Îõ³h& ”— Yò                   	  
                                               !  "  #  $  %  &  '  (  )  *  +  ,  -  .  /  0  1  2  3  4  5  6  7  8  9  :  ;  <  =  >  ?  @  A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  [  \  ]  ^  _  `  a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z  {  |  }  ~    €    ‚  ƒ  „  …  †  ‡  ˆ  ‰  Š  ‹  Œ    Ž      ‘  ’  “  ”  •  –  —  ˜  ™  š  ›  œ    ž  Ÿ     ¡  ¢  £  ¤  ¥  ¦  §  ¨  ©  ª  «  ¬  ­  ®  ¯  °  ±  ²  ³  ´  µ  ¶  ·  ¸  ¹  º  »  ¼  ½  ¾  ¿  À  Á  Â  Ã  Ä  Å  Æ  Ç  È  É  Ê  Ë  Ì  Í  Î  Ï  Ð  Ñ  Ò  Ó  Ô  Õ  Ö  ×  Ø  Ù  Ú  Û  Ü  Ý  Þ  ß  à  á  	â  	ã  	ä  	å  	æ  	ç  	è  	é  	ê  	ë  	ì  	í  	î  	ï  	ð  	ñ  	ò  	ó  	ô  	õ  	ö  	÷  	ø  	ù  	ú  	û  
ü  
ý  
þ  
ÿ  
€  
  
‚  
ƒ  
„  
…  
†  
‡  
ˆ  
‰  
Š  
‹  
Œ  
  
Ž  
  
  
‘  
’  
“  ”  •  –  —  ˜  ™  š  ›  œ    ž  Ÿ     ¡  ¢  £  ¤  ¥  ¦  §  ¨  ©  ª  «  ¬  ­  ®  ¯  °  ±  ²  ³  ´  µ  ¶  ·  ¸  ¹  º  »  ¼  ½  ¾  ¿  À  Á  Â  Ã  Ä  Å  Æ  Ç  È  É  Ê  Ë  Ì  Í  Î  Ï  Ð  Ñ  Ò  Ó  Ô  Õ  Ö  ×  Ø  Ù  Ú  Û  Ü  Ý  Þ  ß  à  á  â  ã  ä  å  æ  ç  è  é  ê  ë  ì  í  î  ï  ð  ñ  ò  ó  ô  õ  ö  ÷  ø  ù  ú  û  ü  ý  þ  ÿ  €    ‚  ƒ  „  …  †  ‡  ˆ  ‰  Š  ‹  Œ    Ž      ‘  ’  “  ”  •  –  —  ˜  ™  š  ›  œ    ž  Ÿ     ¡  ¢  £  ¤  ¥  ¦  §  ¨  ©  ª  «  ¬  ­  ®  ¯  °  ±  ²  ³  ´  µ  ¶  ·  ¸  ¹  º  »  ¼  ½  ¾  ¿  À  Á  Â  Ã  Ä  Å  Æ  Ç  È  É  Ê  Ë  Ì  Í  Î  Ï  Ð  Ñ  Ò  Ó  Ô  Õ  Ö  ×  Ø  Ù  Ú  Û  Ü  Ý  Þ  ß  à  á  â  ã  ä  å  æ  ç  è  é  ê  ë  ì  í  î  ï  ð  ñ  ò  ó  ô  õ  ö  ÷  ø  ù  ú  û  ü  ý  þ  ÿ  €    ‚  ƒ  „  …  †  ‡  ˆ  ‰  Š  ‹  Œ    Ž      ‘  ’  “  ”  •  –  —  ˜  ™  š  ›  œ    ž  Ÿ     ¡  ¢  £  ¤  ¥  ¦  §  ¨  ©  ª  «  ¬  ­  ®  ¯  °  ±  ²  ³  ´  µ  ¶  ·  ¸  ¹  º  »  ¼  ½  ¾  ¿  À  Á  Â  Ã  Ä  Å  Æ  Ç  È  É  Ê  Ë  Ì  Í  Î  Ï  Ð  Ñ  Ò  Ó  Ô  Õ  Ö  ×  Ø  Ù  Ú  Û  Ü  Ý  Þ  ß  à  á  â  ã  ä  å  æ  ç  è  é  ê  ë  ì  í  î  ï  ð  ñ  ò  ó  ô  õ  ö  ÷  ø  ù  ú  û  ü  ý  þ  ÿ  €    ‚  ƒ  „  …  †  ‡  ˆ  ‰  Š  ‹  Œ    Ž      ‘  ’  “  ”  •  –  —  ˜  ™  š  ›  œ    ž  Ÿ     ¡  ¢  £  ¤  ¥  ¦  §  ¨  ©  ª  «  ¬  ­  ®  ¯  °  ±  ²  ³  ´  µ  ¶  ·  ¸  ¹  º  »  ¼  ½  ¾  ¿  À  Á  Â  Ã  Ä  Å  Æ  Ç  È  É  Ê  Ë  Ì  Í  Î  Ï  Ð  Ñ  Ò  Ó  Ô  Õ  Ö  ×  Ø  Ù  Ú  Û  Ü  Ý  Þ  ß  à  á  â  ã  ä  å  æ  ç  è  é  ê  ë  ì  í  î  ï  ð  ñ  ò  ó  ô  õ  ö  ÷  ø  ù  ú  û  ü  ý  þ  ÿ  €    ‚  ƒ  „  …  †  ‡  ˆ  ‰  Š  ‹  Œ    Ž        ‘   ’   “   ”   •   –   —   ˜   ™   š   ›   œ      ž   Ÿ       ¡   ¢   £   ¤   ¥   ¦   §  !¨  !©  !ª  !«  !¬  !­  !®  !¯  !°  !±  !²  !³  !´  !µ  !¶  !·  !¸  !¹  !º  "»  "¼  "½  "¾  "¿  "À  "Á  "Â  "Ã  "Ä  "Å  "Æ  "Ç  "È  "É  "Ê  "Ë  "Ì  "Í  "Î  "Ï  "Ð  "Ñ  "Ò  "Ó  "Ô  "Õ  #Ö  #×  #Ø  #Ù  #Ú  #Û  #Ü  #Ý  #Þ  #ß  #à  #á  #â  #ã  #ä  #å  #æ  #ç  #è  #é  #ê  #ë  #ì  #í  #î  #ï  #ð  #ñ  #ò  #ó  #ô  #õ  #ö  #÷  #ø  #ù  #ú  #û  #ü  #ý  #þ  #ÿ  #€  #  #‚  #ƒ  #„  $…  $†  $‡  $ˆ  $‰  $Š  $‹  $Œ  $  $Ž  $  $  $‘  $’  $“  $”  $•  $–  $—  $˜  $™  $š  $›  $œ  $  $ž  %Ÿ  %   %¡  %¢  %£  %¤  %¥  %¦  %§  %¨  %©  %ª  %«  %¬  %­  %®  %¯  %°  %±  %²  %³  %´  %µ  %¶  %·  %¸  %¹  %º  %»  %¼  %½  %¾  %¿  %À  %Á  %Â  %Ã  %Ä  %Å  &Æ  &Ç  &È  &É  &Ê  &Ë  &Ì  &Í  &Î  &Ï  &Ð  &Ñ  &Ò  &Ó  &Ô  &Õ  &Ö  &×  &Ø  &Ù  &Ú  &Û  &Ü  &Ý  &Þ  &ß  &à  &á  &â  &ã  &ä  &å  &æ  &ç  &è  &é  'ê  'ë  'ì  'í  'î  'ï  'ð  'ñ  'ò  'ó  'ô  'õ  'ö  '÷  'ø  'ù  'ú  'û  'ü  'ý  'þ  'ÿ  '€  '  '‚  'ƒ  („  (…  (†  (‡  (ˆ  (‰  (Š  (‹  (Œ  (  (Ž  (  (  (‘  (’  (“  (”  (•  (–  (—  (˜  (™  (š  (›  (œ  (  (ž  (Ÿ  )   )¡  )¢  )£  )¤  )¥  )¦  )§  )¨  )©  )ª  )«  )¬  )­  )®  )¯  )°  )±  )²  )³  )´  )µ  )¶  )·  )¸  )¹  )º  )»  )¼  )½  )¾  )¿  )À  )Á  )Â  )Ã  )Ä  )Å  )Æ  )Ç  )È  )É  *Ê  *Ë  *Ì  *Í  *Î  *Ï  *Ð  *Ñ  *Ò  *Ó  *Ô  *Õ  *Ö  *×  *Ø  *Ù  *Ú  *Û  *Ü  *Ý  *Þ  *ß  *à  *á  *â  *ã  *ä  *å  *æ  *ç  *è  *é  *ê  *ë  *ì  *í  *î  *ï  *ð  *ñ  *ò  *ó  *ô  *õ  *ö  *÷  *ø  *ù  *ú  *û  +ü  +ý  +þ  +ÿ  +€	  +	  +‚	  +ƒ	  +„	  +…	  +†	  +‡	  +ˆ	  +‰	  +Š	  +‹	  +Œ	  +	  +Ž	  +	  +	  +‘	  +’	  +“	  +”	  +•	  +–	  +—	  +˜	  +™	  ,š	  ,›	  ,œ	  ,	  ,ž	  ,Ÿ	  , 	  ,¡	  ,¢	  ,£	  ,¤	  ,¥	  ,¦	  ,§	  ,¨	  ,©	  ,ª	  ,«	  ,¬	  ,­	  ,®	  -¯	  -°	  -±	  -²	  -³	  -´	  -µ	  -¶	  -·	  -¸	  -¹	  -º	  -»	  -¼	  -½	  -¾	  -¿	  -À	  -Á	  -Â	  -Ã	  -Ä	  -Å	  -Æ	  -Ç	  -È	  -É	  -Ê	  -Ë	  -Ì	  -Í	  -Î	  -Ï	  -Ð	  -Ñ	  -Ò	  -Ó	  .Ô	  .Õ	  .Ö	  .×	  .Ø	  .Ù	  .Ú	  .Û	  .Ü	  .Ý	  .Þ	  .ß	  .à	  .á	  .â	  .ã	  .ä	  .å	  .æ	  .ç	  .è	  .é	  .ê	  .ë	  .ì	  .í	  .î	  .ï	  .ð	  .ñ	  .ò	  .ó	  .ô	  .õ	  .ö	  /÷	  /ø	  /ù	  /ú	  /û	  /ü	  /ý	  /þ	  /ÿ	  /€
  /
  /‚
  /ƒ
  /„
  /…
  /†
  /‡
  /ˆ
  /‰
  /Š
  /‹
  /Œ
  /
  /Ž
  /
  /
  /‘
  /’
  /“
  /”
  /•
  /–
  /—
  /˜
  /™
  /š
  /›
  0œ
  0
  0ž
  0Ÿ
  0 
  0¡
  0¢
  0£
  0¤
  0¥
  0¦
  0§
  0¨
  0©
  0ª
  0«
  0¬
  0­
  0®
  0¯
  0°
  0±
  0²
  0³
  0´
  1µ
  1¶
  1·
  1¸
  1¹
  1º
  1»
  1¼
  1½
  1¾
  1¿
  1À
  1Á
  1Â
  1Ã
  1Ä
  1Å
  1Æ
  1Ç
  1È
  1É
  1Ê
  1Ë
  1Ì
  1Í
  1Î
  1Ï
  1Ð
  1Ñ
  1Ò
  1Ó
  1Ô
  1Õ
  1Ö
  1×
  1Ø
  1Ù
  2Ú
  2Û
  2Ü
  2Ý
  2Þ
  2ß
  2à
  2á
  2â
  2ã
  2ä
  2å
  2æ
  2ç
  2è
  2é
  2ê
  2ë
  2ì
  2í
  2î
  2ï
  2ð
  2ñ
  2ò
  2ó
  2ô
  2õ
  2ö
  2÷
  2ø
  2ù
  2ú
  2û
  3ü
  3ý
  3þ
  3ÿ
  3€  3  3‚  3ƒ  3„  3…  3†  3‡  3ˆ  3‰  3Š  3‹  3Œ  3  3Ž  3  3  3‘  3’  3“  3”  3•  3–  3—  3˜  3™  3š  3›  3œ  3  3ž  3Ÿ  3   3¡  3¢  3£  3¤  3¥  4¦  4§  4¨  4©  4ª  4«  4¬  4­  4®  4¯  4°  4±  4²  4³  4´  4µ  4¶  4·  4¸  4¹  4º  4»  4¼  4½  4¾  4¿  4À  4Á  4Â  4Ã  4Ä  4Å  4Æ  4Ç  4È  4É  4Ê  5Ë  5Ì  5Í  5Î  5Ï  5Ð  5Ñ  5Ò  5Ó  5Ô  5Õ  5Ö  5×  5Ø  5Ù  5Ú  5Û  5Ü  5Ý  5Þ  5ß  5à  5á  5â  5ã  5ä  5å  5æ  6ç  6è  6é  6ê  6ë  6ì  6í  6î  6ï  6ð  6ñ  6ò  6ó  6ô  6õ  6ö  6÷  6ø  6ù  6ú  6û  6ü  6ý  6þ  6ÿ  6€  6  6‚  6ƒ  6„  7…  7†  7‡  7ˆ  7‰  7Š  7‹  7Œ  7  7Ž  7  7  7‘  7’  7“  7”  7•  7–  7—  7˜  7™  7š  7›  7œ  7  7ž  7Ÿ  7   7¡  8¢  8£  8¤  8¥  8¦  8§  8¨  8©  8ª  8«  8¬  8­  8®  8¯  8°  8±  8²  8³  8´  8µ  8¶  8·  8¸  8¹  8º  8»  8¼  8½  8¾  8¿  8À  8Á  8Â  8Ã  8Ä  8Å  8Æ  9Ç  9È  9É  9Ê  9Ë  9Ì  9Í  9Î  9Ï  9Ð  9Ñ  9Ò  9Ó  9Ô  9Õ  9Ö  9×  9Ø  9Ù  9Ú  9Û  9Ü  9Ý  9Þ  9ß  9à  9á  9â  9ã  9ä  9å  9æ  9ç  9è  9é  9ê  9ë  9ì  :í  :î  :ï  :ð  :ñ  :ò  :ó  :ô  :õ  :ö  :÷  :ø  :ù  :ú  :û  :ü  :ý  :þ  :ÿ  :€  :  :‚  :ƒ  :„  :…  :†  :‡  :ˆ  :‰  :Š  :‹  :Œ  :  :Ž  :  :  :‘  :’  :“  :”  ;•  ;–  ;—  ;˜  ;™  ;š  ;›  ;œ  ;  ;ž  ;Ÿ  ;   ;¡  ;¢  ;£  ;¤  ;¥  ;¦  ;§  ;¨  ;©  ;ª  ;«  ;¬  ;­  ;®  ;¯  ;°  ;±  ;²  ;³  ;´  ;µ  ;¶  ;·  ;¸  ;¹  ;º  ;»  ;¼  ;½  <¾  <¿  <À  <Á  <Â  <Ã  <Ä  <Å  <Æ  <Ç  <È  <É  <Ê  <Ë  <Ì  <Í  <Î  <Ï  <Ð  <Ñ  <Ò  <Ó  <Ô  <Õ  <Ö  <×  <Ø  <Ù  <Ú  <Û  <Ü  <Ý  <Þ  <ß  <à  <á  <â  <ã  <ä  =å  =æ  =ç  =è  =é  =ê  =ë  =ì  =í  =î  =ï  =ð  =ñ  =ò  =ó  =ô  =õ  =ö  =÷  =ø  =ù  =ú  =û  =ü  =ý  =þ  =ÿ  =€  =  =‚  =ƒ  =„  =…  =†  =‡  =ˆ  =‰  =Š  =‹  >Œ  >  >Ž  >  >  >‘  >’  >“  >”  >•  >–  >—  >˜  >™  >š  >›  >œ  >  >ž  >Ÿ  >   >¡  >¢  >£  ?¤  ?¥  ?¦  ?§  ?¨  ?©  ?ª  ?«  ?¬  ?­  ?®  ?¯  ?°  ?±  ?²  ?³  ?´  ?µ  ?¶  ?·  ?¸  ?¹  ?º  ?»  @¼  @½  @¾  @¿  @À  @Á  @Â  @Ã  @Ä  @Å  @Æ  @Ç  @È  @É  @Ê  @Ë  @Ì  @Í  @Î  @Ï  @Ð  @Ñ  @Ò  @Ó  @Ô  @Õ  AÖ  A×  AØ  AÙ  AÚ  AÛ  AÜ  AÝ  AÞ  Aß  Aà  Aá  Aâ  Aã  Aä  Aå  Aæ  Aç  Aè  Aé  Aê  Aë  Aì  Aí  Bî  Bï  Bð  Bñ  Bò  Bó  Bô  Bõ  Bö  B÷  Bø  Bù  Bú  Bû  Bü  Bý  Bþ  Bÿ  B€  B  B‚  Bƒ  B„  B…  C†  C‡  Cˆ  C‰  CŠ  C‹  CŒ  C  CŽ  C  C  C‘  C’  C“  C”  C•  C–  C—  C˜  C™  Cš  C›  Cœ  C  Cž  CŸ  C   C¡  C¢  C£  D¤  D¥  D¦  D§  D¨  D©  Dª  D«  D¬  D­  D®  D¯  D°  D±  D²  D³  D´  Dµ  D¶  D·  D¸  D¹  Dº  D»  D¼  D½  D¾  D¿  DÀ  DÁ  DÂ  DÃ  DÄ  DÅ  DÆ  DÇ  DÈ  DÉ  EÊ  EË  EÌ  EÍ  EÎ  EÏ  EÐ  EÑ  EÒ  EÓ  EÔ  EÕ  EÖ  E×  EØ  EÙ  EÚ  EÛ  EÜ  EÝ  EÞ  Eß  Eà  Eá  Fâ  Fã  Fä  Få  Fæ  Fç  Fè  Fé  Fê  Fë  Fì  Fí  Fî  Fï  Fð  Fñ  Fò  Fó  Fô  Fõ  Fö  F÷  Fø  Fù  Fú  Fû  Gü  Gý  Gþ  Gÿ  G€  G  G‚  Gƒ  G„  G…  G†  G‡  Gˆ  G‰  GŠ  G‹  GŒ  G  GŽ  G  G  G‘  G’  G“  H”  H•  H–  H—  H˜  H™  Hš  H›  Hœ  H  Hž  HŸ  H   H¡  H¢  H£  H¤  H¥  H¦  H§  H¨  H©  Hª  H«  H¬  H­  H®  H¯  H°  H±  H²  H³  H´  Hµ  H¶  H·  H¸  H¹  Hº  I»  I¼  I½  I¾  I¿  IÀ  IÁ  IÂ  IÃ  IÄ  IÅ  IÆ  IÇ  IÈ  IÉ  IÊ  IË  IÌ  IÍ  IÎ  IÏ  IÐ  IÑ  IÒ  IÓ  IÔ  IÕ  IÖ  I×  IØ  IÙ  IÚ  IÛ  IÜ  IÝ  IÞ  Iß  Ià  Iá  Iâ  Iã  Iä  Iå  Iæ  Iç  Iè  Ié  Iê  Jë  Jì  Jí  Jî  Jï  Jð  Jñ  Jò  Jó  Jô  Jõ  Jö  J÷  Jø  Jù  Jú  Jû  Jü  Jý  Jþ  Jÿ  J€  J  J‚  Jƒ  J„  J…  J†  J‡  Jˆ  J‰  JŠ  J‹  JŒ  J  JŽ  J  J  J‘  J’  J“  J”  K•  K–  K—  K˜  K™  Kš  K›  Kœ  K  Kž  KŸ  K   K¡  K¢  K£  K¤  K¥  K¦  K§  K¨  K©  Kª  K«  K¬  K­  K®  K¯  K°  K±  K²  K³  K´  Kµ  K¶  K·  K¸  K¹  Kº  K»  K¼  K½  K¾  K¿  KÀ  KÁ  LÂ  LÃ  LÄ  LÅ  LÆ  LÇ  LÈ  LÉ  LÊ  LË  LÌ  LÍ  LÎ  LÏ  LÐ  LÑ  LÒ  LÓ  LÔ  LÕ  LÖ  L×  LØ  LÙ  LÚ  LÛ  MÜ  MÝ  MÞ  Mß  Mà  Má  Mâ  Mã  Mä  Må  Mæ  Mç  Mè  Mé  Mê  Më  Mì  Mí  Mî  Mï  Mð  Mñ  Mò  Mó  Mô  Mõ  Nö  N÷  Nø  Nù  Nú  Nû  Nü  Ný  Nþ  Nÿ  N€  N  N‚  Nƒ  N„  N…  N†  N‡  Nˆ  N‰  NŠ  N‹  NŒ  N  NŽ  N  N  N‘  O’  O“  O”  O•  O–  O—  O˜  O™  Oš  O›  Oœ  O  Ož  OŸ  O   O¡  O¢  O£  O¤  O¥  O¦  O§  O¨  O©  Oª  O«  P¬  P­  P®  P¯  P°  P±  P²  P³  P´  Pµ  P¶  P·  P¸  P¹  Pº  P»  P¼  P½  P¾  P¿  PÀ  PÁ  PÂ  PÃ  PÄ  PÅ  QÆ  QÇ  QÈ  QÉ  QÊ  QË  QÌ  QÍ  QÎ  QÏ  QÐ  QÑ  QÒ  QÓ  QÔ  QÕ  QÖ  Q×  QØ  QÙ  QÚ  QÛ  QÜ  QÝ  QÞ  Qß  Qà  Qá  Qâ  Qã  Qä  Qå  Qæ  Qç  Qè  Qé  Qê  Që  Qì  Qí  Qî  Rï  Rð  Rñ  Rò  Ró  Rô  Rõ  Rö  R÷  Rø  Rù  Rú  Rû  Rü  Rý  Rþ  Rÿ  R€  R  R‚  Rƒ  R„  R…  R†  R‡  Rˆ  S‰  SŠ  S‹  SŒ  S  SŽ  S  S  S‘  S’  S“  S”  S•  S–  S—  S˜  S™  Sš  S›  Sœ  S  Sž  SŸ  S   S¡  S¢  T£  T¤  T¥  T¦  T§  T¨  T©  Tª  T«  T¬  T­  T®  T¯  T°  T±  T²  T³  T´  Tµ  T¶  T·  T¸  T¹  Tº  T»  T¼  T½  T¾  T¿  TÀ  TÁ  TÂ  TÃ  TÄ  TÅ  TÆ  TÇ  TÈ  TÉ  TÊ  TË  UÌ  UÍ  UÎ  UÏ  UÐ  UÑ  UÒ  UÓ  UÔ  UÕ  UÖ  U×  UØ  UÙ  UÚ  UÛ  UÜ  UÝ  UÞ  Uß  Uà  Uá  Uâ  Uã  Uä  Uå  Uæ  Uç  Uè  Ué  Uê  Uë  Uì  Uí  Uî  Uï  Uð  Uñ  UØ     (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   1ë   	       (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';è ñ   :l amazonka-kms$Contains information about an alias.See:    smart constructor. amazonka-kms!String that contains the key ARN. amazonka-kms7String that contains the alias. This value begins with alias/. amazonka-kmsê Date and time that the alias was most recently created in the account
 and Region. Formatted as Unix time. amazonka-kmsü Date and time that the alias was most recently associated with a KMS key
 in the account and Region. Formatted as Unix time. amazonka-kmsÒ String that contains the key identifier of the KMS key associated with
 the alias.  amazonka-kmsCreate a value of  " with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ,  !$ - String that contains the key ARN. ,  ": - String that contains the alias. This value begins with alias/. ,  #í  - Date and time that the alias was most recently created in the account
 and Region. Formatted as Unix time. ,  $ÿ  - Date and time that the alias was most recently associated with a KMS key
 in the account and Region. Formatted as Unix time. ,  %Õ  - String that contains the key identifier of the KMS key associated with
 the alias.! amazonka-kms!String that contains the key ARN." amazonka-kms7String that contains the alias. This value begins with alias/.# amazonka-kmsê Date and time that the alias was most recently created in the account
 and Region. Formatted as Unix time.$ amazonka-kmsü Date and time that the alias was most recently associated with a KMS key
 in the account and Region. Formatted as Unix time.% amazonka-kmsÒ String that contains the key identifier of the KMS key associated with
 the alias.  !"#$% !"#$%      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   ;*  -A@?>=<;:9876543210./'-A@?>=<;:9876543210./A@?>=<;:9876543210      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   <
  U\[ZYXVWU\[ZYXVW\[ZYX      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   <Ã  ptsqrptsqrts      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   =s  ˆ—–•”“’‘ŽŒ‹‰Šˆ—–•”“’‘ŽŒ‹‰Š—–•”“’‘ŽŒ‹      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   >q  «µ´³²±°¯®¬­«µ´³²±°¯®¬­µ´³²±°¯®      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   ?Q  ÉÍÌÊËÉÍÌÊËÍÌ    	  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   @  áçæåäâãáçæåäâãçæåä    
  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   @Õ  ûÿþüýûÿþüýÿþ      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';è ñ   S|“ amazonka-kmsUse this structure to allow
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operationsÇ 
 in the grant only when the operation request includes the specified
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextencryption context.—KMS applies the grant constraints only to cryptographic operations that
 support an encryption context, that is, all cryptographic operations
 with a
 Ý https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmkssymmetric KMS keyØ.
 Grant constraints are not applied to operations that do not support an
 encryption context, such as cryptographic operations with asymmetric KMS
 keys and management operations, such as DescribeKey or RetireGrant.ïIn a cryptographic operation, the encryption context in the decryption
 operation must be an exact, case-sensitive match for the keys and values
 in the encryption context of the encryption operation. Only the order of
 the pairs can vary.÷ However, in a grant constraint, the key in each key-value pair is not
 case sensitive, but the value is case sensitive.›To avoid confusion, do not use multiple encryption context pairs that
 differ only by case. To require a fully case-sensitive encryption
 context, use the kms:EncryptionContext: and
 kms:EncryptionContextKeys8 conditions in an IAM or key policy. For
 details, see
 î https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-contextkms:EncryptionContext:

 in the /&Key Management Service Developer Guide/ .See:  — smart constructor.• amazonka-kmsÉ A list of key-value pairs that must match the encryption context in the
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operationŸ
 request. The grant allows the operation only when the encryption context
 in the request is the same as the encryption context specified in this
 constraint.– amazonka-kmsÓ A list of key-value pairs that must be included in the encryption
 context of the
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operationØ
 request. The grant allows the cryptographic operation only when the
 encryption context in the request includes the key-value pairs specified
 in this constraint, although it can include additional key-value pairs.— amazonka-kmsCreate a value of  “" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: •,  ˜Ì  - A list of key-value pairs that must match the encryption context in the
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operationŸ
 request. The grant allows the operation only when the encryption context
 in the request is the same as the encryption context specified in this
 constraint. –,  ™Ö  - A list of key-value pairs that must be included in the encryption
 context of the
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operationØ
 request. The grant allows the cryptographic operation only when the
 encryption context in the request includes the key-value pairs specified
 in this constraint, although it can include additional key-value pairs.˜ amazonka-kmsÉ A list of key-value pairs that must match the encryption context in the
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operationŸ
 request. The grant allows the operation only when the encryption context
 in the request is the same as the encryption context specified in this
 constraint.™ amazonka-kmsÓ A list of key-value pairs that must be included in the encryption
 context of the
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operationØ
 request. The grant allows the cryptographic operation only when the
 encryption context in the request includes the key-value pairs specified
 in this constraint, although it can include additional key-value pairs. “–•”—˜™“–•”—˜™      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   T<  ¢´³²±°¯®­¬«ª©¨§¦¥£¤#¢´³²±°¯®­¬«ª©¨§¦¥£¤´³²±°¯®­¬«ª©¨§¦¥      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';è ñ   foÈ amazonka-kms#Contains information about a grant.See:  Ó smart constructor.Ê amazonka-kmsA list of key-value pairs that must be present in the encryption context
 of certain subsequent operations that the grant allows.Ë amazonka-kms-The date and time when the grant was created.Ì amazonka-kms$The unique identifier for the grant.Í amazonka-kms4The identity that gets the permissions in the grant.The GranteePrincipal field in the 
ListGrants¹ response usually
 contains the user or role designated as the grantee principal in the
 grant. However, when the grantee principal in the grant is an Amazon Web
 Services service, the GranteePrincipal field contains the
 î https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-servicesservice principal>,
 which might represent several different grantee principals.Î amazonka-kmsÁ The Amazon Web Services account under which the grant was issued.Ï amazonka-kmsÁ The unique identifier for the KMS key to which the grant applies.Ð amazonka-kms–The friendly name that identifies the grant. If a name was provided in
 the CreateGrant request, that name is returned. Otherwise this value is
 null.Ñ amazonka-kms.The list of operations permitted by the grant.Ò amazonka-kms(The principal that can retire the grant.Ó amazonka-kmsCreate a value of  È" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Ê,  Ô„ - A list of key-value pairs that must be present in the encryption context
 of certain subsequent operations that the grant allows. Ë,  Õ0 - The date and time when the grant was created. Ì,  Ö' - The unique identifier for the grant. Í,  ×7 - The identity that gets the permissions in the grant.The GranteePrincipal field in the 
ListGrants¹ response usually
 contains the user or role designated as the grantee principal in the
 grant. However, when the grantee principal in the grant is an Amazon Web
 Services service, the GranteePrincipal field contains the
 î https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-servicesservice principal>,
 which might represent several different grantee principals. Î,  ØÄ  - The Amazon Web Services account under which the grant was issued. Ï,  ÙÄ  - The unique identifier for the KMS key to which the grant applies. Ð,  Ú™ - The friendly name that identifies the grant. If a name was provided in
 the CreateGrant request, that name is returned. Otherwise this value is
 null. Ñ,  Û1 - The list of operations permitted by the grant. Ò,  Ü+ - The principal that can retire the grant.Ô amazonka-kmsA list of key-value pairs that must be present in the encryption context
 of certain subsequent operations that the grant allows.Õ amazonka-kms-The date and time when the grant was created.Ö amazonka-kms$The unique identifier for the grant.× amazonka-kms4The identity that gets the permissions in the grant.The GranteePrincipal field in the 
ListGrants¹ response usually
 contains the user or role designated as the grantee principal in the
 grant. However, when the grantee principal in the grant is an Amazon Web
 Services service, the GranteePrincipal field contains the
 î https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-servicesservice principal>,
 which might represent several different grantee principals.Ø amazonka-kmsÁ The Amazon Web Services account under which the grant was issued.Ù amazonka-kmsÁ The unique identifier for the KMS key to which the grant applies.Ú amazonka-kms–The friendly name that identifies the grant. If a name was provided in
 the CreateGrant request, that name is returned. Otherwise this value is
 null.Û amazonka-kms.The list of operations permitted by the grant.Ü amazonka-kms(The principal that can retire the grant. ÈÒÑÏÎÍÌÊËÐÉÓÔÕÖ×ØÙÚÛÜÈÒÑÏÎÍÌÊËÐÉÓÔÕÖ×ØÙÚÛÜ      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';è ñ   jFä amazonka-kms6Contains information about each entry in the key list.See:  è smart constructor.æ amazonka-kmsARN of the key.ç amazonka-kmsUnique identifier of the key.è amazonka-kmsCreate a value of  ä" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: æ,  é - ARN of the key. ç,  ê  - Unique identifier of the key.é amazonka-kmsARN of the key.ê amazonka-kmsUnique identifier of the key. äæçåèéêäæçåèéê      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   k  òöõóôòöõóôöõ      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   kÂ  Š™˜—–•”“’‘Ž‹ŒŠ™˜—–•”“’‘Ž‹Œ™˜—–•”“’‘Ž      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   lÀ  ­·¶µ´³²±°®¯­·¶µ´³²±°®¯·¶µ´³²±°      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   m   ËÐÏÎÌÍ	ËÐÏÎÌÍÐÏÎ      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';è ñ   uÎä amazonka-kmsSee:  é smart constructor.æ amazonka-kmsA list of grants.ç amazonka-kmsWhen 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request.è amazonka-kms¬A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request.é amazonka-kmsCreate a value of  ä" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: æ,  ê - A list of grants. ç,  ë - When 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request. è,  ì¯ - A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request.ê amazonka-kmsA list of grants.ë amazonka-kmsWhen 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request.ì amazonka-kms¬A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request. 	äçæèåéêëì	äçæèåéêëì      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   v–  ôúùø÷õöôúùø÷õöúùø÷      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   w^  Ž’‘Ž’‘’‘      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';è ñ   |f¦ amazonka-kms;Describes the primary or replica key in a multi-Region key.See:  ª smart constructor.¨ amazonka-kmsÇ Displays the key ARN of a primary or replica key of a multi-Region key.© amazonka-kmsÛ Displays the Amazon Web Services Region of a primary or replica key in a
 multi-Region key.ª amazonka-kmsCreate a value of  ¦" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¨,  «Ê  - Displays the key ARN of a primary or replica key of a multi-Region key. ©,  ¬Þ  - Displays the Amazon Web Services Region of a primary or replica key in a
 multi-Region key.« amazonka-kmsÇ Displays the key ARN of a primary or replica key of a multi-Region key.¬ amazonka-kmsÛ Displays the Amazon Web Services Region of a primary or replica key in a
 multi-Region key. ¦©¨§ª«¬¦©¨§ª«¬      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   }&  ´¸·µ¶´¸·µ¶¸·      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';è ñ   „ÌÌ amazonka-kmsŽDescribes the configuration of this multi-Region key. This field appears
 only when the KMS key is a primary or replica of a multi-Region key.Î For more information about any listed KMS key, use the DescribeKey
 operation.See:  Ñ smart constructor.Î amazonka-kms#Indicates whether the KMS key is a PRIMARY or REPLICA key.Ï amazonka-kmsö Displays the key ARN and Region of the primary key. This field includes
 the current KMS key if it is the primary key.Ð amazonka-kms÷ displays the key ARNs and Regions of all replica keys. This field
 includes the current KMS key if it is a replica key.Ñ amazonka-kmsCreate a value of  Ì" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Î,  Ò& - Indicates whether the KMS key is a PRIMARY or REPLICA key. Ï,  Óù  - Displays the key ARN and Region of the primary key. This field includes
 the current KMS key if it is the primary key. Ð,  Ôú  - displays the key ARNs and Regions of all replica keys. This field
 includes the current KMS key if it is a replica key.Ò amazonka-kms#Indicates whether the KMS key is a PRIMARY or REPLICA key.Ó amazonka-kmsö Displays the key ARN and Region of the primary key. This field includes
 the current KMS key if it is the primary key.Ô amazonka-kms÷ displays the key ARNs and Regions of all replica keys. This field
 includes the current KMS key if it is a replica key. 	ÌÐÏÎÍÑÒÓÔ	ÌÐÏÎÍÑÒÓÔ      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   …”  ÜâáàßÝÞÜâáàßÝÞâáàß      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   †\  ö‚€ÿþýüûúù÷øö‚€ÿþýüûúù÷ø‚€ÿþýüûúù      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';è ñ   ‹Ë– amazonka-kms—A key-value pair. A tag consists of a tag key and a tag value. Tag keys
 and tag values are both required, but tag values can be empty (null)
 strings.Í For information about the rules that apply to tag keys and tag values,
 see
 Ý https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.htmlUser-Defined Tag Restrictions	
 in the :Amazon Web Services Billing and Cost Management User Guide.See:  š smart constructor.˜ amazonka-kmsThe key of the tag.™ amazonka-kmsThe value of the tag.š amazonka-kmsCreate a value of  –" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ˜,  › - The key of the tag. ™,  œ - The value of the tag.› amazonka-kmsThe key of the tag.œ amazonka-kmsThe value of the tag.š  amazonka-kms ˜ amazonka-kms ™–™˜—š›œ–™˜—š›œ      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   Œ‹  ¥¨¦§¥¨¦§¨      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';è ñ   ”¼ amazonka-kmsInformation about the
 á https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-keyexternal key=
 that is associated with a KMS key in an external key store.é This element appears in a CreateKey or DescribeKey response only for a
 KMS key in an external key store.The external key¿ is a symmetric encryption key that is hosted by an
 external key manager outside of Amazon Web Services. When you use the
 KMS key in an external key store in a cryptographic operation, the
 cryptographic operation is performed in the external key manager using
 the specified external key. For more information, see
 á https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-keyExternal key	
 in the &Key Management Service Developer Guide.See:  ¿ smart constructor.¾ amazonka-kmsŒThe ID of the external key in its external key manager. This is the ID
 that the external key store proxy uses to identify the external key.¿ amazonka-kmsCreate a value of  ¼" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¾,  À - The ID of the external key in its external key manager. This is the ID
 that the external key store proxy uses to identify the external key.À amazonka-kmsŒThe ID of the external key in its external key manager. This is the ID
 that the external key store proxy uses to identify the external key. ¼¾½¿À¼¾½¿À      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';è ñ   ê@2È amazonka-kms"Contains metadata about a KMS key.ê This data type is used as a response element for the CreateKey,
 DescribeKey, and ReplicateKey operations.See:  â smart constructor.Ê amazonka-kmsÖ The twelve-digit account ID of the Amazon Web Services account that owns
 the KMS key.Ë amazonka-kmsÂ The Amazon Resource Name (ARN) of the KMS key. For examples, see
 Ù https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kmsKey Management Service (KMS)Î 
 in the Example ARNs section of the /Amazon Web Services General
 Reference/.Ì amazonka-kms‚The cluster ID of the CloudHSM cluster that contains the key material
 for the KMS key. When you create a KMS key in an CloudHSM
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key store¦,
 KMS creates the key material for the KMS key in the associated CloudHSM
 cluster. This field is present only when the KMS key is created in an
 CloudHSM key store.Í amazonka-kms/The date and time when the KMS key was created.Î amazonka-kmsA unique identifier for the
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key storeë 
 that contains the KMS key. This field is present only when the KMS key
 is created in a custom key store.Ï amazonka-kmsInstead, use the KeySpec field.The KeySpec and CustomerMasterKeySpec< fields have the same value. We
 recommend that you use the KeySpecÓ  field in your code. However, to
 avoid breaking changes, KMS supports both fields.Ð amazonka-kms“The date and time after which KMS deletes this KMS key. This value is
 present only when the KMS key is scheduled for deletion, that is, when
 its KeyState is PendingDeletion.ó When the primary key in a multi-Region key is scheduled for deletion but
 still has replica keys, its key state is PendingReplicaDeletion< and
 the length of its waiting period is displayed in the
 PendingDeletionWindowInDays field.Ñ amazonka-kmsThe description of the KMS key.Ò amazonka-kms/Specifies whether the KMS key is enabled. When KeyState is Enabled,
 this value is true, otherwise it is false.Ó amazonka-kmsý The encryption algorithms that the KMS key supports. You cannot use the
 KMS key with other encryption algorithms within KMS.$This value is present only when the KeyUsage of the KMS key is
 ENCRYPT_DECRYPT.Ô amazonka-kms× Specifies whether the KMS key's key material expires. This value is
 present only when Origin is EXTERNAL#, otherwise this value is
 omitted.Õ amazonka-kms·The manager of the KMS key. KMS keys in your Amazon Web Services account
 are either customer managed or Amazon Web Services managed. For more
 information about the difference, see
 Ì https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keysKMS keys	
 in the &Key Management Service Developer Guide.Ö amazonka-kms2Describes the type of key material in the KMS key.× amazonka-kms"The current status of the KMS key.Í For more information about how key state affects the use of a KMS key,
 see
 Ä https://docs.aws.amazon.com/kms/latest/developerguide/key-state.htmlKey states of KMS keys	
 in the &Key Management Service Developer Guide.Ø amazonka-kmsThe
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operations$
 for which you can use the KMS key.Ù amazonka-kmsÐ The message authentication code (MAC) algorithm that the HMAC KMS key
 supports.$This value is present only when the KeyUsage of the KMS key is
 GENERATE_VERIFY_MAC.Ú amazonka-kms1Indicates whether the KMS key is a multi-Region (True) or regional
 (False) key. This value is True0 for multi-Region primary and replica
 keys and False for regional KMS keys.3For more information about multi-Region keys, see
 Õ https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.htmlMulti-Region keys in KMS	
 in the &Key Management Service Developer Guide.Û amazonka-kmsï Lists the primary and replica keys in same multi-Region key. This field
 is present only when the value of the MultiRegion
 field is True.Î For more information about any listed KMS key, use the DescribeKey
 operation.MultiRegionKeyType$ indicates whether the KMS key is a PRIMARY	 or
     REPLICA key.
PrimaryKeyû  displays the key ARN and Region of the primary key.
     This field displays the current KMS key if it is the primary key.ReplicaKeysü  displays the key ARNs and Regions of all replica keys.
     This field includes the current KMS key if it is a replica key.Ü amazonka-kmsÄ The source of the key material for the KMS key. When this value is
 AWS_KMS3, KMS created the key material. When this value is EXTERNALã ,
 the key material was imported or the KMS key doesn't have any key
 material. When this value is AWS_CLOUDHSMÛ , the key material was
 created in the CloudHSM cluster associated with a custom key store.Ý amazonka-kms»The waiting period before the primary key in a multi-Region key is
 deleted. This waiting period begins when the last of its replica keys is
 deleted. This value is present only when the KeyState of the KMS key
 is PendingReplicaDeletion“. That indicates that the KMS key is the
 primary key in a multi-Region key, it is scheduled for deletion, and it
 still has existing replica keys.ý When a single-Region KMS key or a multi-Region replica key is scheduled
 for deletion, its deletion date is displayed in the DeletionDate’
 field. However, when the primary key in a multi-Region key is scheduled
 for deletion, its waiting period doesn't begin until all of its replica
 keys are deleted. This value displays that waiting period. When the last
 replica key in the multi-Region key is deleted, the KeyState, of the
 scheduled primary key changes from PendingReplicaDeletion to
 PendingDeletion& and the deletion date appears in the DeletionDate
 field.Þ amazonka-kms÷ The signing algorithms that the KMS key supports. You cannot use the KMS
 key with other signing algorithms within KMS.!This field appears only when the KeyUsage of the KMS key is
 SIGN_VERIFY.ß amazonka-kmsÃThe time at which the imported key material expires. When the key
 material expires, KMS deletes the key material and the KMS key becomes
 unusable. This value is present only for KMS keys whose Origin is
 EXTERNAL and whose ExpirationModel is KEY_MATERIAL_EXPIRES#,
 otherwise this value is omitted.à amazonka-kmsß Information about the external key that is associated with a KMS key in
 an external key store.For more information, see
 á https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-keyExternal key	
 in the &Key Management Service Developer Guide.á amazonka-kms/The globally unique identifier for the KMS key.â amazonka-kmsCreate a value of  È" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Ê,  ãÙ  - The twelve-digit account ID of the Amazon Web Services account that owns
 the KMS key. Ë,  äÅ  - The Amazon Resource Name (ARN) of the KMS key. For examples, see
 Ù https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kmsKey Management Service (KMS)Î 
 in the Example ARNs section of the /Amazon Web Services General
 Reference/. Ì,  å… - The cluster ID of the CloudHSM cluster that contains the key material
 for the KMS key. When you create a KMS key in an CloudHSM
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key store¦,
 KMS creates the key material for the KMS key in the associated CloudHSM
 cluster. This field is present only when the KMS key is created in an
 CloudHSM key store. Í,  æ2 - The date and time when the KMS key was created. Î,  ç  - A unique identifier for the
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key storeë 
 that contains the KMS key. This field is present only when the KMS key
 is created in a custom key store. Ï,  è - Instead, use the KeySpec field.The KeySpec and CustomerMasterKeySpec< fields have the same value. We
 recommend that you use the KeySpecÓ  field in your code. However, to
 avoid breaking changes, KMS supports both fields. Ð,  é– - The date and time after which KMS deletes this KMS key. This value is
 present only when the KMS key is scheduled for deletion, that is, when
 its KeyState is PendingDeletion.ó When the primary key in a multi-Region key is scheduled for deletion but
 still has replica keys, its key state is PendingReplicaDeletion< and
 the length of its waiting period is displayed in the
 PendingDeletionWindowInDays field. Ñ,  ê" - The description of the KMS key. Ò,  ë2 - Specifies whether the KMS key is enabled. When KeyState is Enabled,
 this value is true, otherwise it is false. Ó,  ì€ - The encryption algorithms that the KMS key supports. You cannot use the
 KMS key with other encryption algorithms within KMS.$This value is present only when the KeyUsage of the KMS key is
 ENCRYPT_DECRYPT. Ô,  íÚ  - Specifies whether the KMS key's key material expires. This value is
 present only when Origin is EXTERNAL#, otherwise this value is
 omitted. Õ,  îº - The manager of the KMS key. KMS keys in your Amazon Web Services account
 are either customer managed or Amazon Web Services managed. For more
 information about the difference, see
 Ì https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keysKMS keys	
 in the &Key Management Service Developer Guide. Ö,  ï5 - Describes the type of key material in the KMS key. ×,  ð% - The current status of the KMS key.Í For more information about how key state affects the use of a KMS key,
 see
 Ä https://docs.aws.amazon.com/kms/latest/developerguide/key-state.htmlKey states of KMS keys	
 in the &Key Management Service Developer Guide. Ø,  ñ - The
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operations$
 for which you can use the KMS key. Ù,  òÓ  - The message authentication code (MAC) algorithm that the HMAC KMS key
 supports.$This value is present only when the KeyUsage of the KMS key is
 GENERATE_VERIFY_MAC. Ú,  ó4 - Indicates whether the KMS key is a multi-Region (True) or regional
 (False) key. This value is True0 for multi-Region primary and replica
 keys and False for regional KMS keys.3For more information about multi-Region keys, see
 Õ https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.htmlMulti-Region keys in KMS	
 in the &Key Management Service Developer Guide. Û,  ôò  - Lists the primary and replica keys in same multi-Region key. This field
 is present only when the value of the MultiRegion
 field is True.Î For more information about any listed KMS key, use the DescribeKey
 operation.MultiRegionKeyType$ indicates whether the KMS key is a PRIMARY	 or
     REPLICA key.
PrimaryKeyû  displays the key ARN and Region of the primary key.
     This field displays the current KMS key if it is the primary key.ReplicaKeysü  displays the key ARNs and Regions of all replica keys.
     This field includes the current KMS key if it is a replica key. Ü,  õÇ  - The source of the key material for the KMS key. When this value is
 AWS_KMS3, KMS created the key material. When this value is EXTERNALã ,
 the key material was imported or the KMS key doesn't have any key
 material. When this value is AWS_CLOUDHSMÛ , the key material was
 created in the CloudHSM cluster associated with a custom key store. Ý,  ö¾ - The waiting period before the primary key in a multi-Region key is
 deleted. This waiting period begins when the last of its replica keys is
 deleted. This value is present only when the KeyState of the KMS key
 is PendingReplicaDeletion“. That indicates that the KMS key is the
 primary key in a multi-Region key, it is scheduled for deletion, and it
 still has existing replica keys.ý When a single-Region KMS key or a multi-Region replica key is scheduled
 for deletion, its deletion date is displayed in the DeletionDate’
 field. However, when the primary key in a multi-Region key is scheduled
 for deletion, its waiting period doesn't begin until all of its replica
 keys are deleted. This value displays that waiting period. When the last
 replica key in the multi-Region key is deleted, the KeyState, of the
 scheduled primary key changes from PendingReplicaDeletion to
 PendingDeletion& and the deletion date appears in the DeletionDate
 field. Þ,  ÷ú  - The signing algorithms that the KMS key supports. You cannot use the KMS
 key with other signing algorithms within KMS.!This field appears only when the KeyUsage of the KMS key is
 SIGN_VERIFY. ß,  øÆ - The time at which the imported key material expires. When the key
 material expires, KMS deletes the key material and the KMS key becomes
 unusable. This value is present only for KMS keys whose Origin is
 EXTERNAL and whose ExpirationModel is KEY_MATERIAL_EXPIRES#,
 otherwise this value is omitted. à,  ùâ  - Information about the external key that is associated with a KMS key in
 an external key store.For more information, see
 á https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-keyExternal key	
 in the &Key Management Service Developer Guide. á,  ú2 - The globally unique identifier for the KMS key.ã amazonka-kmsÖ The twelve-digit account ID of the Amazon Web Services account that owns
 the KMS key.ä amazonka-kmsÂ The Amazon Resource Name (ARN) of the KMS key. For examples, see
 Ù https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kmsKey Management Service (KMS)Î 
 in the Example ARNs section of the /Amazon Web Services General
 Reference/.å amazonka-kms‚The cluster ID of the CloudHSM cluster that contains the key material
 for the KMS key. When you create a KMS key in an CloudHSM
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key store¦,
 KMS creates the key material for the KMS key in the associated CloudHSM
 cluster. This field is present only when the KMS key is created in an
 CloudHSM key store.æ amazonka-kms/The date and time when the KMS key was created.ç amazonka-kmsA unique identifier for the
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key storeë 
 that contains the KMS key. This field is present only when the KMS key
 is created in a custom key store.è amazonka-kmsInstead, use the KeySpec field.The KeySpec and CustomerMasterKeySpec< fields have the same value. We
 recommend that you use the KeySpecÓ  field in your code. However, to
 avoid breaking changes, KMS supports both fields.é amazonka-kms“The date and time after which KMS deletes this KMS key. This value is
 present only when the KMS key is scheduled for deletion, that is, when
 its KeyState is PendingDeletion.ó When the primary key in a multi-Region key is scheduled for deletion but
 still has replica keys, its key state is PendingReplicaDeletion< and
 the length of its waiting period is displayed in the
 PendingDeletionWindowInDays field.ê amazonka-kmsThe description of the KMS key.ë amazonka-kms/Specifies whether the KMS key is enabled. When KeyState is Enabled,
 this value is true, otherwise it is false.ì amazonka-kmsý The encryption algorithms that the KMS key supports. You cannot use the
 KMS key with other encryption algorithms within KMS.$This value is present only when the KeyUsage of the KMS key is
 ENCRYPT_DECRYPT.í amazonka-kms× Specifies whether the KMS key's key material expires. This value is
 present only when Origin is EXTERNAL#, otherwise this value is
 omitted.î amazonka-kms·The manager of the KMS key. KMS keys in your Amazon Web Services account
 are either customer managed or Amazon Web Services managed. For more
 information about the difference, see
 Ì https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keysKMS keys	
 in the &Key Management Service Developer Guide.ï amazonka-kms2Describes the type of key material in the KMS key.ð amazonka-kms"The current status of the KMS key.Í For more information about how key state affects the use of a KMS key,
 see
 Ä https://docs.aws.amazon.com/kms/latest/developerguide/key-state.htmlKey states of KMS keys	
 in the &Key Management Service Developer Guide.ñ amazonka-kmsThe
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operations$
 for which you can use the KMS key.ò amazonka-kmsÐ The message authentication code (MAC) algorithm that the HMAC KMS key
 supports.$This value is present only when the KeyUsage of the KMS key is
 GENERATE_VERIFY_MAC.ó amazonka-kms1Indicates whether the KMS key is a multi-Region (True) or regional
 (False) key. This value is True0 for multi-Region primary and replica
 keys and False for regional KMS keys.3For more information about multi-Region keys, see
 Õ https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.htmlMulti-Region keys in KMS	
 in the &Key Management Service Developer Guide.ô amazonka-kmsï Lists the primary and replica keys in same multi-Region key. This field
 is present only when the value of the MultiRegion
 field is True.Î For more information about any listed KMS key, use the DescribeKey
 operation.MultiRegionKeyType$ indicates whether the KMS key is a PRIMARY	 or
     REPLICA key.
PrimaryKeyû  displays the key ARN and Region of the primary key.
     This field displays the current KMS key if it is the primary key.ReplicaKeysü  displays the key ARNs and Regions of all replica keys.
     This field includes the current KMS key if it is a replica key.õ amazonka-kmsÄ The source of the key material for the KMS key. When this value is
 AWS_KMS3, KMS created the key material. When this value is EXTERNALã ,
 the key material was imported or the KMS key doesn't have any key
 material. When this value is AWS_CLOUDHSMÛ , the key material was
 created in the CloudHSM cluster associated with a custom key store.ö amazonka-kms»The waiting period before the primary key in a multi-Region key is
 deleted. This waiting period begins when the last of its replica keys is
 deleted. This value is present only when the KeyState of the KMS key
 is PendingReplicaDeletion“. That indicates that the KMS key is the
 primary key in a multi-Region key, it is scheduled for deletion, and it
 still has existing replica keys.ý When a single-Region KMS key or a multi-Region replica key is scheduled
 for deletion, its deletion date is displayed in the DeletionDate’
 field. However, when the primary key in a multi-Region key is scheduled
 for deletion, its waiting period doesn't begin until all of its replica
 keys are deleted. This value displays that waiting period. When the last
 replica key in the multi-Region key is deleted, the KeyState, of the
 scheduled primary key changes from PendingReplicaDeletion to
 PendingDeletion& and the deletion date appears in the DeletionDate
 field.÷ amazonka-kms÷ The signing algorithms that the KMS key supports. You cannot use the KMS
 key with other signing algorithms within KMS.!This field appears only when the KeyUsage of the KMS key is
 SIGN_VERIFY.ø amazonka-kmsÃThe time at which the imported key material expires. When the key
 material expires, KMS deletes the key material and the KMS key becomes
 unusable. This value is present only for KMS keys whose Origin is
 EXTERNAL and whose ExpirationModel is KEY_MATERIAL_EXPIRES#,
 otherwise this value is omitted.ù amazonka-kmsß Information about the external key that is associated with a KMS key in
 an external key store.For more information, see
 á https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-keyExternal key	
 in the &Key Management Service Developer Guide.ú amazonka-kms/The globally unique identifier for the KMS key.â  amazonka-kms á3ÈàßÞÝÜÛÚÙØ×ÖÕÔÓÒÐÏÎÌÊËáÍÑÉâãäåæçèéêëìíîïðñòóôõö÷øùú3ÈàßÞÝÜÛÚÙØ×ÖÕÔÓÒÐÏÎÌÊËáÍÑÉâãäåæçèéêëìíîïðñòóôõö÷øùú      (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';è ñ   ðÊ‚ amazonka-kmsÝKMS uses the authentication credential to sign requests that it sends to
 the external key store proxy (XKS proxy) on your behalf. You establish
 these credentials on your external key store proxy and report them to
 KMS.The  XksProxyAuthenticationCredential  includes two required elements.See:  † smart constructor.„ amazonka-kms2A unique identifier for the raw secret access key.… amazonka-kmsÖ A secret string of 43-64 characters. Valid characters are a-z, A-Z, 0-9,
 /, +, and =.† amazonka-kmsCreate a value of  ‚" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: „,  ‡5 - A unique identifier for the raw secret access key. …,  ˆÙ  - A secret string of 43-64 characters. Valid characters are a-z, A-Z, 0-9,
 /, +, and =.‡ amazonka-kms2A unique identifier for the raw secret access key.ˆ amazonka-kmsÖ A secret string of 43-64 characters. Valid characters are a-z, A-Z, 0-9,
 /, +, and =.†  amazonka-kms „ amazonka-kms …‚…„ƒ†‡ˆ‚…„ƒ†‡ˆ       (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred";?Ñ ã ë ñ   ñŠ  “’‘“’‘“’    !  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';è ñ  ‰§ amazonka-kmsƒDetailed information about the external key store proxy (XKS proxy).
 Your external key store proxy translates KMS requests into a format that
 your external key manager can understand. These fields appear in a
 DescribeCustomKeyStores response only when the CustomKeyStoreType is
 EXTERNAL_KEY_STORE.See:  ® smart constructor.© amazonka-kms$The part of the external key store
 “https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredentialproxy authentication credential1
 that uniquely identifies the secret access key.ª amazonka-kmsIndicates whether the external key store proxy uses a public endpoint or
 an Amazon VPC endpoint service to communicate with KMS.« amazonka-kms2The URI endpoint for the external key store proxy.Í If the external key store proxy has a public endpoint, it is displayed
 here.žIf the external key store proxy uses an Amazon VPC endpoint service
 name, this field displays the private DNS name associated with the VPC
 endpoint service.¬ amazonka-kms.The path to the external key store proxy APIs.­ amazonka-kmsÏThe Amazon VPC endpoint service used to communicate with the external
 key store proxy. This field appears only when the external key store
 proxy uses an Amazon VPC endpoint service to communicate with KMS.® amazonka-kmsCreate a value of  §" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ©,  ¯' - The part of the external key store
 “https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredentialproxy authentication credential1
 that uniquely identifies the secret access key. ª,  °„ - Indicates whether the external key store proxy uses a public endpoint or
 an Amazon VPC endpoint service to communicate with KMS. «,  ±5 - The URI endpoint for the external key store proxy.Í If the external key store proxy has a public endpoint, it is displayed
 here.žIf the external key store proxy uses an Amazon VPC endpoint service
 name, this field displays the private DNS name associated with the VPC
 endpoint service. ¬,  ²1 - The path to the external key store proxy APIs. ­,  ³Ò - The Amazon VPC endpoint service used to communicate with the external
 key store proxy. This field appears only when the external key store
 proxy uses an Amazon VPC endpoint service to communicate with KMS.¯ amazonka-kms$The part of the external key store
 “https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredentialproxy authentication credential1
 that uniquely identifies the secret access key.° amazonka-kmsIndicates whether the external key store proxy uses a public endpoint or
 an Amazon VPC endpoint service to communicate with KMS.± amazonka-kms2The URI endpoint for the external key store proxy.Í If the external key store proxy has a public endpoint, it is displayed
 here.žIf the external key store proxy uses an Amazon VPC endpoint service
 name, this field displays the private DNS name associated with the VPC
 endpoint service.² amazonka-kms.The path to the external key store proxy APIs.³ amazonka-kmsÏThe Amazon VPC endpoint service used to communicate with the external
 key store proxy. This field appears only when the external key store
 proxy uses an Amazon VPC endpoint service to communicate with KMS. §­«ª©¬¨®¯°±²³§­«ª©¬¨®¯°±²³    "  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';è ñ  ‡+º amazonka-kmsÏ Contains information about each custom key store in the custom key store
 list.See:  Å smart constructor.¼ amazonka-kmsÿ A unique identifier for the CloudHSM cluster that is associated with an
 CloudHSM key store. This field appears only when the
 CustomKeyStoreType is AWS_CLOUDHSM.½ amazonka-kmsÒ Describes the connection error. This field appears in the response only
 when the ConnectionState is FAILED.¬Many failures can be resolved by updating the properties of the custom
 key store. To update a custom key store, disconnect it
 (DisconnectCustomKeyStore), correct the errors (UpdateCustomKeyStore),
 and try to connect again (ConnectCustomKeyStore). For additional help
 resolving these errors, see
 Û https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failedHow to Fix a Connection Failure
 in &Key Management Service Developer Guide.All custom key stores:INTERNAL_ERRORÜ  ”@ KMS could not complete the request due to an
     internal error. Retry the request. For ConnectCustomKeyStoreÔ 
     requests, disconnect the custom key store before trying to connect
     again.NETWORK_ERRORSè  ”@ Network errors are preventing KMS from connecting
     the custom key store to its backing key store.CloudHSM key stores:CLUSTER_NOT_FOUNDË  ”@ KMS cannot find the CloudHSM cluster with the
     specified cluster ID.INSUFFICIENT_CLOUDHSM_HSMS· ”@ The associated CloudHSM cluster does
     not contain any active HSMs. To connect a custom key store to its
     CloudHSM cluster, the cluster must contain at least one active HSM.%INSUFFICIENT_FREE_ADDRESSES_IN_SUBNETœ ”@ At least one private
     subnet associated with the CloudHSM cluster doesn't have any
     available IP addresses. A CloudHSM key store connection requires one
     free IP address in each of the associated private subnets, although
     two are preferable. For details, see
     Û https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failedHow to Fix a Connection Failure
     in the &Key Management Service Developer Guide.INVALID_CREDENTIALS ”@ The KeyStorePasswordÉ  for the custom key
     store doesn't match the current password of the kmsuserŠ crypto
     user in the CloudHSM cluster. Before you can connect your custom key
     store to its CloudHSM cluster, you must change the kmsuser& account
     password and update the KeyStorePassword% value for the custom key
     store.SUBNET_NOT_FOUND· ”@ A subnet in the CloudHSM cluster configuration
     was deleted. If KMS cannot find all of the subnets in the cluster
     configuration, attempts to connect the custom key store to the
     CloudHSM cluster fail. To fix this error, create a cluster from a
     recent backup and associate it with your custom key store. (This
     process creates a new cluster configuration with a VPC and private
     subnets.) For details, see
     Û https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failedHow to Fix a Connection Failure
     in the &Key Management Service Developer Guide.USER_LOCKED_OUT ”@ The kmsuserÐ CU account is locked out of the
     associated CloudHSM cluster due to too many failed password
     attempts. Before you can connect your custom key store to its
     CloudHSM cluster, you must change the kmsuserØ  account password and
     update the key store password value for the custom key store.USER_LOGGED_IN ”@ The kmsuserê  CU account is logged into the
     associated CloudHSM cluster. This prevents KMS from rotating the
     kmsuser‘ account password and logging into the cluster. Before you
     can connect your custom key store to its CloudHSM cluster, you must
     log the kmsuser0 CU out of the cluster. If you changed the
     kmsuser‹ password to log into the cluster, you must also and update
     the key store password value for the custom key store. For help, see
     × https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2How to Log Out and Reconnect
     in the &Key Management Service Developer Guide.USER_NOT_FOUND ”@ KMS cannot find a kmsuser’ CU account in the
     associated CloudHSM cluster. Before you can connect your custom key
     store to its CloudHSM cluster, you must create a kmsuserì  CU
     account in the cluster, and then update the key store password value
     for the custom key store.External key stores:	INVALID_CREDENTIALS ”@ One or both of the
      XksProxyAuthenticationCredentialÄ  values is not valid on the
     specified external key store proxy.XKS_PROXY_ACCESS_DENIEDÔ ”@ KMS requests are denied access to the
     external key store proxy. If the external key store proxy has
     authorization rules, verify that they permit KMS to communicate with
     the proxy on your behalf.XKS_PROXY_INVALID_CONFIGURATIONþ  ”@ A configuration error is
     preventing the external key store from connecting to its proxy.
     Verify the value of the XksProxyUriPath.XKS_PROXY_INVALID_RESPONSE° ”@ KMS cannot interpret the response
     from the external key store proxy. If you see this connection error
     code repeatedly, notify your external key store proxy vendor.#XKS_PROXY_INVALID_TLS_CONFIGURATION… ”@ KMS cannot connect to the
     external key store proxy because the TLS configuration is invalid.
     Verify that the XKS proxy supports TLS 1.2 or 1.3. Also, verify that
     the TLS certificate is not expired, and that it matches the hostname
     in the XksProxyUriEndpointÓ  value, and that it is signed by a
     certificate authority included in the
     Ø https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthoritiesTrusted Certificate Authorities
     list.XKS_PROXY_NOT_REACHABLEÒ  ”@ KMS can't communicate with your
     external key store proxy. Verify that the XksProxyUriEndpoint
 and
     XksProxyUriPathì are correct. Use the tools for your external key
     store proxy to verify that the proxy is active and available on its
     network. Also, verify that your external key manager instances are
     operating properly. Connection attempts fail with this connection
     error code if the proxy reports that all external key manager
     instances are unavailable.XKS_PROXY_TIMED_OUTÝ ”@ KMS can connect to the external key store
     proxy, but the proxy does not respond to KMS in the time allotted.
     If you see this connection error code repeatedly, notify your
     external key store proxy vendor..XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATIONý  ”@ The Amazon VPC
     endpoint service configuration doesn't conform to the requirements
     for an KMS external key store.The VPC endpoint service must be an endpoint service for
    interface endpoints in the caller's Amazon Web Services
    account.ø It must have a network load balancer (NLB) connected to at least
    two subnets, each in a different Availability Zone.The Allow principalsÁ  list must include the KMS service
    principal for the Region, cks.kms.<region>.amazonaws.com,
    such as cks.kms.us-east-1.amazonaws.com.It must not require
    Ï https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html
acceptance
    of connection requests.Ù It must have a private DNS name. The private DNS name for an
    external key store with VPC_ENDPOINT_SERVICEÃ  connectivity must
    be unique in its Amazon Web Services Region.3The domain of the private DNS name must have a
    Æ https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.htmlverification status
    of verified.The
    Ø https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.htmlTLS certificateÏ 
    specifies the private DNS hostname at which the endpoint is
    reachable."XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND„ ”@ KMS can't find the VPC
     endpoint service that it uses to communicate with the external key
     store proxy. Verify that the XksProxyVpcEndpointServiceNameø  is
     correct and the KMS service principal has service consumer
     permissions on the Amazon VPC endpoint service.¾ amazonka-kmsî Indicates whether the custom key store is connected to its backing key
 store. For an CloudHSM key store, the ConnectionStateÝ  indicates
 whether it is connected to its CloudHSM cluster. For an external key
 store, the ConnectionStateö  indicates whether it is connected to the
 external key store proxy that communicates with your external key
 manager.É You can create and use KMS keys in your custom key stores only when its
 ConnectionState is 	CONNECTED.The ConnectionState
 value is DISCONNECTED† only if the key store has
 never been connected or you use the DisconnectCustomKeyStore operation
 to disconnect it. If the value is 	CONNECTEDé but you are having trouble
 using the custom key store, make sure that the backing key store is
 reachable and active. For an CloudHSM key store, verify that its
 associated CloudHSM cluster is active and contains at least one active
 HSM. For an external key store, verify that the external key store proxy
 and external key manager are connected and enabled.A value of FAILED= indicates that an attempt to connect was
 unsuccessful. The ConnectionErrorCodeê  field in the response indicates
 the cause of the failure. For help resolving a connection failure, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html"Troubleshooting a custom key store	
 in the &Key Management Service Developer Guide.¿ amazonka-kms8The date and time when the custom key store was created.À amazonka-kms-A unique identifier for the custom key store.Á amazonka-kms:The user-specified friendly name for the custom key store.Â amazonka-kms,Indicates the type of the custom key store. AWS_CLOUDHSM> indicates a
 custom key store backed by an CloudHSM cluster. EXTERNAL_KEY_STOREþ 
 indicates a custom key store backed by an external key store proxy and
 external key manager outside of Amazon Web Services.Ã amazonka-kmsç The trust anchor certificate of the CloudHSM cluster associated with an
 CloudHSM key store. When you
 Ö https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csrinitialize the cluster2,
 you create this certificate and save it in the customerCA.crt file.!This field appears only when the CustomKeyStoreType is AWS_CLOUDHSM.Ä amazonka-kms„Configuration settings for the external key store proxy (XKS proxy). The
 external key store proxy translates KMS requests into a format that your
 external key manager can understand. The proxy configuration includes
 connection information that KMS requires.!This field appears only when the CustomKeyStoreType is
 EXTERNAL_KEY_STORE.Å amazonka-kmsCreate a value of  º" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¼,  Æ‚ - A unique identifier for the CloudHSM cluster that is associated with an
 CloudHSM key store. This field appears only when the
 CustomKeyStoreType is AWS_CLOUDHSM. ½,  ÇÕ  - Describes the connection error. This field appears in the response only
 when the ConnectionState is FAILED.¬Many failures can be resolved by updating the properties of the custom
 key store. To update a custom key store, disconnect it
 (DisconnectCustomKeyStore), correct the errors (UpdateCustomKeyStore),
 and try to connect again (ConnectCustomKeyStore). For additional help
 resolving these errors, see
 Û https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failedHow to Fix a Connection Failure
 in &Key Management Service Developer Guide.All custom key stores:INTERNAL_ERRORÜ  ”@ KMS could not complete the request due to an
     internal error. Retry the request. For ConnectCustomKeyStoreÔ 
     requests, disconnect the custom key store before trying to connect
     again.NETWORK_ERRORSè  ”@ Network errors are preventing KMS from connecting
     the custom key store to its backing key store.CloudHSM key stores:CLUSTER_NOT_FOUNDË  ”@ KMS cannot find the CloudHSM cluster with the
     specified cluster ID.INSUFFICIENT_CLOUDHSM_HSMS· ”@ The associated CloudHSM cluster does
     not contain any active HSMs. To connect a custom key store to its
     CloudHSM cluster, the cluster must contain at least one active HSM.%INSUFFICIENT_FREE_ADDRESSES_IN_SUBNETœ ”@ At least one private
     subnet associated with the CloudHSM cluster doesn't have any
     available IP addresses. A CloudHSM key store connection requires one
     free IP address in each of the associated private subnets, although
     two are preferable. For details, see
     Û https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failedHow to Fix a Connection Failure
     in the &Key Management Service Developer Guide.INVALID_CREDENTIALS ”@ The KeyStorePasswordÉ  for the custom key
     store doesn't match the current password of the kmsuserŠ crypto
     user in the CloudHSM cluster. Before you can connect your custom key
     store to its CloudHSM cluster, you must change the kmsuser& account
     password and update the KeyStorePassword% value for the custom key
     store.SUBNET_NOT_FOUND· ”@ A subnet in the CloudHSM cluster configuration
     was deleted. If KMS cannot find all of the subnets in the cluster
     configuration, attempts to connect the custom key store to the
     CloudHSM cluster fail. To fix this error, create a cluster from a
     recent backup and associate it with your custom key store. (This
     process creates a new cluster configuration with a VPC and private
     subnets.) For details, see
     Û https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failedHow to Fix a Connection Failure
     in the &Key Management Service Developer Guide.USER_LOCKED_OUT ”@ The kmsuserÐ CU account is locked out of the
     associated CloudHSM cluster due to too many failed password
     attempts. Before you can connect your custom key store to its
     CloudHSM cluster, you must change the kmsuserØ  account password and
     update the key store password value for the custom key store.USER_LOGGED_IN ”@ The kmsuserê  CU account is logged into the
     associated CloudHSM cluster. This prevents KMS from rotating the
     kmsuser‘ account password and logging into the cluster. Before you
     can connect your custom key store to its CloudHSM cluster, you must
     log the kmsuser0 CU out of the cluster. If you changed the
     kmsuser‹ password to log into the cluster, you must also and update
     the key store password value for the custom key store. For help, see
     × https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2How to Log Out and Reconnect
     in the &Key Management Service Developer Guide.USER_NOT_FOUND ”@ KMS cannot find a kmsuser’ CU account in the
     associated CloudHSM cluster. Before you can connect your custom key
     store to its CloudHSM cluster, you must create a kmsuserì  CU
     account in the cluster, and then update the key store password value
     for the custom key store.External key stores:	INVALID_CREDENTIALS ”@ One or both of the
      XksProxyAuthenticationCredentialÄ  values is not valid on the
     specified external key store proxy.XKS_PROXY_ACCESS_DENIEDÔ ”@ KMS requests are denied access to the
     external key store proxy. If the external key store proxy has
     authorization rules, verify that they permit KMS to communicate with
     the proxy on your behalf.XKS_PROXY_INVALID_CONFIGURATIONþ  ”@ A configuration error is
     preventing the external key store from connecting to its proxy.
     Verify the value of the XksProxyUriPath.XKS_PROXY_INVALID_RESPONSE° ”@ KMS cannot interpret the response
     from the external key store proxy. If you see this connection error
     code repeatedly, notify your external key store proxy vendor.#XKS_PROXY_INVALID_TLS_CONFIGURATION… ”@ KMS cannot connect to the
     external key store proxy because the TLS configuration is invalid.
     Verify that the XKS proxy supports TLS 1.2 or 1.3. Also, verify that
     the TLS certificate is not expired, and that it matches the hostname
     in the XksProxyUriEndpointÓ  value, and that it is signed by a
     certificate authority included in the
     Ø https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthoritiesTrusted Certificate Authorities
     list.XKS_PROXY_NOT_REACHABLEÒ  ”@ KMS can't communicate with your
     external key store proxy. Verify that the XksProxyUriEndpoint
 and
     XksProxyUriPathì are correct. Use the tools for your external key
     store proxy to verify that the proxy is active and available on its
     network. Also, verify that your external key manager instances are
     operating properly. Connection attempts fail with this connection
     error code if the proxy reports that all external key manager
     instances are unavailable.XKS_PROXY_TIMED_OUTÝ ”@ KMS can connect to the external key store
     proxy, but the proxy does not respond to KMS in the time allotted.
     If you see this connection error code repeatedly, notify your
     external key store proxy vendor..XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATIONý  ”@ The Amazon VPC
     endpoint service configuration doesn't conform to the requirements
     for an KMS external key store.The VPC endpoint service must be an endpoint service for
    interface endpoints in the caller's Amazon Web Services
    account.ø It must have a network load balancer (NLB) connected to at least
    two subnets, each in a different Availability Zone.The Allow principalsÁ  list must include the KMS service
    principal for the Region, cks.kms.<region>.amazonaws.com,
    such as cks.kms.us-east-1.amazonaws.com.It must not require
    Ï https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html
acceptance
    of connection requests.Ù It must have a private DNS name. The private DNS name for an
    external key store with VPC_ENDPOINT_SERVICEÃ  connectivity must
    be unique in its Amazon Web Services Region.3The domain of the private DNS name must have a
    Æ https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.htmlverification status
    of verified.The
    Ø https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.htmlTLS certificateÏ 
    specifies the private DNS hostname at which the endpoint is
    reachable."XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND„ ”@ KMS can't find the VPC
     endpoint service that it uses to communicate with the external key
     store proxy. Verify that the XksProxyVpcEndpointServiceNameø  is
     correct and the KMS service principal has service consumer
     permissions on the Amazon VPC endpoint service. ¾,  Èñ  - Indicates whether the custom key store is connected to its backing key
 store. For an CloudHSM key store, the ConnectionStateÝ  indicates
 whether it is connected to its CloudHSM cluster. For an external key
 store, the ConnectionStateö  indicates whether it is connected to the
 external key store proxy that communicates with your external key
 manager.É You can create and use KMS keys in your custom key stores only when its
 ConnectionState is 	CONNECTED.The ConnectionState
 value is DISCONNECTED† only if the key store has
 never been connected or you use the DisconnectCustomKeyStore operation
 to disconnect it. If the value is 	CONNECTEDé but you are having trouble
 using the custom key store, make sure that the backing key store is
 reachable and active. For an CloudHSM key store, verify that its
 associated CloudHSM cluster is active and contains at least one active
 HSM. For an external key store, verify that the external key store proxy
 and external key manager are connected and enabled.A value of FAILED= indicates that an attempt to connect was
 unsuccessful. The ConnectionErrorCodeê  field in the response indicates
 the cause of the failure. For help resolving a connection failure, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html"Troubleshooting a custom key store	
 in the &Key Management Service Developer Guide. ¿,  É; - The date and time when the custom key store was created. À,  Ê0 - A unique identifier for the custom key store. Á,  Ë= - The user-specified friendly name for the custom key store. Â,  Ì/ - Indicates the type of the custom key store. AWS_CLOUDHSM> indicates a
 custom key store backed by an CloudHSM cluster. EXTERNAL_KEY_STOREþ 
 indicates a custom key store backed by an external key store proxy and
 external key manager outside of Amazon Web Services. Ã,  Íê  - The trust anchor certificate of the CloudHSM cluster associated with an
 CloudHSM key store. When you
 Ö https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csrinitialize the cluster2,
 you create this certificate and save it in the customerCA.crt file.!This field appears only when the CustomKeyStoreType is AWS_CLOUDHSM. Ä,  Î‡ - Configuration settings for the external key store proxy (XKS proxy). The
 external key store proxy translates KMS requests into a format that your
 external key manager can understand. The proxy configuration includes
 connection information that KMS requires.!This field appears only when the CustomKeyStoreType is
 EXTERNAL_KEY_STORE.Æ amazonka-kmsÿ A unique identifier for the CloudHSM cluster that is associated with an
 CloudHSM key store. This field appears only when the
 CustomKeyStoreType is AWS_CLOUDHSM.Ç amazonka-kmsÒ Describes the connection error. This field appears in the response only
 when the ConnectionState is FAILED.¬Many failures can be resolved by updating the properties of the custom
 key store. To update a custom key store, disconnect it
 (DisconnectCustomKeyStore), correct the errors (UpdateCustomKeyStore),
 and try to connect again (ConnectCustomKeyStore). For additional help
 resolving these errors, see
 Û https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failedHow to Fix a Connection Failure
 in &Key Management Service Developer Guide.All custom key stores:INTERNAL_ERRORÜ  ”@ KMS could not complete the request due to an
     internal error. Retry the request. For ConnectCustomKeyStoreÔ 
     requests, disconnect the custom key store before trying to connect
     again.NETWORK_ERRORSè  ”@ Network errors are preventing KMS from connecting
     the custom key store to its backing key store.CloudHSM key stores:CLUSTER_NOT_FOUNDË  ”@ KMS cannot find the CloudHSM cluster with the
     specified cluster ID.INSUFFICIENT_CLOUDHSM_HSMS· ”@ The associated CloudHSM cluster does
     not contain any active HSMs. To connect a custom key store to its
     CloudHSM cluster, the cluster must contain at least one active HSM.%INSUFFICIENT_FREE_ADDRESSES_IN_SUBNETœ ”@ At least one private
     subnet associated with the CloudHSM cluster doesn't have any
     available IP addresses. A CloudHSM key store connection requires one
     free IP address in each of the associated private subnets, although
     two are preferable. For details, see
     Û https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failedHow to Fix a Connection Failure
     in the &Key Management Service Developer Guide.INVALID_CREDENTIALS ”@ The KeyStorePasswordÉ  for the custom key
     store doesn't match the current password of the kmsuserŠ crypto
     user in the CloudHSM cluster. Before you can connect your custom key
     store to its CloudHSM cluster, you must change the kmsuser& account
     password and update the KeyStorePassword% value for the custom key
     store.SUBNET_NOT_FOUND· ”@ A subnet in the CloudHSM cluster configuration
     was deleted. If KMS cannot find all of the subnets in the cluster
     configuration, attempts to connect the custom key store to the
     CloudHSM cluster fail. To fix this error, create a cluster from a
     recent backup and associate it with your custom key store. (This
     process creates a new cluster configuration with a VPC and private
     subnets.) For details, see
     Û https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failedHow to Fix a Connection Failure
     in the &Key Management Service Developer Guide.USER_LOCKED_OUT ”@ The kmsuserÐ CU account is locked out of the
     associated CloudHSM cluster due to too many failed password
     attempts. Before you can connect your custom key store to its
     CloudHSM cluster, you must change the kmsuserØ  account password and
     update the key store password value for the custom key store.USER_LOGGED_IN ”@ The kmsuserê  CU account is logged into the
     associated CloudHSM cluster. This prevents KMS from rotating the
     kmsuser‘ account password and logging into the cluster. Before you
     can connect your custom key store to its CloudHSM cluster, you must
     log the kmsuser0 CU out of the cluster. If you changed the
     kmsuser‹ password to log into the cluster, you must also and update
     the key store password value for the custom key store. For help, see
     × https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2How to Log Out and Reconnect
     in the &Key Management Service Developer Guide.USER_NOT_FOUND ”@ KMS cannot find a kmsuser’ CU account in the
     associated CloudHSM cluster. Before you can connect your custom key
     store to its CloudHSM cluster, you must create a kmsuserì  CU
     account in the cluster, and then update the key store password value
     for the custom key store.External key stores:	INVALID_CREDENTIALS ”@ One or both of the
      XksProxyAuthenticationCredentialÄ  values is not valid on the
     specified external key store proxy.XKS_PROXY_ACCESS_DENIEDÔ ”@ KMS requests are denied access to the
     external key store proxy. If the external key store proxy has
     authorization rules, verify that they permit KMS to communicate with
     the proxy on your behalf.XKS_PROXY_INVALID_CONFIGURATIONþ  ”@ A configuration error is
     preventing the external key store from connecting to its proxy.
     Verify the value of the XksProxyUriPath.XKS_PROXY_INVALID_RESPONSE° ”@ KMS cannot interpret the response
     from the external key store proxy. If you see this connection error
     code repeatedly, notify your external key store proxy vendor.#XKS_PROXY_INVALID_TLS_CONFIGURATION… ”@ KMS cannot connect to the
     external key store proxy because the TLS configuration is invalid.
     Verify that the XKS proxy supports TLS 1.2 or 1.3. Also, verify that
     the TLS certificate is not expired, and that it matches the hostname
     in the XksProxyUriEndpointÓ  value, and that it is signed by a
     certificate authority included in the
     Ø https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthoritiesTrusted Certificate Authorities
     list.XKS_PROXY_NOT_REACHABLEÒ  ”@ KMS can't communicate with your
     external key store proxy. Verify that the XksProxyUriEndpoint
 and
     XksProxyUriPathì are correct. Use the tools for your external key
     store proxy to verify that the proxy is active and available on its
     network. Also, verify that your external key manager instances are
     operating properly. Connection attempts fail with this connection
     error code if the proxy reports that all external key manager
     instances are unavailable.XKS_PROXY_TIMED_OUTÝ ”@ KMS can connect to the external key store
     proxy, but the proxy does not respond to KMS in the time allotted.
     If you see this connection error code repeatedly, notify your
     external key store proxy vendor..XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATIONý  ”@ The Amazon VPC
     endpoint service configuration doesn't conform to the requirements
     for an KMS external key store.The VPC endpoint service must be an endpoint service for
    interface endpoints in the caller's Amazon Web Services
    account.ø It must have a network load balancer (NLB) connected to at least
    two subnets, each in a different Availability Zone.The Allow principalsÁ  list must include the KMS service
    principal for the Region, cks.kms.<region>.amazonaws.com,
    such as cks.kms.us-east-1.amazonaws.com.It must not require
    Ï https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html
acceptance
    of connection requests.Ù It must have a private DNS name. The private DNS name for an
    external key store with VPC_ENDPOINT_SERVICEÃ  connectivity must
    be unique in its Amazon Web Services Region.3The domain of the private DNS name must have a
    Æ https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.htmlverification status
    of verified.The
    Ø https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.htmlTLS certificateÏ 
    specifies the private DNS hostname at which the endpoint is
    reachable."XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND„ ”@ KMS can't find the VPC
     endpoint service that it uses to communicate with the external key
     store proxy. Verify that the XksProxyVpcEndpointServiceNameø  is
     correct and the KMS service principal has service consumer
     permissions on the Amazon VPC endpoint service.È amazonka-kmsî Indicates whether the custom key store is connected to its backing key
 store. For an CloudHSM key store, the ConnectionStateÝ  indicates
 whether it is connected to its CloudHSM cluster. For an external key
 store, the ConnectionStateö  indicates whether it is connected to the
 external key store proxy that communicates with your external key
 manager.É You can create and use KMS keys in your custom key stores only when its
 ConnectionState is 	CONNECTED.The ConnectionState
 value is DISCONNECTED† only if the key store has
 never been connected or you use the DisconnectCustomKeyStore operation
 to disconnect it. If the value is 	CONNECTEDé but you are having trouble
 using the custom key store, make sure that the backing key store is
 reachable and active. For an CloudHSM key store, verify that its
 associated CloudHSM cluster is active and contains at least one active
 HSM. For an external key store, verify that the external key store proxy
 and external key manager are connected and enabled.A value of FAILED= indicates that an attempt to connect was
 unsuccessful. The ConnectionErrorCodeê  field in the response indicates
 the cause of the failure. For help resolving a connection failure, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html"Troubleshooting a custom key store	
 in the &Key Management Service Developer Guide.É amazonka-kms8The date and time when the custom key store was created.Ê amazonka-kms-A unique identifier for the custom key store.Ë amazonka-kms:The user-specified friendly name for the custom key store.Ì amazonka-kms,Indicates the type of the custom key store. AWS_CLOUDHSM> indicates a
 custom key store backed by an CloudHSM cluster. EXTERNAL_KEY_STOREþ 
 indicates a custom key store backed by an external key store proxy and
 external key manager outside of Amazon Web Services.Í amazonka-kmsç The trust anchor certificate of the CloudHSM cluster associated with an
 CloudHSM key store. When you
 Ö https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csrinitialize the cluster2,
 you create this certificate and save it in the customerCA.crt file.!This field appears only when the CustomKeyStoreType is AWS_CLOUDHSM.Î amazonka-kms„Configuration settings for the external key store proxy (XKS proxy). The
 external key store proxy translates KMS requests into a format that your
 external key manager can understand. The proxy configuration includes
 connection information that KMS requires.!This field appears only when the CustomKeyStoreType is
 EXTERNAL_KEY_STORE. ºÄÃÂÁ¾½À¼¿»ÅÆÇÈÉÊËÌÍÎºÄÃÂÁ¾½À¼¿»ÅÆÇÈÉÊËÌÍÎ    #  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%ñ  Æ”/Õ amazonka-kmsAPI version 
2014-11-018 of the Amazon Key Management Service SDK configuration.Ö amazonka-kmsØ The request was rejected because it attempted to create a resource that
 already exists.× amazonka-kmsªThe request was rejected because the specified CloudHSM cluster is
 already associated with an CloudHSM key store in the account, or it
 shares a backup history with an CloudHSM key store in the account. Each
 CloudHSM key store in the account must be associated with a different
 CloudHSM cluster.”CloudHSM clusters that share a backup history have the same cluster
 certificate. To view the cluster certificate of an CloudHSM cluster, use
 the
 Ò https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.htmlDescribeClusters
 operation.Ø amazonka-kmsˆThe request was rejected because the associated CloudHSM cluster did not
 meet the configuration requirements for an CloudHSM key store.ý The CloudHSM cluster must be configured with private subnets in at
     least two different Availability Zones in the Region.	The
     Ç https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.htmlsecurity group for the cluster
     (cloudhsm-cluster-<cluster-id>ì -sg) must include inbound rules and
     outbound rules that allow TCP traffic on ports 2223-2225. The
     Source in the inbound rules and the Destinationó in the
     outbound rules must match the security group ID. These rules are set
     by default when you create the CloudHSM cluster. Do not delete or
     change them. To get information about a particular security group,
     use the
     Ö https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.htmlDescribeSecurityGroups
     operation.û The CloudHSM cluster must contain at least as many HSMs as the
     operation requires. To add HSMs, use the CloudHSM
     Ë https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html	CreateHsm
     operation.‰For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
operations, the CloudHSM cluster must have at least two active HSMs,
each in a different Availability Zone. For the ConnectCustomKeyStore
operation, the CloudHSM must contain at least one active HSM.ô For information about the requirements for an CloudHSM cluster that is
 associated with an CloudHSM key store, see
 Ú https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystoreAssemble the Prerequisites	
 in the &Key Management Service Developer GuideÑ . For information about
 creating a private subnet for an CloudHSM cluster, see
 É https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.htmlCreate a Private Subnet	
 in the CloudHSM User Guide7. For information about cluster security
 groups, see
 Ç https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html"Configure a Default Security Group

 in the /CloudHSM User Guide/ .Ù amazonka-kmsÍThe request was rejected because the CloudHSM cluster associated with
 the CloudHSM key store is not active. Initialize and activate the
 cluster and try the command again. For detailed instructions, see
 Ê https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.htmlGetting Started	
 in the CloudHSM User Guide.Ú amazonka-kms•The request was rejected because KMS cannot find the CloudHSM cluster
 with the specified cluster ID. Retry the request with a different
 cluster ID.Û amazonka-kmsØThe request was rejected because the specified CloudHSM cluster has a
 different cluster certificate than the original cluster. You cannot use
 the operation to specify an unrelated cluster for an CloudHSM key store.üSpecify an CloudHSM cluster that shares a backup history with the
 original cluster. This includes clusters that were created from a backup
 of the current cluster, and clusters that were created from the same
 backup that produced the current cluster.”CloudHSM clusters that share a backup history have the same cluster
 certificate. To view the cluster certificate of an CloudHSM cluster, use
 the
 Ò https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.htmlDescribeClusters
 operation.Ü amazonka-kms€The request was rejected because the custom key store contains KMS keys.
 After verifying that you do not need to use the KMS keys, use the
 ScheduleKeyDeletion operation to delete the KMS keys. After they are
 deleted, you can delete the custom key store.Ý amazonka-kms(The request was rejected because of the ConnectionState& of the custom
 key store. To get the ConnectionStateÃ  of a custom key store, use the
 DescribeCustomKeyStores operation.8This exception is thrown under the following conditions:Ô You requested the ConnectCustomKeyStore operation on a custom key
     store with a ConnectionState of DISCONNECTING or FAILED-. This
     operation is valid for all other ConnectionState3 values. To
     reconnect a custom key store in a FAILEDÍ  state, disconnect it
     (DisconnectCustomKeyStore), then connect it
     (ConnectCustomKeyStore).•You requested the CreateKey operation in a custom key store that is
     not connected. This operations is valid only when the custom key
     store ConnectionState is 	CONNECTED.× You requested the DisconnectCustomKeyStore operation on a custom key
     store with a ConnectionState of DISCONNECTING or DISCONNECTED-.
     This operation is valid for all other ConnectionState values.ºYou requested the UpdateCustomKeyStore or DeleteCustomKeyStore
     operation on a custom key store that is not disconnected. This
     operation is valid only when the custom key store ConnectionState	
     is DISCONNECTED.žYou requested the GenerateRandom operation in an CloudHSM key store
     that is not connected. This operation is valid only when the
     CloudHSM key store ConnectionState is 	CONNECTED.Þ amazonka-kmsÌThe request was rejected because the specified custom key store name is
 already assigned to another custom key store in the account. Try again
 with a custom key store name that is unique in the account.ß amazonka-kmsí The request was rejected because KMS cannot find a custom key store with
 the specified key store name or ID.à amazonka-kmsÕ The system timed out while trying to fulfill the request. You can retry
 the request.á amazonka-kmsÆ The request was rejected because the specified KMS key is not enabled.â amazonka-kmsãThe request was rejected because the specified import token is expired.
 Use GetParametersForImport to get a new import token and public key, use
 the new public key to encrypt the key material, and then try the request
 again.ã amazonka-kmsÕ The request was rejected because the specified KMS key cannot decrypt
 the data. The KeyId in a Decrypt request and the SourceKeyIdá  in a
 ReEncrypt request must identify the same KMS key that was used to
 encrypt the ciphertext.ä amazonka-kms¨The request was rejected because the key material in the request is,
 expired, invalid, or is not the same key material that was previously
 imported into this KMS key.å amazonka-kms¶The request was rejected because the trust anchor certificate in the
 request to create an CloudHSM key store is not the trust anchor
 certificate for the specified CloudHSM cluster.
When you
 Ö https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csrinitialize the CloudHSM cluster?,
 you create the trust anchor certificate and save it in the
 customerCA.crt file.æ amazonka-kmsÇ The request was rejected because the specified alias name is not valid.ç amazonka-kmsÛ The request was rejected because a specified ARN, or an ARN in a key
 policy, is not valid.è amazonka-kmsöFrom the Decrypt or ReEncrypt operation, the request was rejected
 because the specified ciphertext, or additional authenticated data
 incorporated into the ciphertext, such as the encryption context, is
 corrupted, missing, or otherwise invalid.ƒFrom the ImportKeyMaterial operation, the request was rejected because
 KMS could not decrypt the encrypted (wrapped) key material.é amazonka-kms/The request was rejected because the specified GrantId is not valid.ê amazonka-kmsÈ The request was rejected because the specified grant token is not valid.ë amazonka-kmsñ The request was rejected because the provided import token is invalid or
 is associated with a different KMS key.ì amazonka-kms:The request was rejected for one of the following reasons:The KeyUsageÂ  value of the KMS key is incompatible with the API
     operation.‘The encryption algorithm or signing algorithm specified for the
     operation is incompatible with the type of key material in the KMS
     key (KeySpec).Ê For encrypting, decrypting, re-encrypting, and generating data keys, the
 KeyUsage	 must be ENCRYPT_DECRYPT+. For signing and verifying
 messages, the KeyUsage	 must be SIGN_VERIFYÉ . For generating and
 verifying message authentication codes (MACs), the KeyUsage
 must be
 GENERATE_VERIFY_MAC. To find the KeyUsage. of a KMS key, use the
 DescribeKey operation.ð To find the encryption or signing algorithms supported for a particular
 KMS key, use the DescribeKey operation.í amazonka-kmsì The request was rejected because the marker that specifies where
 pagination should next begin is not valid.î amazonka-kmsÝ The request was rejected because an internal exception occurred. The
 request can be retried.ï amazonka-kmsâThe request was rejected because the HMAC verification failed. HMAC
 verification fails when the HMAC computed by using the specified
 message, HMAC KMS key, and MAC algorithm does not match the HMAC
 specified in the request.ð amazonka-kmséThe request was rejected because the signature verification failed.
 Signature verification fails when it cannot confirm that signature was
 produced by signing the specified message with the specified KMS key and
 signing algorithm.ñ amazonka-kmsä The request was rejected because the state of the specified resource is
 not valid for this request.+This exceptions means one of the following:Â The key state of the KMS key is not compatible with the operation.ŽTo find the key state, use the DescribeKey operation. For more
information about which key states are compatible with each KMS
operation, see
Ä https://docs.aws.amazon.com/kms/latest/developerguide/key-state.htmlKey states of KMS keys	
in the /&Key Management Service Developer Guide/ .áFor cryptographic operations on KMS keys in custom key stores, this
     exception represents a general failure with many possible causes. To
     identify the cause, see the error message that accompanies the
     exception.ò amazonka-kmså The request was rejected because the specified KMS key was not
 available. You can retry the request.ó amazonka-kmsÓ The request was rejected because a quota was exceeded. For more
 information, see
 Á https://docs.aws.amazon.com/kms/latest/developerguide/limits.htmlQuotas	
 in the &Key Management Service Developer Guide.ô amazonka-kmsä The request was rejected because the specified policy is not
 syntactically or semantically correct.õ amazonka-kmsÖ The request was rejected because the specified entity or resource could
 not be found.ö amazonka-kmsÀ The request was rejected because one or more tags are not valid.÷ amazonka-kmsThe request was rejected because a specified parameter is not supported
 or a specified resource is not valid for this operation.ø amazonka-kms&The request was rejected because the (XksKeyIdœ) is already associated
 with a KMS key in this external key store. Each KMS key in an external
 key store must be associated with a different external key.ù amazonka-kmsÄ The request was rejected because the external key specified by the
 XksKeyIdÒ  parameter did not meet the configuration requirements for an
 external key store.ê The external key must be an AES-256 symmetric key that is enabled and
 performs encryption and decryption.ú amazonka-kmsThe request was rejected because the external key store proxy could not
 find the external key. This exception is thrown when the value of the
 XksKeyIdæ  parameter doesn't identify a key in the external key manager
 associated with the external key proxy.Verify that the XksKeyIdí represents an existing key in the external
 key manager. Use the key identifier that the external key store proxy
 uses to identify the key. For details, see the documentation provided
 with your external key store proxy or key manager.û amazonka-kmsÊThe request was rejected because the proxy credentials failed to
 authenticate to the specified external key store proxy. The specified
 external key store proxy rejected a status request from KMS due to
 invalid credentials. This can indicate an error in the credentials or in
 the identification of the external key store proxy.ü amazonka-kms»The request was rejected because the Amazon VPC endpoint service
 configuration does not fulfill the requirements for an external key
 store proxy. For details, see the exception message.ý amazonka-kmsøKMS cannot interpret the response it received from the external key
 store proxy. The problem might be a poorly constructed response, but it
 could also be a transient network issue. If you see this error
 repeatedly, report it to the proxy vendor.þ amazonka-kms;The request was rejected because the concatenation of the
 XksProxyUriEndpointÈ is already associated with an external key store
 in the Amazon Web Services account and Region. Each external key store
 in an account and Region must use a unique external key store proxy
 address.ÿ amazonka-kms;The request was rejected because the concatenation of the
 XksProxyUriEndpoint and XksProxyUriPathÌ is already associated with
 an external key store in the Amazon Web Services account and Region.
 Each external key store in an account and Region must use a unique
 external key store proxy API address.€ amazonka-kms&KMS was unable to reach the specified XksProxyUriPathß . The path must
 be reachable before you create the external key store or update its
 settings.Ï This exception is also thrown when the external key store proxy response
 to a GetHealthStatusÌ  request indicates that all external key manager
 instances are unavailable. amazonka-kms¥The request was rejected because the specified Amazon VPC endpoint
 service is already associated with an external key store in the Amazon
 Web Services account and Region. Each external key store in an Amazon
 Web Services account and Region must use a different Amazon VPC endpoint
 service.‚ amazonka-kmsÀThe request was rejected because the Amazon VPC endpoint service
 configuration does not fulfill the requirements for an external key
 store proxy. For details, see the exception message and
 Ä kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirementsreview the requirementsÉ 
 for Amazon VPC endpoint service connectivity for an external key store.ƒ amazonka-kmsÒThe request was rejected because KMS could not find the specified VPC
 endpoint service. Use DescribeCustomKeyStores to verify the VPC endpoint
 service name for the external key store. Also, confirm that the
 Allow principalsà  list for the VPC endpoint service includes the KMS
 service principal for the Region, such as
 cks.kms.us-east-1.amazonaws.com. ›  !"#$%-A@?>=<;:9876543210./U\[ZYXVWptsqrˆ—–•”“’‘ŽŒ‹‰Š«µ´³²±°¯®¬­ÉÍÌÊËáçæåäâãûÿþüý“”•–—˜™¢´³²±°¯®­¬«ª©¨§¦¥£¤ÈÉÐËÊÌÍÎÏÑÒÓÔÕÖ×ØÙÚÛÜäåçæèéêòöõóôŠ™˜—–•”“’‘Ž‹Œ­·¶µ´³²±°®¯ËÐÏÎÌÍäåèæçéêëìôúùø÷õöŽ’‘¦§¨©ª«¬´¸·µ¶ÌÍÎÏÐÑÒÓÔÜâáàßÝÞö‚€ÿþýüûúù÷ø–—˜™š›œ¥¨¦§¼½¾¿ÀÈÉÑÍáËÊÌÎÏÐÒÓÔÕÖ×ØÙÚÛÜÝÞßàâãäåæçèéêëìíîïðñòóôõö÷øùú‚ƒ„…†‡ˆ“’‘§¨¬©ª«­®¯°±²³º»¿¼À½¾ÁÂÃÄÅÆÇÈÉÊËÌÍÎÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ƒ—ÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ƒ -A@?>=<;:9876543210./A@?>=<;:9876543210U\[ZYXVW\[ZYXptsqrtsˆ—–•”“’‘ŽŒ‹‰Š—–•”“’‘ŽŒ‹«µ´³²±°¯®¬­µ´³²±°¯®ÉÍÌÊËÍÌáçæåäâãçæåäûÿþüýÿþ¢´³²±°¯®­¬«ª©¨§¦¥£¤´³²±°¯®­¬«ª©¨§¦¥òöõóôöõŠ™˜—–•”“’‘Ž‹Œ™˜—–•”“’‘Ž­·¶µ´³²±°®¯·¶µ´³²±°ËÐÏÎÌÍÐÏÎôúùø÷õöúùø÷Ž’‘’‘´¸·µ¶¸·ÜâáàßÝÞâáàßö‚€ÿþýüûúù÷ø‚€ÿþýüûúù¥¨¦§¨“’‘“’ !"#$%º»¿¼À½¾ÁÂÃÄÅÆÇÈÉÊËÌÍÎ“”•–—˜™ÈÉÐËÊÌÍÎÏÑÒÓÔÕÖ×ØÙÚÛÜäåçæèéêÈÉÑÍáËÊÌÎÏÐÒÓÔÕÖ×ØÙÚÛÜÝÞßàâãäåæçèéêëìíîïðñòóôõö÷øùúäåèæçéêëìÌÍÎÏÐÑÒÓÔ¦§¨©ª«¬–—˜™š›œ¼½¾¿À‚ƒ„…†‡ˆ§¨¬©ª«­®¯°±²³    $  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  Ù^„ amazonka-kmsSee:   smart constructor.† amazonka-kmsSee:  Š smart constructor.ˆ amazonka-kms<Identifies a customer managed key in the account and Region.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.‰ amazonka-kmsOne or more tags.Ý Each tag consists of a tag key and a tag value. The tag value can be an
 empty (null) string.ÁYou cannot have more than one tag on a KMS key with the same tag key. If
 you specify an existing tag key with a different tag value, KMS replaces
 the current tag value with the specified one.Š amazonka-kmsCreate a value of  †" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: †,  ‹? - Identifies a customer managed key in the account and Region.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. ‰,  Œ - One or more tags.Ý Each tag consists of a tag key and a tag value. The tag value can be an
 empty (null) string.ÁYou cannot have more than one tag on a KMS key with the same tag key. If
 you specify an existing tag key with a different tag value, KMS replaces
 the current tag value with the specified one.‹ amazonka-kms<Identifies a customer managed key in the account and Region.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Œ amazonka-kmsOne or more tags.Ý Each tag consists of a tag key and a tag value. The tag value can be an
 empty (null) string.ÁYou cannot have more than one tag on a KMS key with the same tag key. If
 you specify an existing tag key with a different tag value, KMS replaces
 the current tag value with the specified one. amazonka-kmsCreate a value of  „" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.Š  amazonka-kms †
„…†‡‰ˆŠ‹Œ
†‡‰ˆŠ‹Œ„…    %  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ªž amazonka-kmsSee:  ± smart constructor.  amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN?)
 of the asymmetric KMS key that was used to sign the message.¡ amazonka-kms?The cryptographic signature that was generated for the message.è When used with the supported RSA signing algorithms, the encoding of
     this value is defined by
     #https://tools.ietf.org/html/rfc8017PKCS #1 in RFC 8017.When used with the ECDSA_SHA_256, ECDSA_SHA_384
, or
     ECDSA_SHA_512ã  signing algorithms, this value is a DER-encoded
     object as defined by ANS X9.62“@2005 and
     1https://tools.ietf.org/html/rfc3279#section-2.2.3RFC 3279 Section 2.2.3Ý .
     This is the most commonly used signature format and is appropriate
     for most uses.ü When you use the HTTP API or the Amazon Web Services CLI, the value is
 Base64-encoded. Otherwise, it is not Base64-encoded.¢ amazonka-kms8The signing algorithm that was used to sign the message.£ amazonka-kms The response's http status code.¤ amazonka-kmsSee:  « smart constructor.¦ amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.§ amazonka-kms#Tells KMS whether the value of the Messageþ  parameter is a message or
 message digest. The default value, RAW, indicates a message. To indicate
 a message digest, enter DIGEST.¨ amazonka-kmsï Identifies an asymmetric KMS key. KMS uses the private key in the
 asymmetric KMS key to sign the message. The KeyUsage type of the KMS
 key must be SIGN_VERIFY. To find the KeyUsage. of a KMS key, use the
 DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.© amazonka-kms…Specifies the message or message digest to sign. Messages can be 0-4096
 bytes. To sign a larger message, provide the message digest.Ø If you provide a message, KMS generates a hash digest of the message and
 then signs it.ª amazonka-kmsÀ Specifies the signing algorithm to use when signing the message.ã Choose an algorithm that is compatible with the type and size of the
 specified asymmetric KMS key.« amazonka-kmsCreate a value of  ¤" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¦,  ¬ - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. §,  ­& - Tells KMS whether the value of the Messageþ  parameter is a message or
 message digest. The default value, RAW, indicates a message. To indicate
 a message digest, enter DIGEST. ¤,  ®ò  - Identifies an asymmetric KMS key. KMS uses the private key in the
 asymmetric KMS key to sign the message. The KeyUsage type of the KMS
 key must be SIGN_VERIFY. To find the KeyUsage. of a KMS key, use the
 DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases. ©,  ¯ˆ - Specifies the message or message digest to sign. Messages can be 0-4096
 bytes. To sign a larger message, provide the message digest.ß If you provide a message, KMS generates a hash digest of the message and
 then signs it.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. ¤,  °Ã  - Specifies the signing algorithm to use when signing the message.ã Choose an algorithm that is compatible with the type and size of the
 specified asymmetric KMS key.¬ amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.­ amazonka-kms#Tells KMS whether the value of the Messageþ  parameter is a message or
 message digest. The default value, RAW, indicates a message. To indicate
 a message digest, enter DIGEST.® amazonka-kmsï Identifies an asymmetric KMS key. KMS uses the private key in the
 asymmetric KMS key to sign the message. The KeyUsage type of the KMS
 key must be SIGN_VERIFY. To find the KeyUsage. of a KMS key, use the
 DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.¯ amazonka-kms…Specifies the message or message digest to sign. Messages can be 0-4096
 bytes. To sign a larger message, provide the message digest.ß If you provide a message, KMS generates a hash digest of the message and
 then signs it.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.° amazonka-kmsÀ Specifies the signing algorithm to use when signing the message.ã Choose an algorithm that is compatible with the type and size of the
 specified asymmetric KMS key.± amazonka-kmsCreate a value of  ž" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¤,  ² - The Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN?)
 of the asymmetric KMS key that was used to sign the message. ¡,  ³Â  - The cryptographic signature that was generated for the message.è When used with the supported RSA signing algorithms, the encoding of
     this value is defined by
     #https://tools.ietf.org/html/rfc8017PKCS #1 in RFC 8017.When used with the ECDSA_SHA_256, ECDSA_SHA_384
, or
     ECDSA_SHA_512ã  signing algorithms, this value is a DER-encoded
     object as defined by ANS X9.62“@2005 and
     1https://tools.ietf.org/html/rfc3279#section-2.2.3RFC 3279 Section 2.2.3Ý .
     This is the most commonly used signature format and is appropriate
     for most uses.ƒWhen you use the HTTP API or the Amazon Web Services CLI, the value is
 Base64-encoded. Otherwise, it is not Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. ¤,  ´; - The signing algorithm that was used to sign the message. £,  µ# - The response's http status code.² amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN?)
 of the asymmetric KMS key that was used to sign the message.³ amazonka-kms?The cryptographic signature that was generated for the message.è When used with the supported RSA signing algorithms, the encoding of
     this value is defined by
     #https://tools.ietf.org/html/rfc8017PKCS #1 in RFC 8017.When used with the ECDSA_SHA_256, ECDSA_SHA_384
, or
     ECDSA_SHA_512ã  signing algorithms, this value is a DER-encoded
     object as defined by ANS X9.62“@2005 and
     1https://tools.ietf.org/html/rfc3279#section-2.2.3RFC 3279 Section 2.2.3Ý .
     This is the most commonly used signature format and is appropriate
     for most uses.ƒWhen you use the HTTP API or the Amazon Web Services CLI, the value is
 Base64-encoded. Otherwise, it is not Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.´ amazonka-kms8The signing algorithm that was used to sign the message.µ amazonka-kms The response's http status code.«  amazonka-kms ¤ amazonka-kms © amazonka-kms ¤±  amazonka-kms £žŸ¡ ¢£¤¥©¨¦§ª«¬­®¯°±²³´µ¤¥©¨¦§ª«¬­®¯°žŸ¡ ¢£±²³´µ    &  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ":Å amazonka-kmsSee:  Ó smart constructor.Ç amazonka-kms6The date and time after which KMS deletes the KMS key.¶If the KMS key is a multi-Region primary key with replica keys, this
 field does not appear. The deletion date for the primary key isn't
 known until its last replica key is deleted.È amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN.)
 of the KMS key whose deletion is scheduled.É amazonka-kms"The current status of the KMS key.Í For more information about how key state affects the use of a KMS key,
 see
 Ä https://docs.aws.amazon.com/kms/latest/developerguide/key-state.htmlKey states of KMS keys	
 in the &Key Management Service Developer Guide.Ê amazonka-kms1The waiting period before the KMS key is deleted.·If the KMS key is a multi-Region primary key with replicas, the waiting
 period begins when the last of its replica keys is deleted. Otherwise,
 the waiting period begins immediately.Ë amazonka-kms The response's http status code.Ì amazonka-kmsSee:  Ð smart constructor.Î amazonka-kmsé The waiting period, specified in number of days. After the waiting
 period ends, KMS deletes the KMS key.»If the KMS key is a multi-Region primary key with replica keys, the
 waiting period begins when the last of its replica keys is deleted.
 Otherwise, the waiting period begins immediately.ŠThis value is optional. If you include a value, it must be between 7 and
 30, inclusive. If you do not include a value, it defaults to 30.Ï amazonka-kms/The unique identifier of the KMS key to delete.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ð amazonka-kmsCreate a value of  Ì" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Ì,  Ñì  - The waiting period, specified in number of days. After the waiting
 period ends, KMS deletes the KMS key.»If the KMS key is a multi-Region primary key with replica keys, the
 waiting period begins when the last of its replica keys is deleted.
 Otherwise, the waiting period begins immediately.ŠThis value is optional. If you include a value, it must be between 7 and
 30, inclusive. If you do not include a value, it defaults to 30. Ì,  Ò2 - The unique identifier of the KMS key to delete.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ñ amazonka-kmsé The waiting period, specified in number of days. After the waiting
 period ends, KMS deletes the KMS key.»If the KMS key is a multi-Region primary key with replica keys, the
 waiting period begins when the last of its replica keys is deleted.
 Otherwise, the waiting period begins immediately.ŠThis value is optional. If you include a value, it must be between 7 and
 30, inclusive. If you do not include a value, it defaults to 30.Ò amazonka-kms/The unique identifier of the KMS key to delete.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ó amazonka-kmsCreate a value of  Å" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Å,  Ô9 - The date and time after which KMS deletes the KMS key.¶If the KMS key is a multi-Region primary key with replica keys, this
 field does not appear. The deletion date for the primary key isn't
 known until its last replica key is deleted. Ì,  Õ - The Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN.)
 of the KMS key whose deletion is scheduled. Å,  Ö% - The current status of the KMS key.Í For more information about how key state affects the use of a KMS key,
 see
 Ä https://docs.aws.amazon.com/kms/latest/developerguide/key-state.htmlKey states of KMS keys	
 in the &Key Management Service Developer Guide. Ì,  ×4 - The waiting period before the KMS key is deleted.·If the KMS key is a multi-Region primary key with replicas, the waiting
 period begins when the last of its replica keys is deleted. Otherwise,
 the waiting period begins immediately. Ë,  Ø# - The response's http status code.Ô amazonka-kms6The date and time after which KMS deletes the KMS key.¶If the KMS key is a multi-Region primary key with replica keys, this
 field does not appear. The deletion date for the primary key isn't
 known until its last replica key is deleted.Õ amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN.)
 of the KMS key whose deletion is scheduled.Ö amazonka-kms"The current status of the KMS key.Í For more information about how key state affects the use of a KMS key,
 see
 Ä https://docs.aws.amazon.com/kms/latest/developerguide/key-state.htmlKey states of KMS keys	
 in the &Key Management Service Developer Guide.× amazonka-kms1The waiting period before the KMS key is deleted.·If the KMS key is a multi-Region primary key with replicas, the waiting
 period begins when the last of its replica keys is deleted. Otherwise,
 the waiting period begins immediately.Ø amazonka-kms The response's http status code.Ð  amazonka-kms ÌÓ  amazonka-kms ËÅÆÈÇÉËÊÌÍÏÎÐÑÒÓÔÕÖ×ØÌÍÏÎÐÑÒÅÆÈÇÉËÊÓÔÕÖ×Ø    '  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  . é amazonka-kmsSee:  ò smart constructor.ë amazonka-kmsSee:  ï smart constructor.í amazonka-kms‰A unique identifier for the KMS key associated with the grant. To get
 the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.‰Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
 different Amazon Web Services account, you must use the key ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.î amazonka-kmsê Identifies the grant to revoke. To get the grant ID, use CreateGrant,
 ListGrants, or ListRetirableGrants.ï amazonka-kmsCreate a value of  ë" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ë,  ðŒ - A unique identifier for the KMS key associated with the grant. To get
 the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.‰Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
 different Amazon Web Services account, you must use the key ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. ë,  ñí  - Identifies the grant to revoke. To get the grant ID, use CreateGrant,
 ListGrants, or ListRetirableGrants.ð amazonka-kms‰A unique identifier for the KMS key associated with the grant. To get
 the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.‰Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
 different Amazon Web Services account, you must use the key ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.ñ amazonka-kmsê Identifies the grant to revoke. To get the grant ID, use CreateGrant,
 ListGrants, or ListRetirableGrants.ò amazonka-kmsCreate a value of  é" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï  amazonka-kms ë amazonka-kms ë
éêëìîíïðñò
ëìîíïðñéêò    (  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  <û
ƒ amazonka-kmsSee:  Ž smart constructor.… amazonka-kmsSee:  Š smart constructor.‡ amazonka-kmsê Identifies the grant to retire. To get the grant ID, use CreateGrant,
 ListGrants, or ListRetirableGrants.Ø Grant ID Example -
     0123456789012345678901234567890123456789012345678901234567890123ˆ amazonka-kmsˆIdentifies the grant to be retired. You can use a grant token to
 identify a new grant even before it has achieved eventual consistency.È Only the CreateGrant operation returns a grant token. For details, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistencyEventual consistency	
 in the &Key Management Service Developer Guide.‰ amazonka-kmsà The key ARN KMS key associated with the grant. To find the key ARN, use
 the ListKeys operation.For example:
 Ë arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890abŠ amazonka-kmsCreate a value of  …" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: …,  ‹í  - Identifies the grant to retire. To get the grant ID, use CreateGrant,
 ListGrants, or ListRetirableGrants.Ø Grant ID Example -
     0123456789012345678901234567890123456789012345678901234567890123 ˆ,  Œ‹ - Identifies the grant to be retired. You can use a grant token to
 identify a new grant even before it has achieved eventual consistency.È Only the CreateGrant operation returns a grant token. For details, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistencyEventual consistency	
 in the &Key Management Service Developer Guide. …,  ã  - The key ARN KMS key associated with the grant. To find the key ARN, use
 the ListKeys operation.For example:
 Ë arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab‹ amazonka-kmsê Identifies the grant to retire. To get the grant ID, use CreateGrant,
 ListGrants, or ListRetirableGrants.Ø Grant ID Example -
     0123456789012345678901234567890123456789012345678901234567890123Œ amazonka-kmsˆIdentifies the grant to be retired. You can use a grant token to
 identify a new grant even before it has achieved eventual consistency.È Only the CreateGrant operation returns a grant token. For details, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistencyEventual consistency	
 in the &Key Management Service Developer Guide. amazonka-kmsà The key ARN KMS key associated with the grant. To find the key ARN, use
 the ListKeys operation.For example:
 Ë arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890abŽ amazonka-kmsCreate a value of  ƒ" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields. ƒ„…†‡‰ˆŠ‹ŒŽ…†‡‰ˆŠ‹Œƒ„Ž    )  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ   ¥Ÿ amazonka-kmsSee:  ´ smart constructor.¡ amazonka-kmsÒ Displays details about the new replica key, including its Amazon
 Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN)
 and
 Ä https://docs.aws.amazon.com/kms/latest/developerguide/key-state.htmlKey states of KMS keysæ .
 It also includes the ARN and Amazon Web Services Region of its primary
 key and other replica keys.¢ amazonka-kmsÚ The key policy of the new replica key. The value is a key policy
 document in JSON format.£ amazonka-kmsÕ The tags on the new replica key. The value is a list of tag key and tag
 value pairs.¤ amazonka-kms The response's http status code.¥ amazonka-kmsSee:  ­ smart constructor.§ amazonka-kmsÊ A flag to indicate whether to bypass the key policy lockout safety
 check.…Setting this value to true increases the risk that the KMS key becomes
 unmanageable. Do not set this value to true indiscriminately.4For more information, refer to the scenario in the
 ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
 section in the &Key Management Service Developer Guide.ö Use this parameter only when you intend to prevent the principal that is
 making the request from making a subsequent PutKeyPolicy request on
 the KMS key.The default value is false.¨ amazonka-kmsÕ A description of the KMS key. The default value is an empty string (no
 description).ÝThe description is not a shared property of multi-Region keys. You can
 specify the same description or a different description for each key in
 a set of related multi-Region keys. KMS does not synchronize this
 property.© amazonka-kmsü The key policy to attach to the KMS key. This parameter is optional. If
 you do not provide a key policy, KMS attaches the
 Ú https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-defaultdefault key policy
 to the KMS key.ÚThe key policy is not a shared property of multi-Region keys. You can
 specify the same key policy or a different key policy for each key in a
 set of related multi-Region keys. KMS does not synchronize this
 property.Á If you provide a key policy, it must meet the following criteria:If you don't set BypassPolicyLockoutSafetyCheck3 to true, the key
     policy must give the caller kms:PutKeyPolicyŸ permission on the
     replica key. This reduces the risk that the KMS key becomes
     unmanageable. For more information, refer to the scenario in the
     ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
     section of the /&Key Management Service Developer Guide/ .¶Each statement in the key policy must contain one or more
     principals. The principals in the key policy must exist and be
     visible to KMS. When you create a new Amazon Web Services principal
     (for example, an IAM user or role), you might need to enforce a
     delay before including the new principal in a key policy because the
     new principal might not be immediately visible to KMS. For more
     information, see
     ô https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency6Changes that I make are not always immediately visible
     in the /)Identity and Access Management User Guide/ .À A key policy document can include only the following characters:5Printable ASCII characters from the space character (\u00204)
     through the end of the ASCII character range.Û Printable characters in the Basic Latin and Latin-1 Supplement
     character set (through \u00FF).	The tab (\u0009), line feed (\u000A), and carriage return
     (\u000D) special characters)For information about key policies, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.htmlKey policies in KMS	
 in the &Key Management Service Developer GuideÄ . For help writing and
 formatting a JSON policy document, see the
 È https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.htmlIAM JSON Policy Reference

 in the /)Identity and Access Management User Guide/ .ª amazonka-kms£Assigns one or more tags to the replica key. Use this parameter to tag
 the KMS key when it is created. To tag an existing KMS key, use the
 TagResource operation.ß Tagging or untagging a KMS key can allow or deny permission to the KMS
 key. For details, see
 ?https://docs.aws.amazon.com/kms/latest/developerguide/abac.htmlABAC for KMS	
 in the &Key Management Service Developer Guide.&To use this parameter, you must have
 Ø https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.htmlkms:TagResource
 permission in an IAM policy.ÂTags are not a shared property of multi-Region keys. You can specify the
 same tags or different tags for each key in a set of related
 multi-Region keys. KMS does not synchronize this property.ÕEach tag consists of a tag key and a tag value. Both the tag key and the
 tag value are required, but the tag value can be an empty (null) string.
 You cannot have more than one tag on a KMS key with the same tag key. If
 you specify an existing tag key with a different tag value, KMS replaces
 the current tag value with the specified one.áWhen you add tags to an Amazon Web Services resource, Amazon Web
 Services generates a cost allocation report with usage and costs
 aggregated by tags. Tags can also be used to control access to a KMS
 key. For details, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.htmlTagging Keys.« amazonka-kmsºIdentifies the multi-Region primary key that is being replicated. To
 determine whether a KMS key is a multi-Region primary key, use the
 DescribeKey operation to check the value of the MultiRegionKeyType
 property.<Specify the key ID or key ARN of a multi-Region primary key.For example:Key ID: $mrk-1234abcd12ab34cd56ef1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.¬ amazonka-kmsÅ The Region ID of the Amazon Web Services Region for this replica key.Enter the Region ID, such as 	us-east-1 or ap-southeast-2Í . For a list
 of Amazon Web Services Regions in which KMS is supported, see
 Á https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_regionKMS service endpoints	
 in the %Amazon Web Services General Reference.¹HMAC KMS keys are not supported in all Amazon Web Services Regions. If
 you try to replicate an HMAC KMS key in an Amazon Web Services Region in
 which HMAC keys are not supported, the ReplicateKey operation returns
 an UnsupportedOperationExceptionÄ . For a list of Regions in which HMAC
 KMS keys are supported, see
 ?https://docs.aws.amazon.com/kms/latest/developerguide/hmac.htmlHMAC keys in KMS	
 in the &Key Management Service Developer Guide.ÿThe replica must be in a different Amazon Web Services Region than its
 primary key and other replicas of that primary key, but in the same
 Amazon Web Services partition. KMS must be available in the replica
 Region. If the Region is not enabled by default, the Amazon Web Services
 account must be enabled in the Region. For information about Amazon Web
 Services partitions, see
 Ê https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.htmlAmazon Resource Names (ARNs)	
 in the %Amazon Web Services General Reference>. For information about
 enabling and disabling Regions, see
 Ó https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enableEnabling a Region
 and
 Ô https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disableDisabling a Region	
 in the %Amazon Web Services General Reference.­ amazonka-kmsCreate a value of  ¥" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: §,  ®Í  - A flag to indicate whether to bypass the key policy lockout safety
 check.…Setting this value to true increases the risk that the KMS key becomes
 unmanageable. Do not set this value to true indiscriminately.4For more information, refer to the scenario in the
 ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
 section in the &Key Management Service Developer Guide.ö Use this parameter only when you intend to prevent the principal that is
 making the request from making a subsequent PutKeyPolicy request on
 the KMS key.The default value is false. ¥,  ¯Ø  - A description of the KMS key. The default value is an empty string (no
 description).ÝThe description is not a shared property of multi-Region keys. You can
 specify the same description or a different description for each key in
 a set of related multi-Region keys. KMS does not synchronize this
 property. ©,  °ÿ  - The key policy to attach to the KMS key. This parameter is optional. If
 you do not provide a key policy, KMS attaches the
 Ú https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-defaultdefault key policy
 to the KMS key.ÚThe key policy is not a shared property of multi-Region keys. You can
 specify the same key policy or a different key policy for each key in a
 set of related multi-Region keys. KMS does not synchronize this
 property.Á If you provide a key policy, it must meet the following criteria:If you don't set BypassPolicyLockoutSafetyCheck3 to true, the key
     policy must give the caller kms:PutKeyPolicyŸ permission on the
     replica key. This reduces the risk that the KMS key becomes
     unmanageable. For more information, refer to the scenario in the
     ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
     section of the /&Key Management Service Developer Guide/ .¶Each statement in the key policy must contain one or more
     principals. The principals in the key policy must exist and be
     visible to KMS. When you create a new Amazon Web Services principal
     (for example, an IAM user or role), you might need to enforce a
     delay before including the new principal in a key policy because the
     new principal might not be immediately visible to KMS. For more
     information, see
     ô https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency6Changes that I make are not always immediately visible
     in the /)Identity and Access Management User Guide/ .À A key policy document can include only the following characters:5Printable ASCII characters from the space character (\u00204)
     through the end of the ASCII character range.Û Printable characters in the Basic Latin and Latin-1 Supplement
     character set (through \u00FF).	The tab (\u0009), line feed (\u000A), and carriage return
     (\u000D) special characters)For information about key policies, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.htmlKey policies in KMS	
 in the &Key Management Service Developer GuideÄ . For help writing and
 formatting a JSON policy document, see the
 È https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.htmlIAM JSON Policy Reference

 in the /)Identity and Access Management User Guide/ . ª,  ±¦ - Assigns one or more tags to the replica key. Use this parameter to tag
 the KMS key when it is created. To tag an existing KMS key, use the
 TagResource operation.ß Tagging or untagging a KMS key can allow or deny permission to the KMS
 key. For details, see
 ?https://docs.aws.amazon.com/kms/latest/developerguide/abac.htmlABAC for KMS	
 in the &Key Management Service Developer Guide.&To use this parameter, you must have
 Ø https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.htmlkms:TagResource
 permission in an IAM policy.ÂTags are not a shared property of multi-Region keys. You can specify the
 same tags or different tags for each key in a set of related
 multi-Region keys. KMS does not synchronize this property.ÕEach tag consists of a tag key and a tag value. Both the tag key and the
 tag value are required, but the tag value can be an empty (null) string.
 You cannot have more than one tag on a KMS key with the same tag key. If
 you specify an existing tag key with a different tag value, KMS replaces
 the current tag value with the specified one.áWhen you add tags to an Amazon Web Services resource, Amazon Web
 Services generates a cost allocation report with usage and costs
 aggregated by tags. Tags can also be used to control access to a KMS
 key. For details, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.htmlTagging Keys. ¥,  ²½ - Identifies the multi-Region primary key that is being replicated. To
 determine whether a KMS key is a multi-Region primary key, use the
 DescribeKey operation to check the value of the MultiRegionKeyType
 property.<Specify the key ID or key ARN of a multi-Region primary key.For example:Key ID: $mrk-1234abcd12ab34cd56ef1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. ¬,  ³È  - The Region ID of the Amazon Web Services Region for this replica key.Enter the Region ID, such as 	us-east-1 or ap-southeast-2Í . For a list
 of Amazon Web Services Regions in which KMS is supported, see
 Á https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_regionKMS service endpoints	
 in the %Amazon Web Services General Reference.¹HMAC KMS keys are not supported in all Amazon Web Services Regions. If
 you try to replicate an HMAC KMS key in an Amazon Web Services Region in
 which HMAC keys are not supported, the ReplicateKey operation returns
 an UnsupportedOperationExceptionÄ . For a list of Regions in which HMAC
 KMS keys are supported, see
 ?https://docs.aws.amazon.com/kms/latest/developerguide/hmac.htmlHMAC keys in KMS	
 in the &Key Management Service Developer Guide.ÿThe replica must be in a different Amazon Web Services Region than its
 primary key and other replicas of that primary key, but in the same
 Amazon Web Services partition. KMS must be available in the replica
 Region. If the Region is not enabled by default, the Amazon Web Services
 account must be enabled in the Region. For information about Amazon Web
 Services partitions, see
 Ê https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.htmlAmazon Resource Names (ARNs)	
 in the %Amazon Web Services General Reference>. For information about
 enabling and disabling Regions, see
 Ó https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enableEnabling a Region
 and
 Ô https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disableDisabling a Region	
 in the %Amazon Web Services General Reference.® amazonka-kmsÊ A flag to indicate whether to bypass the key policy lockout safety
 check.…Setting this value to true increases the risk that the KMS key becomes
 unmanageable. Do not set this value to true indiscriminately.4For more information, refer to the scenario in the
 ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
 section in the &Key Management Service Developer Guide.ö Use this parameter only when you intend to prevent the principal that is
 making the request from making a subsequent PutKeyPolicy request on
 the KMS key.The default value is false.¯ amazonka-kmsÕ A description of the KMS key. The default value is an empty string (no
 description).ÝThe description is not a shared property of multi-Region keys. You can
 specify the same description or a different description for each key in
 a set of related multi-Region keys. KMS does not synchronize this
 property.° amazonka-kmsü The key policy to attach to the KMS key. This parameter is optional. If
 you do not provide a key policy, KMS attaches the
 Ú https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-defaultdefault key policy
 to the KMS key.ÚThe key policy is not a shared property of multi-Region keys. You can
 specify the same key policy or a different key policy for each key in a
 set of related multi-Region keys. KMS does not synchronize this
 property.Á If you provide a key policy, it must meet the following criteria:If you don't set BypassPolicyLockoutSafetyCheck3 to true, the key
     policy must give the caller kms:PutKeyPolicyŸ permission on the
     replica key. This reduces the risk that the KMS key becomes
     unmanageable. For more information, refer to the scenario in the
     ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
     section of the /&Key Management Service Developer Guide/ .¶Each statement in the key policy must contain one or more
     principals. The principals in the key policy must exist and be
     visible to KMS. When you create a new Amazon Web Services principal
     (for example, an IAM user or role), you might need to enforce a
     delay before including the new principal in a key policy because the
     new principal might not be immediately visible to KMS. For more
     information, see
     ô https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency6Changes that I make are not always immediately visible
     in the /)Identity and Access Management User Guide/ .À A key policy document can include only the following characters:5Printable ASCII characters from the space character (\u00204)
     through the end of the ASCII character range.Û Printable characters in the Basic Latin and Latin-1 Supplement
     character set (through \u00FF).	The tab (\u0009), line feed (\u000A), and carriage return
     (\u000D) special characters)For information about key policies, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.htmlKey policies in KMS	
 in the &Key Management Service Developer GuideÄ . For help writing and
 formatting a JSON policy document, see the
 È https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.htmlIAM JSON Policy Reference

 in the /)Identity and Access Management User Guide/ .± amazonka-kms£Assigns one or more tags to the replica key. Use this parameter to tag
 the KMS key when it is created. To tag an existing KMS key, use the
 TagResource operation.ß Tagging or untagging a KMS key can allow or deny permission to the KMS
 key. For details, see
 ?https://docs.aws.amazon.com/kms/latest/developerguide/abac.htmlABAC for KMS	
 in the &Key Management Service Developer Guide.&To use this parameter, you must have
 Ø https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.htmlkms:TagResource
 permission in an IAM policy.ÂTags are not a shared property of multi-Region keys. You can specify the
 same tags or different tags for each key in a set of related
 multi-Region keys. KMS does not synchronize this property.ÕEach tag consists of a tag key and a tag value. Both the tag key and the
 tag value are required, but the tag value can be an empty (null) string.
 You cannot have more than one tag on a KMS key with the same tag key. If
 you specify an existing tag key with a different tag value, KMS replaces
 the current tag value with the specified one.áWhen you add tags to an Amazon Web Services resource, Amazon Web
 Services generates a cost allocation report with usage and costs
 aggregated by tags. Tags can also be used to control access to a KMS
 key. For details, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.htmlTagging Keys.² amazonka-kmsºIdentifies the multi-Region primary key that is being replicated. To
 determine whether a KMS key is a multi-Region primary key, use the
 DescribeKey operation to check the value of the MultiRegionKeyType
 property.<Specify the key ID or key ARN of a multi-Region primary key.For example:Key ID: $mrk-1234abcd12ab34cd56ef1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.³ amazonka-kmsÅ The Region ID of the Amazon Web Services Region for this replica key.Enter the Region ID, such as 	us-east-1 or ap-southeast-2Í . For a list
 of Amazon Web Services Regions in which KMS is supported, see
 Á https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_regionKMS service endpoints	
 in the %Amazon Web Services General Reference.¹HMAC KMS keys are not supported in all Amazon Web Services Regions. If
 you try to replicate an HMAC KMS key in an Amazon Web Services Region in
 which HMAC keys are not supported, the ReplicateKey operation returns
 an UnsupportedOperationExceptionÄ . For a list of Regions in which HMAC
 KMS keys are supported, see
 ?https://docs.aws.amazon.com/kms/latest/developerguide/hmac.htmlHMAC keys in KMS	
 in the &Key Management Service Developer Guide.ÿThe replica must be in a different Amazon Web Services Region than its
 primary key and other replicas of that primary key, but in the same
 Amazon Web Services partition. KMS must be available in the replica
 Region. If the Region is not enabled by default, the Amazon Web Services
 account must be enabled in the Region. For information about Amazon Web
 Services partitions, see
 Ê https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.htmlAmazon Resource Names (ARNs)	
 in the %Amazon Web Services General Reference>. For information about
 enabling and disabling Regions, see
 Ó https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enableEnabling a Region
 and
 Ô https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disableDisabling a Region	
 in the %Amazon Web Services General Reference.´ amazonka-kmsCreate a value of  Ÿ" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¡,  µÕ  - Displays details about the new replica key, including its Amazon
 Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN)
 and
 Ä https://docs.aws.amazon.com/kms/latest/developerguide/key-state.htmlKey states of KMS keysæ .
 It also includes the ARN and Amazon Web Services Region of its primary
 key and other replica keys. ¢,  ¶Ý  - The key policy of the new replica key. The value is a key policy
 document in JSON format. £,  ·Ø  - The tags on the new replica key. The value is a list of tag key and tag
 value pairs. ¤,  ¸# - The response's http status code.µ amazonka-kmsÒ Displays details about the new replica key, including its Amazon
 Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN)
 and
 Ä https://docs.aws.amazon.com/kms/latest/developerguide/key-state.htmlKey states of KMS keysæ .
 It also includes the ARN and Amazon Web Services Region of its primary
 key and other replica keys.¶ amazonka-kmsÚ The key policy of the new replica key. The value is a key policy
 document in JSON format.· amazonka-kmsÕ The tags on the new replica key. The value is a list of tag key and tag
 value pairs.¸ amazonka-kms The response's http status code.­  amazonka-kms ¥ amazonka-kms ¬´  amazonka-kms ¤Ÿ ¤¡¢£¥¦¨ª«§©¬­®¯°±²³´µ¶·¸¥¦¨ª«§©¬­®¯°±²³Ÿ ¤¡¢£´µ¶·¸    *  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  òB É amazonka-kmsSee:  ä smart constructor.Ë amazonka-kms“The reencrypted data. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.Ì amazonka-kms=The encryption algorithm that was used to reencrypt the data.Í amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN6)
 of the KMS key that was used to reencrypt the data.Î amazonka-kmsÜ The encryption algorithm that was used to decrypt the ciphertext before
 it was reencrypted.Ï amazonka-kmsÅ Unique identifier of the KMS key used to originally encrypt the data.Ð amazonka-kms The response's http status code.Ñ amazonka-kmsSee:  Û smart constructor.Ó amazonka-kmsù Specifies the encryption algorithm that KMS will use to reecrypt the
 data after it has decrypted it. The default value, SYMMETRIC_DEFAULTÏ ,
 represents the encryption algorithm used for symmetric encryption KMS
 keys.× This parameter is required only when the destination KMS key is an
 asymmetric KMS key.Ô amazonka-kmsÈ Specifies that encryption context to use when the reencrypting the data.ÍA destination encryption context is valid only when the destination KMS
 key is a symmetric encryption KMS key. The standard ciphertext format
 for asymmetric KMS keys does not include fields for metadata.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.Õ amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.Ö amazonka-kmsþ Specifies the encryption algorithm that KMS will use to decrypt the
 ciphertext before it is reencrypted. The default value,
 SYMMETRIC_DEFAULTÃ , represents the algorithm used for symmetric
 encryption KMS keys.…Specify the same algorithm that was used to encrypt the ciphertext. If
 you specify a different algorithm, the decrypt attempt fails.ß This parameter is required only when the ciphertext was encrypted under
 an asymmetric KMS key.× amazonka-kmsŽSpecifies the encryption context to use to decrypt the ciphertext. Enter
 the same encryption context that was used to encrypt the ciphertext.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.Ø amazonka-kmsÝ Specifies the KMS key that KMS will use to decrypt the ciphertext before
 it is re-encrypted.ñ Enter a key ID of the KMS key that was used to encrypt the ciphertext.
 If you identify a different KMS key, the 	ReEncrypt operation throws an
 IncorrectKeyException.ÙThis parameter is required only when the ciphertext was encrypted under
 an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS
 can get the KMS key from metadata that it adds to the symmetric
 ciphertext blob. However, it is always recommended as a best practice.
 This practice ensures that you use the KMS key that you intend.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.Ù amazonka-kms$Ciphertext of the data to reencrypt.Ú amazonka-kms‘A unique identifier for the KMS key that is used to reencrypt the data.
 Specify a symmetric encryption KMS key or an asymmetric KMS key with a
 KeyUsage
 value of ENCRYPT_DECRYPT. To find the KeyUsage4 value of a
 KMS key, use the DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.Û amazonka-kmsCreate a value of  Ñ" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Ñ,  Üü  - Specifies the encryption algorithm that KMS will use to reecrypt the
 data after it has decrypted it. The default value, SYMMETRIC_DEFAULTÏ ,
 represents the encryption algorithm used for symmetric encryption KMS
 keys.× This parameter is required only when the destination KMS key is an
 asymmetric KMS key. Ô,  ÝË  - Specifies that encryption context to use when the reencrypting the data.ÍA destination encryption context is valid only when the destination KMS
 key is a symmetric encryption KMS key. The standard ciphertext format
 for asymmetric KMS keys does not include fields for metadata.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide. Õ,  Þ - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. Ñ,  ß - Specifies the encryption algorithm that KMS will use to decrypt the
 ciphertext before it is reencrypted. The default value,
 SYMMETRIC_DEFAULTÃ , represents the algorithm used for symmetric
 encryption KMS keys.…Specify the same algorithm that was used to encrypt the ciphertext. If
 you specify a different algorithm, the decrypt attempt fails.ß This parameter is required only when the ciphertext was encrypted under
 an asymmetric KMS key. ×,  à‘ - Specifies the encryption context to use to decrypt the ciphertext. Enter
 the same encryption context that was used to encrypt the ciphertext.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide. Ñ,  áà  - Specifies the KMS key that KMS will use to decrypt the ciphertext before
 it is re-encrypted.ñ Enter a key ID of the KMS key that was used to encrypt the ciphertext.
 If you identify a different KMS key, the 	ReEncrypt operation throws an
 IncorrectKeyException.ÙThis parameter is required only when the ciphertext was encrypted under
 an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS
 can get the KMS key from metadata that it adds to the symmetric
 ciphertext blob. However, it is always recommended as a best practice.
 This practice ensures that you use the KMS key that you intend.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases. Ñ,  â. - Ciphertext of the data to reencrypt.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. Ú,  ã” - A unique identifier for the KMS key that is used to reencrypt the data.
 Specify a symmetric encryption KMS key or an asymmetric KMS key with a
 KeyUsage
 value of ENCRYPT_DECRYPT. To find the KeyUsage4 value of a
 KMS key, use the DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.Ü amazonka-kmsù Specifies the encryption algorithm that KMS will use to reecrypt the
 data after it has decrypted it. The default value, SYMMETRIC_DEFAULTÏ ,
 represents the encryption algorithm used for symmetric encryption KMS
 keys.× This parameter is required only when the destination KMS key is an
 asymmetric KMS key.Ý amazonka-kmsÈ Specifies that encryption context to use when the reencrypting the data.ÍA destination encryption context is valid only when the destination KMS
 key is a symmetric encryption KMS key. The standard ciphertext format
 for asymmetric KMS keys does not include fields for metadata.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.Þ amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.ß amazonka-kmsþ Specifies the encryption algorithm that KMS will use to decrypt the
 ciphertext before it is reencrypted. The default value,
 SYMMETRIC_DEFAULTÃ , represents the algorithm used for symmetric
 encryption KMS keys.…Specify the same algorithm that was used to encrypt the ciphertext. If
 you specify a different algorithm, the decrypt attempt fails.ß This parameter is required only when the ciphertext was encrypted under
 an asymmetric KMS key.à amazonka-kmsŽSpecifies the encryption context to use to decrypt the ciphertext. Enter
 the same encryption context that was used to encrypt the ciphertext.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.á amazonka-kmsÝ Specifies the KMS key that KMS will use to decrypt the ciphertext before
 it is re-encrypted.ñ Enter a key ID of the KMS key that was used to encrypt the ciphertext.
 If you identify a different KMS key, the 	ReEncrypt operation throws an
 IncorrectKeyException.ÙThis parameter is required only when the ciphertext was encrypted under
 an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS
 can get the KMS key from metadata that it adds to the symmetric
 ciphertext blob. However, it is always recommended as a best practice.
 This practice ensures that you use the KMS key that you intend.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.â amazonka-kms+Ciphertext of the data to reencrypt.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.ã amazonka-kms‘A unique identifier for the KMS key that is used to reencrypt the data.
 Specify a symmetric encryption KMS key or an asymmetric KMS key with a
 KeyUsage
 value of ENCRYPT_DECRYPT. To find the KeyUsage4 value of a
 KMS key, use the DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.ä amazonka-kmsCreate a value of  É" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Ñ,  å - The reencrypted data. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. Ñ,  æÀ  - The encryption algorithm that was used to reencrypt the data. É,  ç - The Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN6)
 of the KMS key that was used to reencrypt the data. Ñ,  èß  - The encryption algorithm that was used to decrypt the ciphertext before
 it was reencrypted. Ñ,  éÈ  - Unique identifier of the KMS key used to originally encrypt the data. Ð,  ê# - The response's http status code.å amazonka-kmsšThe reencrypted data. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.æ amazonka-kms=The encryption algorithm that was used to reencrypt the data.ç amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN6)
 of the KMS key that was used to reencrypt the data.è amazonka-kmsÜ The encryption algorithm that was used to decrypt the ciphertext before
 it was reencrypted.é amazonka-kmsÅ Unique identifier of the KMS key used to originally encrypt the data.ê amazonka-kms The response's http status code.Û  amazonka-kms Ñ amazonka-kms Úä  amazonka-kms Ð"ÉÊÍÐÌÎÏËÑÒÕÓÔÖ×ØÙÚÛÜÝÞßàáâãäåæçèéê"ÑÒÕÓÔÖ×ØÙÚÛÜÝÞßàáâãÉÊÍÐÌÎÏËäåæçèéê    +  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ   û amazonka-kmsSee:  ˆ	 smart constructor.ý amazonka-kmsSee:  ƒ	 smart constructor.ÿ amazonka-kmsÊ A flag to indicate whether to bypass the key policy lockout safety
 check.…Setting this value to true increases the risk that the KMS key becomes
 unmanageable. Do not set this value to true indiscriminately.4For more information, refer to the scenario in the
 ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
 section in the &Key Management Service Developer Guide.ö Use this parameter only when you intend to prevent the principal that is
 making the request from making a subsequent PutKeyPolicy request on
 the KMS key.The default value is false.€	 amazonka-kms-Sets the key policy on the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.	 amazonka-kms4The name of the key policy. The only valid value is default.‚	 amazonka-kms(The key policy to attach to the KMS key.0The key policy must meet the following criteria:If you don't set BypassPolicyLockoutSafetyCheckÊ  to true, the key
     policy must allow the principal that is making the PutKeyPolicy#
     request to make a subsequent PutKeyPolicy˜ request on the KMS key.
     This reduces the risk that the KMS key becomes unmanageable. For
     more information, refer to the scenario in the
     ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
     section of the &Key Management Service Developer Guide.¶Each statement in the key policy must contain one or more
     principals. The principals in the key policy must exist and be
     visible to KMS. When you create a new Amazon Web Services principal
     (for example, an IAM user or role), you might need to enforce a
     delay before including the new principal in a key policy because the
     new principal might not be immediately visible to KMS. For more
     information, see
     ô https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency6Changes that I make are not always immediately visibleÒ 
     in the /Amazon Web Services Identity and Access Management User
     Guide/.À A key policy document can include only the following characters:5Printable ASCII characters from the space character (\u00204)
     through the end of the ASCII character range.Û Printable characters in the Basic Latin and Latin-1 Supplement
     character set (through \u00FF).	The tab (\u0009), line feed (\u000A), and carriage return
     (\u000D) special characters)For information about key policies, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.htmlKey policies in KMS	
 in the &Key Management Service Developer GuideÃ .For help writing and
 formatting a JSON policy document, see the
 È https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.htmlIAM JSON Policy Reference

 in the /)Identity and Access Management User Guide/ .ƒ	 amazonka-kmsCreate a value of  ý" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ÿ,  „	Í  - A flag to indicate whether to bypass the key policy lockout safety
 check.…Setting this value to true increases the risk that the KMS key becomes
 unmanageable. Do not set this value to true indiscriminately.4For more information, refer to the scenario in the
 ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
 section in the &Key Management Service Developer Guide.ö Use this parameter only when you intend to prevent the principal that is
 making the request from making a subsequent PutKeyPolicy request on
 the KMS key.The default value is false. ý,  …	0 - Sets the key policy on the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. 	,  †	7 - The name of the key policy. The only valid value is default. ‚	,  ‡	+ - The key policy to attach to the KMS key.0The key policy must meet the following criteria:If you don't set BypassPolicyLockoutSafetyCheckÊ  to true, the key
     policy must allow the principal that is making the PutKeyPolicy#
     request to make a subsequent PutKeyPolicy˜ request on the KMS key.
     This reduces the risk that the KMS key becomes unmanageable. For
     more information, refer to the scenario in the
     ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
     section of the &Key Management Service Developer Guide.¶Each statement in the key policy must contain one or more
     principals. The principals in the key policy must exist and be
     visible to KMS. When you create a new Amazon Web Services principal
     (for example, an IAM user or role), you might need to enforce a
     delay before including the new principal in a key policy because the
     new principal might not be immediately visible to KMS. For more
     information, see
     ô https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency6Changes that I make are not always immediately visibleÒ 
     in the /Amazon Web Services Identity and Access Management User
     Guide/.À A key policy document can include only the following characters:5Printable ASCII characters from the space character (\u00204)
     through the end of the ASCII character range.Û Printable characters in the Basic Latin and Latin-1 Supplement
     character set (through \u00FF).	The tab (\u0009), line feed (\u000A), and carriage return
     (\u000D) special characters)For information about key policies, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.htmlKey policies in KMS	
 in the &Key Management Service Developer GuideÃ .For help writing and
 formatting a JSON policy document, see the
 È https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.htmlIAM JSON Policy Reference

 in the /)Identity and Access Management User Guide/ .„	 amazonka-kmsÊ A flag to indicate whether to bypass the key policy lockout safety
 check.…Setting this value to true increases the risk that the KMS key becomes
 unmanageable. Do not set this value to true indiscriminately.4For more information, refer to the scenario in the
 ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
 section in the &Key Management Service Developer Guide.ö Use this parameter only when you intend to prevent the principal that is
 making the request from making a subsequent PutKeyPolicy request on
 the KMS key.The default value is false.…	 amazonka-kms-Sets the key policy on the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.†	 amazonka-kms4The name of the key policy. The only valid value is default.‡	 amazonka-kms(The key policy to attach to the KMS key.0The key policy must meet the following criteria:If you don't set BypassPolicyLockoutSafetyCheckÊ  to true, the key
     policy must allow the principal that is making the PutKeyPolicy#
     request to make a subsequent PutKeyPolicy˜ request on the KMS key.
     This reduces the risk that the KMS key becomes unmanageable. For
     more information, refer to the scenario in the
     ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
     section of the &Key Management Service Developer Guide.¶Each statement in the key policy must contain one or more
     principals. The principals in the key policy must exist and be
     visible to KMS. When you create a new Amazon Web Services principal
     (for example, an IAM user or role), you might need to enforce a
     delay before including the new principal in a key policy because the
     new principal might not be immediately visible to KMS. For more
     information, see
     ô https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency6Changes that I make are not always immediately visibleÒ 
     in the /Amazon Web Services Identity and Access Management User
     Guide/.À A key policy document can include only the following characters:5Printable ASCII characters from the space character (\u00204)
     through the end of the ASCII character range.Û Printable characters in the Basic Latin and Latin-1 Supplement
     character set (through \u00FF).	The tab (\u0009), line feed (\u000A), and carriage return
     (\u000D) special characters)For information about key policies, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.htmlKey policies in KMS	
 in the &Key Management Service Developer GuideÃ .For help writing and
 formatting a JSON policy document, see the
 È https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.htmlIAM JSON Policy Reference

 in the /)Identity and Access Management User Guide/ .ˆ	 amazonka-kmsCreate a value of  û" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ƒ	  amazonka-kms ý amazonka-kms 	 amazonka-kms ‚	ûüýþ€	ÿ‚		ƒ	„	…	†	‡	ˆ	ýþ€	ÿ‚		ƒ	„	…	†	‡	ûüˆ	    ,  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  0.™	 amazonka-kmsSee:  ž	 smart constructor.›	 amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.‹This value is optional. If you include a value, it must be between 1 and
 100, inclusive. If you do not include a value, it defaults to 50.œ	 amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.	 amazonka-kmsè The retiring principal for which to list grants. Enter a principal in
 your Amazon Web Services account.,To specify the retiring principal, use the
 Ê https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.htmlAmazon Resource Name (ARN)ð
 of an Amazon Web Services principal. Valid Amazon Web Services
 principals include Amazon Web Services accounts (root), IAM users,
 federated users, and assumed role users. For examples of the ARN syntax
 for specifying a principal, see
 Ù https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam8Amazon Web Services Identity and Access Management (IAM)Î 
 in the Example ARNs section of the /Amazon Web Services General
 Reference/.ž	 amazonka-kmsCreate a value of  ™	" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ›	,  Ÿ	½ - Use this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.‹This value is optional. If you include a value, it must be between 1 and
 100, inclusive. If you do not include a value, it defaults to 50. œ	,   	û  - Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received. ™	,  ¡	ë  - The retiring principal for which to list grants. Enter a principal in
 your Amazon Web Services account.,To specify the retiring principal, use the
 Ê https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.htmlAmazon Resource Name (ARN)ð
 of an Amazon Web Services principal. Valid Amazon Web Services
 principals include Amazon Web Services accounts (root), IAM users,
 federated users, and assumed role users. For examples of the ARN syntax
 for specifying a principal, see
 Ù https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam8Amazon Web Services Identity and Access Management (IAM)Î 
 in the Example ARNs section of the /Amazon Web Services General
 Reference/.Ÿ	 amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.‹This value is optional. If you include a value, it must be between 1 and
 100, inclusive. If you do not include a value, it defaults to 50. 	 amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.¡	 amazonka-kmsè The retiring principal for which to list grants. Enter a principal in
 your Amazon Web Services account.,To specify the retiring principal, use the
 Ê https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.htmlAmazon Resource Name (ARN)ð
 of an Amazon Web Services principal. Valid Amazon Web Services
 principals include Amazon Web Services accounts (root), IAM users,
 federated users, and assumed role users. For examples of the ARN syntax
 for specifying a principal, see
 Ù https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam8Amazon Web Services Identity and Access Management (IAM)Î 
 in the Example ARNs section of the /Amazon Web Services General
 Reference/.ž	  amazonka-kms ™	äåèæçéêëì™	š		›	œ	ž	Ÿ	 	¡	™	š		›	œ	ž	Ÿ	 	¡	äåèæçéêëì    -  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  K7®	 amazonka-kmsSee:  ½	 smart constructor.°	 amazonka-kmsWhen 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request.7Do not assume or infer any information from this value.±	 amazonka-kms?A list of tags. Each tag consists of a tag key and a tag value.ß Tagging or untagging a KMS key can allow or deny permission to the KMS
 key. For details, see
 ?https://docs.aws.amazon.com/kms/latest/developerguide/abac.htmlABAC for KMS	
 in the &Key Management Service Developer Guide.²	 amazonka-kms¬A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request.³	 amazonka-kms The response's http status code.´	 amazonka-kmsSee:  ¹	 smart constructor.¶	 amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.ŠThis value is optional. If you include a value, it must be between 1 and
 50, inclusive. If you do not include a value, it defaults to 50.·	 amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.?Do not attempt to construct this value. Use only the value of
 
NextMarker/ from the truncated response you just received.¸	 amazonka-kms#Gets tags on the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.¹	 amazonka-kmsCreate a value of  ´	" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¶	,  º	½ - Use this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.ŠThis value is optional. If you include a value, it must be between 1 and
 50, inclusive. If you do not include a value, it defaults to 50. ·	,  »	û  - Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.?Do not attempt to construct this value. Use only the value of
 
NextMarker/ from the truncated response you just received. ´	,  ¼	& - Gets tags on the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.º	 amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.ŠThis value is optional. If you include a value, it must be between 1 and
 50, inclusive. If you do not include a value, it defaults to 50.»	 amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.?Do not attempt to construct this value. Use only the value of
 
NextMarker/ from the truncated response you just received.¼	 amazonka-kms#Gets tags on the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.½	 amazonka-kmsCreate a value of  ®	" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ®	,  ¾	 - When 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request.7Do not assume or infer any information from this value. ±	,  ¿	Â  - A list of tags. Each tag consists of a tag key and a tag value.ß Tagging or untagging a KMS key can allow or deny permission to the KMS
 key. For details, see
 ?https://docs.aws.amazon.com/kms/latest/developerguide/abac.htmlABAC for KMS	
 in the &Key Management Service Developer Guide. ®	,  À	¯ - A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request. ³	,  Á	# - The response's http status code.¾	 amazonka-kmsWhen 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request.7Do not assume or infer any information from this value.¿	 amazonka-kms?A list of tags. Each tag consists of a tag key and a tag value.ß Tagging or untagging a KMS key can allow or deny permission to the KMS
 key. For details, see
 ?https://docs.aws.amazon.com/kms/latest/developerguide/abac.htmlABAC for KMS	
 in the &Key Management Service Developer Guide.À	 amazonka-kms¬A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request.Á	 amazonka-kms The response's http status code.¹	  amazonka-kms ´	½	  amazonka-kms ³	®	¯	²	±	°	³	´	µ	¸	¶	·	¹	º	»	¼	½	¾	¿	À	Á	´	µ	¸	¶	·	¹	º	»	¼	®	¯	²	±	°	³	½	¾	¿	À	Á	    .  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  \‘Ó	 amazonka-kmsSee:  à	 smart constructor.Õ	 amazonka-kmsA list of KMS keys.Ö	 amazonka-kmsWhen 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request.×	 amazonka-kms¬A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request.Ø	 amazonka-kms The response's http status code.Ù	 amazonka-kmsSee:  Ý	 smart constructor.Û	 amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.This value is optional. If you include a value, it must be between 1 and
 1000, inclusive. If you do not include a value, it defaults to 100.Ü	 amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.Ý	 amazonka-kmsCreate a value of  Ù	" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Û	,  Þ	½ - Use this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.This value is optional. If you include a value, it must be between 1 and
 1000, inclusive. If you do not include a value, it defaults to 100. Ü	,  ß	û  - Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.Þ	 amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.This value is optional. If you include a value, it must be between 1 and
 1000, inclusive. If you do not include a value, it defaults to 100.ß	 amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.à	 amazonka-kmsCreate a value of  Ó	" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Õ	,  á	 - A list of KMS keys. Ó	,  â	 - When 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request. Ó	,  ã	¯ - A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request. Ø	,  ä	# - The response's http status code.á	 amazonka-kmsA list of KMS keys.â	 amazonka-kmsWhen 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request.ã	 amazonka-kms¬A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request.ä	 amazonka-kms The response's http status code.à	  amazonka-kms Ø	Ó	Ô	Õ	×	Ö	Ø	Ù	Ú	Û	Ü	Ý	Þ	ß	à	á	â	ã	ä	Ù	Ú	Û	Ü	Ý	Þ	ß	Ó	Ô	Õ	×	Ö	Ø	à	á	â	ã	ä	    /  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  spö	 amazonka-kmsSee:  …
 smart constructor.ø	 amazonka-kmsWhen 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request.ù	 amazonka-kms4A list of key policy names. The only valid value is default.ú	 amazonka-kms¬A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request.û	 amazonka-kms The response's http status code.ü	 amazonka-kmsSee:  
 smart constructor.þ	 amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.This value is optional. If you include a value, it must be between 1 and
 1000, inclusive. If you do not include a value, it defaults to 100.)Only one policy can be attached to a key.ÿ	 amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.€
 amazonka-kms9Gets the names of key policies for the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.
 amazonka-kmsCreate a value of  ü	" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: þ	,  ‚
½ - Use this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.This value is optional. If you include a value, it must be between 1 and
 1000, inclusive. If you do not include a value, it defaults to 100.)Only one policy can be attached to a key. ÿ	,  ƒ
û  - Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received. ü	,  „
< - Gets the names of key policies for the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.‚
 amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.This value is optional. If you include a value, it must be between 1 and
 1000, inclusive. If you do not include a value, it defaults to 100.)Only one policy can be attached to a key.ƒ
 amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.„
 amazonka-kms9Gets the names of key policies for the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.…
 amazonka-kmsCreate a value of  ö	" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ö	,  †
 - When 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request. ù	,  ‡
7 - A list of key policy names. The only valid value is default. ö	,  ˆ
¯ - A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request. û	,  ‰
# - The response's http status code.†
 amazonka-kmsWhen 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request.‡
 amazonka-kms4A list of key policy names. The only valid value is default.ˆ
 amazonka-kms¬A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request.‰
 amazonka-kms The response's http status code.
  amazonka-kms ü	…
  amazonka-kms û	ö	÷	ú	ø	û	ù	ü	ý	€
þ	ÿ	
‚
ƒ
„
…
†
‡
ˆ
‰
ü	ý	€
þ	ÿ	
‚
ƒ
„
ö	÷	ú	ø	û	ù	…
†
‡
ˆ
‰
    0  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  …›
 amazonka-kmsSee:  ¢
 smart constructor.
 amazonka-kmsà Returns only the grant with the specified grant ID. The grant ID
 uniquely identifies the grant.ž
 amazonka-kmsÚ Returns only grants where the specified principal is the grantee
 principal for the grant.Ÿ
 amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.‹This value is optional. If you include a value, it must be between 1 and
 100, inclusive. If you do not include a value, it defaults to 50. 
 amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.¡
 amazonka-kmsË Returns only grants for the specified KMS key. This parameter is
 required.‰Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
 different Amazon Web Services account, you must use the key ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.¢
 amazonka-kmsCreate a value of  ›
" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ›
,  £
ã  - Returns only the grant with the specified grant ID. The grant ID
 uniquely identifies the grant. ›
,  ¤
Ý  - Returns only grants where the specified principal is the grantee
 principal for the grant. Ÿ
,  ¥
½ - Use this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.‹This value is optional. If you include a value, it must be between 1 and
 100, inclusive. If you do not include a value, it defaults to 50.  
,  ¦
û  - Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received. ›
,  §
Î  - Returns only grants for the specified KMS key. This parameter is
 required.‰Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
 different Amazon Web Services account, you must use the key ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.£
 amazonka-kmsà Returns only the grant with the specified grant ID. The grant ID
 uniquely identifies the grant.¤
 amazonka-kmsÚ Returns only grants where the specified principal is the grantee
 principal for the grant.¥
 amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.‹This value is optional. If you include a value, it must be between 1 and
 100, inclusive. If you do not include a value, it defaults to 50.¦
 amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.§
 amazonka-kmsË Returns only grants for the specified KMS key. This parameter is
 required.‰Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
 different Amazon Web Services account, you must use the key ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.¢
  amazonka-kms ›
äåèæçéêëì›
œ

ž
¡
Ÿ
 
¢
£
¤
¥
¦
§
›
œ

ž
¡
Ÿ
 
¢
£
¤
¥
¦
§
äåèæçéêëì    1  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  œÝ´
 amazonka-kmsSee:  Ã
 smart constructor.¶
 amazonka-kmsA list of aliases.·
 amazonka-kmsWhen 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request.¸
 amazonka-kms¬A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request.¹
 amazonka-kms The response's http status code.º
 amazonka-kmsSee:  ¿
 smart constructor.¼
 amazonka-kmsø Lists only aliases that are associated with the specified KMS key. Enter
 a KMS key in your Amazon Web Services account.,This parameter is optional. If you omit it, ListAliases0 returns all
 aliases in the account and Region.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.½
 amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.‹This value is optional. If you include a value, it must be between 1 and
 100, inclusive. If you do not include a value, it defaults to 50.¾
 amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.¿
 amazonka-kmsCreate a value of  º
" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: º
,  À
û  - Lists only aliases that are associated with the specified KMS key. Enter
 a KMS key in your Amazon Web Services account.,This parameter is optional. If you omit it, ListAliases0 returns all
 aliases in the account and Region.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. ½
,  Á
½ - Use this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.‹This value is optional. If you include a value, it must be between 1 and
 100, inclusive. If you do not include a value, it defaults to 50. ¾
,  Â
û  - Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.À
 amazonka-kmsø Lists only aliases that are associated with the specified KMS key. Enter
 a KMS key in your Amazon Web Services account.,This parameter is optional. If you omit it, ListAliases0 returns all
 aliases in the account and Region.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Á
 amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.‹This value is optional. If you include a value, it must be between 1 and
 100, inclusive. If you do not include a value, it defaults to 50.Â
 amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.Ã
 amazonka-kmsCreate a value of  ´
" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¶
,  Ä
 - A list of aliases. ´
,  Å
 - When 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request. ´
,  Æ
¯ - A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request. ¹
,  Ç
# - The response's http status code.Ä
 amazonka-kmsA list of aliases.Å
 amazonka-kmsWhen 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request.Æ
 amazonka-kms¬A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request.Ç
 amazonka-kms The response's http status code.Ã
  amazonka-kms ¹
´
µ
¸
·
¹
¶
º
»
¼
½
¾
¿
À
Á
Â
Ã
Ä
Å
Æ
Ç
º
»
¼
½
¾
¿
À
Á
Â
´
µ
¸
·
¹
¶
Ã
Ä
Å
Æ
Ç
    2  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  Å†Ù
 amazonka-kmsSee:  é
 smart constructor.Û
 amazonka-kms The response's http status code.Ü
 amazonka-kmsSee:  ã
 smart constructor.Þ
 amazonka-kms<Specifies whether the key material expires. The default is
 KEY_MATERIAL_EXPIRES.When the value of ExpirationModel is KEY_MATERIAL_EXPIRES$, you must
 specify a value for the ValidTo parameter. When value is
 KEY_MATERIAL_DOES_NOT_EXPIRE, you must omit the ValidTo parameter.You cannot change the ExpirationModel or ValidTo  values for the
 current import after the request completes. To change either value, you
 must delete (DeleteImportedKeyMaterial) and reimport the key material.ß
 amazonka-kmsì The date and time when the imported key material expires. This parameter
 is required when the value of the ExpirationModel parameter is
 KEY_MATERIAL_EXPIRES. Otherwise it is not valid.ñ The value of this parameter must be a future date and time. The maximum
 value is 365 days from the request date.ÜWhen the key material expires, KMS deletes the key material from the KMS
 key. Without its key material, the KMS key is unusable. To use the KMS
 key in cryptographic operations, you must reimport the same key
 material.You cannot change the ExpirationModel or ValidTo  values for the
 current import after the request completes. To change either value, you
 must delete (DeleteImportedKeyMaterial) and reimport the key material.à
 amazonka-kmsThe identifier of the symmetric encryption KMS key that receives the
 imported key material. This must be the same KMS key specified in the
 KeyIDÅ  parameter of the corresponding GetParametersForImport request.
 The Origin of the KMS key must be EXTERNAL­. You cannot perform this
 operation on an asymmetric KMS key, an HMAC KMS key, a KMS key in a
 custom key store, or on a KMS key in a different Amazon Web Services
 account-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.á
 amazonka-kmsÍThe import token that you received in the response to a previous
 GetParametersForImport request. It must be from the same response that
 contained the public key that you used to encrypt the key material.â
 amazonka-kmsËThe encrypted key material to import. The key material must be encrypted
 with the public wrapping key that GetParametersForImport returned, using
 the wrapping algorithm that you specified in the same
 GetParametersForImport	 request.ã
 amazonka-kmsCreate a value of  Ü
" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Ü
,  ä
? - Specifies whether the key material expires. The default is
 KEY_MATERIAL_EXPIRES.When the value of ExpirationModel is KEY_MATERIAL_EXPIRES$, you must
 specify a value for the ValidTo parameter. When value is
 KEY_MATERIAL_DOES_NOT_EXPIRE, you must omit the ValidTo parameter.You cannot change the ExpirationModel or ValidTo  values for the
 current import after the request completes. To change either value, you
 must delete (DeleteImportedKeyMaterial) and reimport the key material. Ü
,  å
ï  - The date and time when the imported key material expires. This parameter
 is required when the value of the ExpirationModel parameter is
 KEY_MATERIAL_EXPIRES. Otherwise it is not valid.ñ The value of this parameter must be a future date and time. The maximum
 value is 365 days from the request date.ÜWhen the key material expires, KMS deletes the key material from the KMS
 key. Without its key material, the KMS key is unusable. To use the KMS
 key in cryptographic operations, you must reimport the same key
 material.You cannot change the ExpirationModel or ValidTo  values for the
 current import after the request completes. To change either value, you
 must delete (DeleteImportedKeyMaterial) and reimport the key material. Ü
,  æ
 - The identifier of the symmetric encryption KMS key that receives the
 imported key material. This must be the same KMS key specified in the
 KeyIDÅ  parameter of the corresponding GetParametersForImport request.
 The Origin of the KMS key must be EXTERNAL­. You cannot perform this
 operation on an asymmetric KMS key, an HMAC KMS key, a KMS key in a
 custom key store, or on a KMS key in a different Amazon Web Services
 account-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. á
,  ç
× - The import token that you received in the response to a previous
 GetParametersForImport request. It must be from the same response that
 contained the public key that you used to encrypt the key material.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. â
,  è
Î - The encrypted key material to import. The key material must be encrypted
 with the public wrapping key that GetParametersForImport returned, using
 the wrapping algorithm that you specified in the same
 GetParametersForImport request.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.ä
 amazonka-kms<Specifies whether the key material expires. The default is
 KEY_MATERIAL_EXPIRES.When the value of ExpirationModel is KEY_MATERIAL_EXPIRES$, you must
 specify a value for the ValidTo parameter. When value is
 KEY_MATERIAL_DOES_NOT_EXPIRE, you must omit the ValidTo parameter.You cannot change the ExpirationModel or ValidTo  values for the
 current import after the request completes. To change either value, you
 must delete (DeleteImportedKeyMaterial) and reimport the key material.å
 amazonka-kmsì The date and time when the imported key material expires. This parameter
 is required when the value of the ExpirationModel parameter is
 KEY_MATERIAL_EXPIRES. Otherwise it is not valid.ñ The value of this parameter must be a future date and time. The maximum
 value is 365 days from the request date.ÜWhen the key material expires, KMS deletes the key material from the KMS
 key. Without its key material, the KMS key is unusable. To use the KMS
 key in cryptographic operations, you must reimport the same key
 material.You cannot change the ExpirationModel or ValidTo  values for the
 current import after the request completes. To change either value, you
 must delete (DeleteImportedKeyMaterial) and reimport the key material.æ
 amazonka-kmsThe identifier of the symmetric encryption KMS key that receives the
 imported key material. This must be the same KMS key specified in the
 KeyIDÅ  parameter of the corresponding GetParametersForImport request.
 The Origin of the KMS key must be EXTERNAL­. You cannot perform this
 operation on an asymmetric KMS key, an HMAC KMS key, a KMS key in a
 custom key store, or on a KMS key in a different Amazon Web Services
 account-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.ç
 amazonka-kmsÔThe import token that you received in the response to a previous
 GetParametersForImport request. It must be from the same response that
 contained the public key that you used to encrypt the key material.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.è
 amazonka-kmsËThe encrypted key material to import. The key material must be encrypted
 with the public wrapping key that GetParametersForImport returned, using
 the wrapping algorithm that you specified in the same
 GetParametersForImport request.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.é
 amazonka-kmsCreate a value of  Ù
" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Û
,  ê
# - The response's http status code.ê
 amazonka-kms The response's http status code.ã
  amazonka-kms Ü
 amazonka-kms á
 amazonka-kms â
é
  amazonka-kms Û
Ù
Ú
Û
Ü
Ý
à
Þ
ß
á
â
ã
ä
å
æ
ç
è
é
ê
Ü
Ý
à
Þ
ß
á
â
ã
ä
å
æ
ç
è
Ù
Ú
Û
é
ê
    3  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ïæû
 amazonka-kmsSee:  Œ smart constructor.ý
 amazonka-kmsInstead, use the KeySpec field in the GetPublicKey
 response.The KeySpec and CustomerMasterKeySpec< fields have the same value. We
 recommend that you use the KeySpecÓ  field in your code. However, to
 avoid breaking changes, KMS supports both fields.þ
 amazonka-kms9The encryption algorithms that KMS supports for this key.žThis information is critical. If a public key encrypts data outside of
 KMS by using an unsupported encryption algorithm, the ciphertext cannot
 be decrypted.1This field appears in the response only when the KeyUsage of the
 public key is ENCRYPT_DECRYPT.ÿ
 amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARNÆ )
 of the asymmetric KMS key from which the public key was downloaded.€ amazonka-kms6The type of the of the public key that was downloaded. amazonka-kms6The permitted use of the public key. Valid values are ENCRYPT_DECRYPT
 or SIGN_VERIFY.3This information is critical. If a public key with SIGN_VERIFYÍ  key
 usage encrypts data outside of KMS, the ciphertext cannot be decrypted.‚ amazonka-kmsThe exported public key.<The value is a DER-encoded X.509 public key, also known as
 SubjectPublicKeyInfo (SPKI), as defined in
 #https://tools.ietf.org/html/rfc5280RFC 5280ÿ . When you use the HTTP
 API or the Amazon Web Services CLI, the value is Base64-encoded.
 Otherwise, it is not Base64-encoded.ƒ amazonka-kms6The signing algorithms that KMS supports for this key.1This field appears in the response only when the KeyUsage of the
 public key is SIGN_VERIFY.„ amazonka-kms The response's http status code.… amazonka-kmsSee:  ‰ smart constructor.‡ amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.ˆ amazonka-kms?Identifies the asymmetric KMS key that includes the public key.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.‰ amazonka-kmsCreate a value of  …" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ‡,  Š - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. …,  ‹Â  - Identifies the asymmetric KMS key that includes the public key.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.Š amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.‹ amazonka-kms?Identifies the asymmetric KMS key that includes the public key.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.Œ amazonka-kmsCreate a value of  û
" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: û
,   - Instead, use the KeySpec field in the GetPublicKey
 response.The KeySpec and CustomerMasterKeySpec< fields have the same value. We
 recommend that you use the KeySpecÓ  field in your code. However, to
 avoid breaking changes, KMS supports both fields. û
,  Ž< - The encryption algorithms that KMS supports for this key.žThis information is critical. If a public key encrypts data outside of
 KMS by using an unsupported encryption algorithm, the ciphertext cannot
 be decrypted.1This field appears in the response only when the KeyUsage of the
 public key is ENCRYPT_DECRYPT. …,   - The Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARNÆ )
 of the asymmetric KMS key from which the public key was downloaded. û
,  9 - The type of the of the public key that was downloaded. û
,  ‘9 - The permitted use of the public key. Valid values are ENCRYPT_DECRYPT
 or SIGN_VERIFY.3This information is critical. If a public key with SIGN_VERIFYÍ  key
 usage encrypts data outside of KMS, the ciphertext cannot be decrypted. ‚,  ’ - The exported public key.<The value is a DER-encoded X.509 public key, also known as
 SubjectPublicKeyInfo (SPKI), as defined in
 #https://tools.ietf.org/html/rfc5280RFC 5280†. When you use the HTTP
 API or the Amazon Web Services CLI, the value is Base64-encoded.
 Otherwise, it is not Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. û
,  “9 - The signing algorithms that KMS supports for this key.1This field appears in the response only when the KeyUsage of the
 public key is SIGN_VERIFY. „,  ”# - The response's http status code. amazonka-kmsInstead, use the KeySpec field in the GetPublicKey
 response.The KeySpec and CustomerMasterKeySpec< fields have the same value. We
 recommend that you use the KeySpecÓ  field in your code. However, to
 avoid breaking changes, KMS supports both fields.Ž amazonka-kms9The encryption algorithms that KMS supports for this key.žThis information is critical. If a public key encrypts data outside of
 KMS by using an unsupported encryption algorithm, the ciphertext cannot
 be decrypted.1This field appears in the response only when the KeyUsage of the
 public key is ENCRYPT_DECRYPT. amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARNÆ )
 of the asymmetric KMS key from which the public key was downloaded. amazonka-kms6The type of the of the public key that was downloaded.‘ amazonka-kms6The permitted use of the public key. Valid values are ENCRYPT_DECRYPT
 or SIGN_VERIFY.3This information is critical. If a public key with SIGN_VERIFYÍ  key
 usage encrypts data outside of KMS, the ciphertext cannot be decrypted.’ amazonka-kmsThe exported public key.<The value is a DER-encoded X.509 public key, also known as
 SubjectPublicKeyInfo (SPKI), as defined in
 #https://tools.ietf.org/html/rfc5280RFC 5280†. When you use the HTTP
 API or the Amazon Web Services CLI, the value is Base64-encoded.
 Otherwise, it is not Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.“ amazonka-kms6The signing algorithms that KMS supports for this key.1This field appears in the response only when the KeyUsage of the
 public key is SIGN_VERIFY.” amazonka-kms The response's http status code.‰  amazonka-kms …Œ  amazonka-kms „û
ü
‚ÿ
ý
þ
€ƒ„…†ˆ‡‰Š‹ŒŽ‘’“”…†ˆ‡‰Š‹û
ü
‚ÿ
ý
þ
€ƒ„ŒŽ‘’“”    4  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ¶¥ amazonka-kmsSee:  µ smart constructor.§ amazonka-kmsÃ The import token to send in a subsequent ImportKeyMaterial request.¨ amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARNï )
 of the KMS key to use in a subsequent ImportKeyMaterial request. This is
 the same KMS key specified in the GetParametersForImport	 request.© amazonka-kms­The time at which the import token and public key are no longer valid.
 After this time, you cannot use them to make an ImportKeyMaterial
 request and you must send another GetParametersForImport request to
 get new ones.ª amazonka-kmsÞ The public key to use to encrypt the key material before importing it
 with ImportKeyMaterial.« amazonka-kms The response's http status code.¬ amazonka-kmsSee:  ± smart constructor.® amazonka-kmsá The identifier of the symmetric encryption KMS key into which you will
 import key material. The Origin of the KMS key must be EXTERNAL.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.¯ amazonka-kmsÿ The algorithm you will use to encrypt the key material before importing
 it with ImportKeyMaterial. For more information, see
 Þ https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.htmlEncrypt the Key Material	
 in the &Key Management Service Developer Guide.° amazonka-kmsî The type of wrapping key (public key) to return in the response. Only
 2048-bit RSA public keys are supported.± amazonka-kmsCreate a value of  ¬" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¬,  ²ä  - The identifier of the symmetric encryption KMS key into which you will
 import key material. The Origin of the KMS key must be EXTERNAL.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. ¯,  ³‚ - The algorithm you will use to encrypt the key material before importing
 it with ImportKeyMaterial. For more information, see
 Þ https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.htmlEncrypt the Key Material	
 in the &Key Management Service Developer Guide. °,  ´ñ  - The type of wrapping key (public key) to return in the response. Only
 2048-bit RSA public keys are supported.² amazonka-kmsá The identifier of the symmetric encryption KMS key into which you will
 import key material. The Origin of the KMS key must be EXTERNAL.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.³ amazonka-kmsÿ The algorithm you will use to encrypt the key material before importing
 it with ImportKeyMaterial. For more information, see
 Þ https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.htmlEncrypt the Key Material	
 in the &Key Management Service Developer Guide.´ amazonka-kmsî The type of wrapping key (public key) to return in the response. Only
 2048-bit RSA public keys are supported.µ amazonka-kmsCreate a value of  ¥" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: §,  ¶Í  - The import token to send in a subsequent ImportKeyMaterial request.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. ¬,  · - The Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARNï )
 of the KMS key to use in a subsequent ImportKeyMaterial request. This is
 the same KMS key specified in the GetParametersForImport	 request. ©,  ¸° - The time at which the import token and public key are no longer valid.
 After this time, you cannot use them to make an ImportKeyMaterial
 request and you must send another GetParametersForImport request to
 get new ones. ª,  ¹è  - The public key to use to encrypt the key material before importing it
 with ImportKeyMaterial.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. «,  º# - The response's http status code.¶ amazonka-kmsÊ The import token to send in a subsequent ImportKeyMaterial request.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.· amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARNï )
 of the KMS key to use in a subsequent ImportKeyMaterial request. This is
 the same KMS key specified in the GetParametersForImport	 request.¸ amazonka-kms­The time at which the import token and public key are no longer valid.
 After this time, you cannot use them to make an ImportKeyMaterial
 request and you must send another GetParametersForImport request to
 get new ones.¹ amazonka-kmså The public key to use to encrypt the key material before importing it
 with ImportKeyMaterial.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.º amazonka-kms The response's http status code.±  amazonka-kms ¬ amazonka-kms ¯ amazonka-kms °µ  amazonka-kms «¥¦ª¨«§©¬­®¯°±²³´µ¶·¸¹º¬­®¯°±²³´¥¦ª¨«§©µ¶·¸¹º    5  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  1
Ê amazonka-kmsSee:  Ó smart constructor.Ì amazonka-kms?A Boolean value that specifies whether key rotation is enabled.Í amazonka-kms The response's http status code.Î amazonka-kmsSee:  Ñ smart constructor.Ð amazonka-kms3Gets the rotation status for the specified KMS key.‰Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
 different Amazon Web Services account, you must use the key ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ñ amazonka-kmsCreate a value of  Î" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Î,  Ò6 - Gets the rotation status for the specified KMS key.‰Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
 different Amazon Web Services account, you must use the key ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ò amazonka-kms3Gets the rotation status for the specified KMS key.‰Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
 different Amazon Web Services account, you must use the key ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ó amazonka-kmsCreate a value of  Ê" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Ì,  ÔÂ  - A Boolean value that specifies whether key rotation is enabled. Í,  Õ# - The response's http status code.Ô amazonka-kms?A Boolean value that specifies whether key rotation is enabled.Õ amazonka-kms The response's http status code.Ñ  amazonka-kms ÎÓ  amazonka-kms ÍÊËÍÌÎÏÐÑÒÓÔÕÎÏÐÑÒÊËÍÌÓÔÕ    6  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  $ïæ amazonka-kmsSee:  ñ smart constructor.è amazonka-kms%A key policy document in JSON format.é amazonka-kms The response's http status code.ê amazonka-kmsSee:  î smart constructor.ì amazonka-kms.Gets the key policy for the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.í amazonka-kms=Specifies the name of the key policy. The only valid name is default9.
 To get the names of key policies, use ListKeyPolicies.î amazonka-kmsCreate a value of  ê" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ê,  ï1 - Gets the key policy for the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. í,  ðÀ  - Specifies the name of the key policy. The only valid name is default9.
 To get the names of key policies, use ListKeyPolicies.ï amazonka-kms.Gets the key policy for the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.ð amazonka-kms=Specifies the name of the key policy. The only valid name is default9.
 To get the names of key policies, use ListKeyPolicies.ñ amazonka-kmsCreate a value of  æ" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: è,  ò( - A key policy document in JSON format. é,  ó# - The response's http status code.ò amazonka-kms%A key policy document in JSON format.ó amazonka-kms The response's http status code.î  amazonka-kms ê amazonka-kms íñ  amazonka-kms éæçéèêëìíîïðñòóêëìíîïðæçéèñòó    7  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  3ê„ amazonka-kmsSee:   smart constructor.† amazonka-kms•The random byte string. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.‡ amazonka-kms The response's http status code.ˆ amazonka-kmsSee:  Œ smart constructor.Š amazonka-kmsÅGenerates the random byte string in the CloudHSM cluster that is
 associated with the specified CloudHSM key store. To find the ID of a
 custom key store, use the DescribeCustomKeyStores operation.ê External key store IDs are not valid for this parameter. If you specify
 the ID of an external key store, GenerateRandom throws an
 UnsupportedOperationException.‹ amazonka-kmsÁ The length of the random byte string. This parameter is required.Œ amazonka-kmsCreate a value of  ˆ" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ˆ,  È - Generates the random byte string in the CloudHSM cluster that is
 associated with the specified CloudHSM key store. To find the ID of a
 custom key store, use the DescribeCustomKeyStores operation.ê External key store IDs are not valid for this parameter. If you specify
 the ID of an external key store, GenerateRandom throws an
 UnsupportedOperationException. ‹,  ŽÄ  - The length of the random byte string. This parameter is required. amazonka-kmsÅGenerates the random byte string in the CloudHSM cluster that is
 associated with the specified CloudHSM key store. To find the ID of a
 custom key store, use the DescribeCustomKeyStores operation.ê External key store IDs are not valid for this parameter. If you specify
 the ID of an external key store, GenerateRandom throws an
 UnsupportedOperationException.Ž amazonka-kmsÁ The length of the random byte string. This parameter is required. amazonka-kmsCreate a value of  „" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: †,  Ÿ - The random byte string. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. ‡,  ‘# - The response's http status code. amazonka-kmsœThe random byte string. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.‘ amazonka-kms The response's http status code.  amazonka-kms ‡„…‡†ˆ‰Š‹ŒŽ‘ˆ‰Š‹ŒŽ„…‡†‘    8  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  Rï¡ amazonka-kmsSee:  ² smart constructor.£ amazonka-kms'The HMAC KMS key used in the operation.¤ amazonka-kmsThe hash-based message authentication code (HMAC) that was generated for
 the specified message, HMAC KMS key, and MAC algorithm.+This is the standard, raw HMAC defined in
 -https://datatracker.ietf.org/doc/html/rfc2104RFC 2104.¥ amazonka-kms5The MAC algorithm that was used to generate the HMAC.¦ amazonka-kms The response's http status code.§ amazonka-kmsSee:  ­ smart constructor.© amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.ª amazonka-kmsÁ The message to be hashed. Specify a message of up to 4,096 bytes.GenerateMac¯ and VerifyMac do not provide special handling for message
 digests. If you generate an HMAC for a hash digest of a message, you
 must verify the HMAC of the same hash digest.« amazonka-kmsü The HMAC KMS key to use in the operation. The MAC algorithm computes the
 HMAC for the message and the key as described in
 -https://datatracker.ietf.org/doc/html/rfc2104RFC 2104.È To identify an HMAC KMS key, use the DescribeKey operation and see the
 KeySpec field in the response.¬ amazonka-kms(The MAC algorithm used in the operation.±The algorithm must be compatible with the HMAC KMS key that you specify.
 To find the MAC algorithms that your HMAC KMS key supports, use the
 DescribeKey operation and see the MacAlgorithms field in the
 DescribeKey
 response.­ amazonka-kmsCreate a value of  §" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ©,  ® - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. ª,  ¯Ä  - The message to be hashed. Specify a message of up to 4,096 bytes.GenerateMac¶ and VerifyMac do not provide special handling for message
 digests. If you generate an HMAC for a hash digest of a message, you
 must verify the HMAC of the same hash digest.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. §,  °ÿ  - The HMAC KMS key to use in the operation. The MAC algorithm computes the
 HMAC for the message and the key as described in
 -https://datatracker.ietf.org/doc/html/rfc2104RFC 2104.È To identify an HMAC KMS key, use the DescribeKey operation and see the
 KeySpec field in the response. §,  ±+ - The MAC algorithm used in the operation.±The algorithm must be compatible with the HMAC KMS key that you specify.
 To find the MAC algorithms that your HMAC KMS key supports, use the
 DescribeKey operation and see the MacAlgorithms field in the
 DescribeKey
 response.® amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.¯ amazonka-kmsÁ The message to be hashed. Specify a message of up to 4,096 bytes.GenerateMac¶ and VerifyMac do not provide special handling for message
 digests. If you generate an HMAC for a hash digest of a message, you
 must verify the HMAC of the same hash digest.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.° amazonka-kmsü The HMAC KMS key to use in the operation. The MAC algorithm computes the
 HMAC for the message and the key as described in
 -https://datatracker.ietf.org/doc/html/rfc2104RFC 2104.È To identify an HMAC KMS key, use the DescribeKey operation and see the
 KeySpec field in the response.± amazonka-kms(The MAC algorithm used in the operation.±The algorithm must be compatible with the HMAC KMS key that you specify.
 To find the MAC algorithms that your HMAC KMS key supports, use the
 DescribeKey operation and see the MacAlgorithms field in the
 DescribeKey
 response.² amazonka-kmsCreate a value of  ¡" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: §,  ³* - The HMAC KMS key used in the operation. ¤,  ´„ - The hash-based message authentication code (HMAC) that was generated for
 the specified message, HMAC KMS key, and MAC algorithm.+This is the standard, raw HMAC defined in
 -https://datatracker.ietf.org/doc/html/rfc2104RFC 2104.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. §,  µ8 - The MAC algorithm that was used to generate the HMAC. ¦,  ¶# - The response's http status code.³ amazonka-kms'The HMAC KMS key used in the operation.´ amazonka-kmsThe hash-based message authentication code (HMAC) that was generated for
 the specified message, HMAC KMS key, and MAC algorithm.+This is the standard, raw HMAC defined in
 -https://datatracker.ietf.org/doc/html/rfc2104RFC 2104.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.µ amazonka-kms5The MAC algorithm that was used to generate the HMAC.¶ amazonka-kms The response's http status code.­  amazonka-kms ª amazonka-kms § amazonka-kms §²  amazonka-kms ¦¡¢£¦¥¤§¨ª«©¬­®¯°±²³´µ¶§¨ª«©¬­®¯°±¡¢£¦¥¤²³´µ¶    9  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  }cÆ amazonka-kmsSee:  Ø smart constructor.È amazonka-kms•The encrypted data key. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.É amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN.)
 of the KMS key that encrypted the data key.Ê amazonka-kms The response's http status code.Ë amazonka-kmsSee:  Ò smart constructor.Í amazonka-kmsÑ Specifies the encryption context that will be used when encrypting the
 data key.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.Î amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.Ï amazonka-kms The length of the data key. Use AES_128* to generate a 128-bit
 symmetric key, or AES_256% to generate a 256-bit symmetric key.Ð amazonka-kmsØThe length of the data key in bytes. For example, use the value 64 to
 generate a 512-bit data key (64 bytes is 512 bits). For common key
 lengths (128-bit and 256-bit symmetric keys), we recommend that you use
 the KeySpec field instead of this one.Ñ amazonka-kmsáSpecifies the symmetric encryption KMS key that encrypts the data key.
 You cannot specify an asymmetric KMS key or a KMS key in a custom key
 store. To get the type and origin of your KMS key, use the DescribeKey
 operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.Ò amazonka-kmsCreate a value of  Ë" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Í,  ÓÔ  - Specifies the encryption context that will be used when encrypting the
 data key.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide. Î,  Ô - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. Ë,  Õ# - The length of the data key. Use AES_128* to generate a 128-bit
 symmetric key, or AES_256% to generate a 256-bit symmetric key. Ð,  ÖÛ - The length of the data key in bytes. For example, use the value 64 to
 generate a 512-bit data key (64 bytes is 512 bits). For common key
 lengths (128-bit and 256-bit symmetric keys), we recommend that you use
 the KeySpec field instead of this one. Ë,  ×ä - Specifies the symmetric encryption KMS key that encrypts the data key.
 You cannot specify an asymmetric KMS key or a KMS key in a custom key
 store. To get the type and origin of your KMS key, use the DescribeKey
 operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.Ó amazonka-kmsÑ Specifies the encryption context that will be used when encrypting the
 data key.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.Ô amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.Õ amazonka-kms The length of the data key. Use AES_128* to generate a 128-bit
 symmetric key, or AES_256% to generate a 256-bit symmetric key.Ö amazonka-kmsØThe length of the data key in bytes. For example, use the value 64 to
 generate a 512-bit data key (64 bytes is 512 bits). For common key
 lengths (128-bit and 256-bit symmetric keys), we recommend that you use
 the KeySpec field instead of this one.× amazonka-kmsáSpecifies the symmetric encryption KMS key that encrypts the data key.
 You cannot specify an asymmetric KMS key or a KMS key in a custom key
 store. To get the type and origin of your KMS key, use the DescribeKey
 operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.Ø amazonka-kmsCreate a value of  Æ" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: È,  ÙŸ - The encrypted data key. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. Ë,  Ú - The Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN.)
 of the KMS key that encrypted the data key. Ê,  Û# - The response's http status code.Ù amazonka-kmsœThe encrypted data key. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.Ú amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN.)
 of the KMS key that encrypted the data key.Û amazonka-kms The response's http status code.Ò  amazonka-kms ËØ  amazonka-kms ÊÆÇÉÊÈËÌÑÏÎÐÍÒÓÔÕÖ×ØÙÚÛËÌÑÏÎÐÍÒÓÔÕÖ×ÆÇÉÊÈØÙÚÛ    :  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ­ ì amazonka-kmsSee:  þ smart constructor.î amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN1)
 of the KMS key that encrypted the private key.ï amazonka-kms-The type of data key pair that was generated.ð amazonka-kms¤The encrypted copy of the private key. When you use the HTTP API or the
 Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is
 not Base64-encoded.ñ amazonka-kmsœThe public key (in plaintext). When you use the HTTP API or the Amazon
 Web Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.ò amazonka-kms The response's http status code.ó amazonka-kmsSee:  ù smart constructor.õ amazonka-kmsé Specifies the encryption context that will be used when encrypting the
 private key in the data key pair.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.ö amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.÷ amazonka-kmsùSpecifies the symmetric encryption KMS key that encrypts the private key
 in the data key pair. You cannot specify an asymmetric KMS key or a KMS
 key in a custom key store. To get the type and origin of your KMS key,
 use the DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.ø amazonka-kms7Determines the type of data key pair that is generated.ËThe KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
 to encrypt and decrypt or to sign and verify (but not both), and the
 rule that permits you to use ECC KMS keys only to sign and verify, are
 not effective on data key pairs, which are used outside of KMS. The SM2
 key spec is only available in China Regions.ù amazonka-kmsCreate a value of  ó" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: õ,  úì  - Specifies the encryption context that will be used when encrypting the
 private key in the data key pair.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide. ö,  û - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. ó,  üü - Specifies the symmetric encryption KMS key that encrypts the private key
 in the data key pair. You cannot specify an asymmetric KMS key or a KMS
 key in a custom key store. To get the type and origin of your KMS key,
 use the DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases. ó,  ý: - Determines the type of data key pair that is generated.ËThe KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
 to encrypt and decrypt or to sign and verify (but not both), and the
 rule that permits you to use ECC KMS keys only to sign and verify, are
 not effective on data key pairs, which are used outside of KMS. The SM2
 key spec is only available in China Regions.ú amazonka-kmsé Specifies the encryption context that will be used when encrypting the
 private key in the data key pair.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.û amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.ü amazonka-kmsùSpecifies the symmetric encryption KMS key that encrypts the private key
 in the data key pair. You cannot specify an asymmetric KMS key or a KMS
 key in a custom key store. To get the type and origin of your KMS key,
 use the DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.ý amazonka-kms7Determines the type of data key pair that is generated.ËThe KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
 to encrypt and decrypt or to sign and verify (but not both), and the
 rule that permits you to use ECC KMS keys only to sign and verify, are
 not effective on data key pairs, which are used outside of KMS. The SM2
 key spec is only available in China Regions.þ amazonka-kmsCreate a value of  ì" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ó,  ÿ - The Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN1)
 of the KMS key that encrypted the private key. ó,  €0 - The type of data key pair that was generated. ð,  ® - The encrypted copy of the private key. When you use the HTTP API or the
 Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is
 not Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. ñ,  ‚¦ - The public key (in plaintext). When you use the HTTP API or the Amazon
 Web Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. ò,  ƒ# - The response's http status code.ÿ amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN1)
 of the KMS key that encrypted the private key.€ amazonka-kms-The type of data key pair that was generated. amazonka-kms«The encrypted copy of the private key. When you use the HTTP API or the
 Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is
 not Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.‚ amazonka-kms£The public key (in plaintext). When you use the HTTP API or the Amazon
 Web Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.ƒ amazonka-kms The response's http status code.ù  amazonka-kms ó amazonka-kms óþ  amazonka-kms òìíñîòïðóô÷öõøùúûüýþÿ€‚ƒóô÷öõøùúûüýìíñîòïðþÿ€‚ƒ    ;  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  âv” amazonka-kmsSee:  § smart constructor.– amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN1)
 of the KMS key that encrypted the private key.— amazonka-kms-The type of data key pair that was generated.˜ amazonka-kms¤The encrypted copy of the private key. When you use the HTTP API or the
 Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is
 not Base64-encoded.™ amazonka-kms¤The plaintext copy of the private key. When you use the HTTP API or the
 Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is
 not Base64-encoded.š amazonka-kmsœThe public key (in plaintext). When you use the HTTP API or the Amazon
 Web Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.› amazonka-kms The response's http status code.œ amazonka-kmsSee:  ¢ smart constructor.ž amazonka-kmsé Specifies the encryption context that will be used when encrypting the
 private key in the data key pair.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.Ÿ amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.  amazonka-kmsùSpecifies the symmetric encryption KMS key that encrypts the private key
 in the data key pair. You cannot specify an asymmetric KMS key or a KMS
 key in a custom key store. To get the type and origin of your KMS key,
 use the DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.¡ amazonka-kms7Determines the type of data key pair that is generated.ËThe KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
 to encrypt and decrypt or to sign and verify (but not both), and the
 rule that permits you to use ECC KMS keys only to sign and verify, are
 not effective on data key pairs, which are used outside of KMS. The SM2
 key spec is only available in China Regions.¢ amazonka-kmsCreate a value of  œ" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ž,  £ì  - Specifies the encryption context that will be used when encrypting the
 private key in the data key pair.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide. Ÿ,  ¤ - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. œ,  ¥ü - Specifies the symmetric encryption KMS key that encrypts the private key
 in the data key pair. You cannot specify an asymmetric KMS key or a KMS
 key in a custom key store. To get the type and origin of your KMS key,
 use the DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases. œ,  ¦: - Determines the type of data key pair that is generated.ËThe KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
 to encrypt and decrypt or to sign and verify (but not both), and the
 rule that permits you to use ECC KMS keys only to sign and verify, are
 not effective on data key pairs, which are used outside of KMS. The SM2
 key spec is only available in China Regions.£ amazonka-kmsé Specifies the encryption context that will be used when encrypting the
 private key in the data key pair.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.¤ amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.¥ amazonka-kmsùSpecifies the symmetric encryption KMS key that encrypts the private key
 in the data key pair. You cannot specify an asymmetric KMS key or a KMS
 key in a custom key store. To get the type and origin of your KMS key,
 use the DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.¦ amazonka-kms7Determines the type of data key pair that is generated.ËThe KMS rule that restricts the use of asymmetric RSA and SM2 KMS keys
 to encrypt and decrypt or to sign and verify (but not both), and the
 rule that permits you to use ECC KMS keys only to sign and verify, are
 not effective on data key pairs, which are used outside of KMS. The SM2
 key spec is only available in China Regions.§ amazonka-kmsCreate a value of  ”" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: œ,  ¨ - The Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN1)
 of the KMS key that encrypted the private key. œ,  ©0 - The type of data key pair that was generated. ˜,  ª® - The encrypted copy of the private key. When you use the HTTP API or the
 Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is
 not Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. ™,  «® - The plaintext copy of the private key. When you use the HTTP API or the
 Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is
 not Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. š,  ¬¦ - The public key (in plaintext). When you use the HTTP API or the Amazon
 Web Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. ›,  ­# - The response's http status code.¨ amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN1)
 of the KMS key that encrypted the private key.© amazonka-kms-The type of data key pair that was generated.ª amazonka-kms«The encrypted copy of the private key. When you use the HTTP API or the
 Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is
 not Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.« amazonka-kms«The plaintext copy of the private key. When you use the HTTP API or the
 Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is
 not Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.¬ amazonka-kms£The public key (in plaintext). When you use the HTTP API or the Amazon
 Web Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.­ amazonka-kms The response's http status code.¢  amazonka-kms œ amazonka-kms œ§  amazonka-kms ›”•š–›—˜™œ Ÿž¡¢£¤¥¦§¨©ª«¬­œ Ÿž¡¢£¤¥¦”•š–›—˜™§¨©ª«¬­    <  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ½ amazonka-kmsSee:  Ð smart constructor.¿ amazonka-kms The response's http status code.À amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN.)
 of the KMS key that encrypted the data key.Á amazonka-kmsþThe plaintext data key. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded. Use this data key to encrypt your data outside of KMS.
 Then, remove it from memory as soon as possible.Â amazonka-kms¡The encrypted copy of the data key. When you use the HTTP API or the
 Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is
 not Base64-encoded.Ã amazonka-kmsSee:  Ê smart constructor.Å amazonka-kmsÑ Specifies the encryption context that will be used when encrypting the
 data key.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.Æ amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.Ç amazonka-kms*Specifies the length of the data key. Use AES_128* to generate a
 128-bit symmetric key, or AES_256% to generate a 256-bit symmetric key.You must specify either the KeySpec or the NumberOfBytes$ parameter
 (but not both) in every GenerateDataKey	 request.È amazonka-kmsÅSpecifies the length of the data key in bytes. For example, use the
 value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
 128-bit (16-byte) and 256-bit (32-byte) data keys, use the KeySpec
 parameter.You must specify either the KeySpec or the NumberOfBytes$ parameter
 (but not both) in every GenerateDataKey	 request.É amazonka-kmsáSpecifies the symmetric encryption KMS key that encrypts the data key.
 You cannot specify an asymmetric KMS key or a KMS key in a custom key
 store. To get the type and origin of your KMS key, use the DescribeKey
 operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.Ê amazonka-kmsCreate a value of  Ã" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Å,  ËÔ  - Specifies the encryption context that will be used when encrypting the
 data key.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide. Æ,  Ì - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. Ã,  Í- - Specifies the length of the data key. Use AES_128* to generate a
 128-bit symmetric key, or AES_256% to generate a 256-bit symmetric key.You must specify either the KeySpec or the NumberOfBytes$ parameter
 (but not both) in every GenerateDataKey	 request. È,  ÎÈ - Specifies the length of the data key in bytes. For example, use the
 value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
 128-bit (16-byte) and 256-bit (32-byte) data keys, use the KeySpec
 parameter.You must specify either the KeySpec or the NumberOfBytes$ parameter
 (but not both) in every GenerateDataKey	 request. Ã,  Ïä - Specifies the symmetric encryption KMS key that encrypts the data key.
 You cannot specify an asymmetric KMS key or a KMS key in a custom key
 store. To get the type and origin of your KMS key, use the DescribeKey
 operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.Ë amazonka-kmsÑ Specifies the encryption context that will be used when encrypting the
 data key.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.Ì amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.Í amazonka-kms*Specifies the length of the data key. Use AES_128* to generate a
 128-bit symmetric key, or AES_256% to generate a 256-bit symmetric key.You must specify either the KeySpec or the NumberOfBytes$ parameter
 (but not both) in every GenerateDataKey	 request.Î amazonka-kmsÅSpecifies the length of the data key in bytes. For example, use the
 value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
 128-bit (16-byte) and 256-bit (32-byte) data keys, use the KeySpec
 parameter.You must specify either the KeySpec or the NumberOfBytes$ parameter
 (but not both) in every GenerateDataKey	 request.Ï amazonka-kmsáSpecifies the symmetric encryption KMS key that encrypts the data key.
 You cannot specify an asymmetric KMS key or a KMS key in a custom key
 store. To get the type and origin of your KMS key, use the DescribeKey
 operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.Ð amazonka-kmsCreate a value of  ½" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¿,  Ñ# - The response's http status code. Ã,  Ò - The Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN.)
 of the KMS key that encrypted the data key. Á,  Óˆ - The plaintext data key. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded. Use this data key to encrypt your data outside of KMS.
 Then, remove it from memory as soon as possible.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. Â,  Ô« - The encrypted copy of the data key. When you use the HTTP API or the
 Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is
 not Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.Ñ amazonka-kms The response's http status code.Ò amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN.)
 of the KMS key that encrypted the data key.Ó amazonka-kms…The plaintext data key. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded. Use this data key to encrypt your data outside of KMS.
 Then, remove it from memory as soon as possible.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.Ô amazonka-kms¨The encrypted copy of the data key. When you use the HTTP API or the
 Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is
 not Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.Ê  amazonka-kms ÃÐ  amazonka-kms ¿ amazonka-kms Ã amazonka-kms Á amazonka-kms Â½¾À¿ÂÁÃÄÉÇÆÈÅÊËÌÍÎÏÐÑÒÓÔÃÄÉÇÆÈÅÊËÌÍÎÏ½¾À¿ÂÁÐÑÒÓÔ    =  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  H~ä amazonka-kmsSee:  ÷ smart constructor.æ amazonka-kms–The encrypted plaintext. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.ç amazonka-kmsÀ The encryption algorithm that was used to encrypt the plaintext.è amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN9)
 of the KMS key that was used to encrypt the plaintext.é amazonka-kms The response's http status code.ê amazonka-kmsSee:  ñ smart constructor.ì amazonka-kmsœSpecifies the encryption algorithm that KMS will use to encrypt the
 plaintext message. The algorithm must be compatible with the KMS key
 that you specify.Í This parameter is required only for asymmetric KMS keys. The default
 value, SYMMETRIC_DEFAULT…, is the algorithm used for symmetric
 encryption KMS keys. If you are using an asymmetric KMS key, we
 recommend RSAES_OAEP_SHA_256.8The SM2PKE algorithm is only available in China Regions.í amazonka-kmsò Specifies the encryption context that will be used to encrypt the data.
 An encryption context is valid only for
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operationsž
 with a symmetric encryption KMS key. The standard asymmetric encryption
 algorithms and HMAC algorithms that KMS uses do not support an
 encryption context.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.î amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.ï amazonka-kmsÔ Identifies the KMS key to use in the encryption operation. The KMS key
 must have a KeyUsage of ENCRYPT_DECRYPT. To find the KeyUsage. of a
 KMS key, use the DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.ð amazonka-kmsData to be encrypted.ñ amazonka-kmsCreate a value of  ê" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ê,  òŸ - Specifies the encryption algorithm that KMS will use to encrypt the
 plaintext message. The algorithm must be compatible with the KMS key
 that you specify.Í This parameter is required only for asymmetric KMS keys. The default
 value, SYMMETRIC_DEFAULT…, is the algorithm used for symmetric
 encryption KMS keys. If you are using an asymmetric KMS key, we
 recommend RSAES_OAEP_SHA_256.8The SM2PKE algorithm is only available in China Regions. í,  óõ  - Specifies the encryption context that will be used to encrypt the data.
 An encryption context is valid only for
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operationsž
 with a symmetric encryption KMS key. The standard asymmetric encryption
 algorithms and HMAC algorithms that KMS uses do not support an
 encryption context.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide. î,  ô - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. ê,  õ×  - Identifies the KMS key to use in the encryption operation. The KMS key
 must have a KeyUsage of ENCRYPT_DECRYPT. To find the KeyUsage. of a
 KMS key, use the DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases. ð,  ö - Data to be encrypted.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.ò amazonka-kmsœSpecifies the encryption algorithm that KMS will use to encrypt the
 plaintext message. The algorithm must be compatible with the KMS key
 that you specify.Í This parameter is required only for asymmetric KMS keys. The default
 value, SYMMETRIC_DEFAULT…, is the algorithm used for symmetric
 encryption KMS keys. If you are using an asymmetric KMS key, we
 recommend RSAES_OAEP_SHA_256.8The SM2PKE algorithm is only available in China Regions.ó amazonka-kmsò Specifies the encryption context that will be used to encrypt the data.
 An encryption context is valid only for
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operationsž
 with a symmetric encryption KMS key. The standard asymmetric encryption
 algorithms and HMAC algorithms that KMS uses do not support an
 encryption context.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.ô amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.õ amazonka-kmsÔ Identifies the KMS key to use in the encryption operation. The KMS key
 must have a KeyUsage of ENCRYPT_DECRYPT. To find the KeyUsage. of a
 KMS key, use the DescribeKey operation.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.ö amazonka-kmsData to be encrypted.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.÷ amazonka-kmsCreate a value of  ä" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: æ,  ø  - The encrypted plaintext. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. ê,  ùÃ  - The encryption algorithm that was used to encrypt the plaintext. ê,  ú - The Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN9)
 of the KMS key that was used to encrypt the plaintext. é,  û# - The response's http status code.ø amazonka-kmsThe encrypted plaintext. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.ù amazonka-kmsÀ The encryption algorithm that was used to encrypt the plaintext.ú amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN9)
 of the KMS key that was used to encrypt the plaintext.û amazonka-kms The response's http status code.ñ  amazonka-kms ê amazonka-kms ð÷  amazonka-kms éäåèéæçêëïîðíìñòóôõö÷øùúûêëïîðíìñòóôõöäåèéæç÷øùúû    >  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  Y.‹ amazonka-kmsSee:  ’ smart constructor. amazonka-kmsSee:   smart constructor. amazonka-kmsÕ Identifies a symmetric encryption KMS key. You cannot enable automatic
 rotation of
 Ï https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.htmlasymmetric KMS keys,
 ?https://docs.aws.amazon.com/kms/latest/developerguide/hmac.htmlHMAC KMS keys,
 KMS keys with
 É https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.htmlimported key material,
 or KMS keys in a
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key storeÀ .
 To enable or disable automatic rotation of a set of related
 ç https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotatemulti-Region keys',
 set the property on the primary key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. amazonka-kmsCreate a value of  " with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ,  ‘Ø  - Identifies a symmetric encryption KMS key. You cannot enable automatic
 rotation of
 Ï https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.htmlasymmetric KMS keys,
 ?https://docs.aws.amazon.com/kms/latest/developerguide/hmac.htmlHMAC KMS keys,
 KMS keys with
 É https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.htmlimported key material,
 or KMS keys in a
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key storeÀ .
 To enable or disable automatic rotation of a set of related
 ç https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotatemulti-Region keys',
 set the property on the primary key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.‘ amazonka-kmsÕ Identifies a symmetric encryption KMS key. You cannot enable automatic
 rotation of
 Ï https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.htmlasymmetric KMS keys,
 ?https://docs.aws.amazon.com/kms/latest/developerguide/hmac.htmlHMAC KMS keys,
 KMS keys with
 É https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.htmlimported key material,
 or KMS keys in a
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key storeÀ .
 To enable or disable automatic rotation of a set of related
 ç https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotatemulti-Region keys',
 set the property on the primary key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.’ amazonka-kmsCreate a value of  ‹" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.  amazonka-kms ‹ŒŽ‘’Ž‘‹Œ’    ?  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  `þ£ amazonka-kmsSee:  ª smart constructor.¥ amazonka-kmsSee:  ¨ smart constructor.§ amazonka-kms!Identifies the KMS key to enable.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.¨ amazonka-kmsCreate a value of  ¥" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¥,  ©$ - Identifies the KMS key to enable.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.© amazonka-kms!Identifies the KMS key to enable.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.ª amazonka-kmsCreate a value of  £" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.¨  amazonka-kms ¥£¤¥¦§¨©ª¥¦§¨©£¤ª    @  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  gÍ» amazonka-kmsSee:  Ã smart constructor.½ amazonka-kms The response's http status code.¾ amazonka-kmsSee:  Á smart constructor.À amazonka-kmsŽEnter the ID of the custom key store you want to disconnect. To find the
 ID of a custom key store, use the DescribeCustomKeyStores operation.Á amazonka-kmsCreate a value of  ¾" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¾,  Â‘ - Enter the ID of the custom key store you want to disconnect. To find the
 ID of a custom key store, use the DescribeCustomKeyStores operation.Â amazonka-kmsŽEnter the ID of the custom key store you want to disconnect. To find the
 ID of a custom key store, use the DescribeCustomKeyStores operation.Ã amazonka-kmsCreate a value of  »" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ½,  Ä# - The response's http status code.Ä amazonka-kms The response's http status code.Á  amazonka-kms ¾Ã  amazonka-kms ½
»¼½¾¿ÀÁÂÃÄ
¾¿ÀÁÂ»¼½ÃÄ    A  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  uÛÕ amazonka-kmsSee:  Ü smart constructor.× amazonka-kmsSee:  Ú smart constructor.Ù amazonka-kmsà Identifies a symmetric encryption KMS key. You cannot enable or disable
 automatic rotation of
 ß https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmksasymmetric KMS keys,
 ?https://docs.aws.amazon.com/kms/latest/developerguide/hmac.htmlHMAC KMS keys,
 KMS keys with
 É https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.htmlimported key material,
 or KMS keys in a
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key store.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ú amazonka-kmsCreate a value of  ×" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ×,  Ûã  - Identifies a symmetric encryption KMS key. You cannot enable or disable
 automatic rotation of
 ß https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmksasymmetric KMS keys,
 ?https://docs.aws.amazon.com/kms/latest/developerguide/hmac.htmlHMAC KMS keys,
 KMS keys with
 É https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.htmlimported key material,
 or KMS keys in a
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key store.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Û amazonka-kmsà Identifies a symmetric encryption KMS key. You cannot enable or disable
 automatic rotation of
 ß https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmksasymmetric KMS keys,
 ?https://docs.aws.amazon.com/kms/latest/developerguide/hmac.htmlHMAC KMS keys,
 KMS keys with
 É https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.htmlimported key material,
 or KMS keys in a
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key store.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ü amazonka-kmsCreate a value of  Õ" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.Ú  amazonka-kms ×ÕÖ×ØÙÚÛÜ×ØÙÚÛÕÖÜ    B  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  }®í amazonka-kmsSee:  ô smart constructor.ï amazonka-kmsSee:  ò smart constructor.ñ amazonka-kms"Identifies the KMS key to disable.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.ò amazonka-kmsCreate a value of  ï" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ï,  ó% - Identifies the KMS key to disable.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.ó amazonka-kms"Identifies the KMS key to disable.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.ô amazonka-kmsCreate a value of  í" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ò  amazonka-kms ïíîïðñòóôïðñòóíîô    C  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  •… amazonka-kmsSee:   smart constructor.‡ amazonka-kms!Metadata associated with the key.ˆ amazonka-kms The response's http status code.‰ amazonka-kmsSee:   smart constructor.‹ amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.Œ amazonka-kms Describes the specified KMS key.ˆIf you specify a predefined Amazon Web Services alias (an Amazon Web
 Services alias with no key ID), KMS associates the alias with an
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html##aws-managed-cmkAmazon Web Services managed key
 and returns its KeyId and Arn in the response.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases. amazonka-kmsCreate a value of  ‰" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ‹,  Ž - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. ‰,  # - Describes the specified KMS key.ˆIf you specify a predefined Amazon Web Services alias (an Amazon Web
 Services alias with no key ID), KMS associates the alias with an
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html##aws-managed-cmkAmazon Web Services managed key
 and returns its KeyId and Arn in the response.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.Ž amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. amazonka-kms Describes the specified KMS key.ˆIf you specify a predefined Amazon Web Services alias (an Amazon Web
 Services alias with no key ID), KMS associates the alias with an
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html##aws-managed-cmkAmazon Web Services managed key
 and returns its KeyId and Arn in the response.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases. amazonka-kmsCreate a value of  …" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ‡,  ‘$ - Metadata associated with the key. ˆ,  ’# - The response's http status code.‘ amazonka-kms!Metadata associated with the key.’ amazonka-kms The response's http status code.  amazonka-kms ‰  amazonka-kms ˆ…†ˆ‡‰ŠŒ‹Ž‘’‰ŠŒ‹Ž…†ˆ‡‘’    D  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ­Á£ amazonka-kmsSee:  ´ smart constructor.¥ amazonka-kms.Contains metadata about each custom key store.¦ amazonka-kmsWhen 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request.§ amazonka-kms¬A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request.¨ amazonka-kms The response's http status code.© amazonka-kmsSee:  ¯ smart constructor.« amazonka-kmsÔ Gets only information about the specified custom key store. Enter the
 key store ID.®By default, this operation gets information about all custom key stores
 in the account and Region. To limit the output to a particular custom
 key store, provide either the CustomKeyStoreId or CustomKeyStoreName
 parameter, but not both.¬ amazonka-kmsí Gets only information about the specified custom key store. Enter the
 friendly name of the custom key store.®By default, this operation gets information about all custom key stores
 in the account and Region. To limit the output to a particular custom
 key store, provide either the CustomKeyStoreId or CustomKeyStoreName
 parameter, but not both.­ amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.® amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.¯ amazonka-kmsCreate a value of  ©" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ©,  °×  - Gets only information about the specified custom key store. Enter the
 key store ID.®By default, this operation gets information about all custom key stores
 in the account and Region. To limit the output to a particular custom
 key store, provide either the CustomKeyStoreId or CustomKeyStoreName
 parameter, but not both. ©,  ±ð  - Gets only information about the specified custom key store. Enter the
 friendly name of the custom key store.®By default, this operation gets information about all custom key stores
 in the account and Region. To limit the output to a particular custom
 key store, provide either the CustomKeyStoreId or CustomKeyStoreName
 parameter, but not both. ­,  ²½ - Use this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer. ®,  ³û  - Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.° amazonka-kmsÔ Gets only information about the specified custom key store. Enter the
 key store ID.®By default, this operation gets information about all custom key stores
 in the account and Region. To limit the output to a particular custom
 key store, provide either the CustomKeyStoreId or CustomKeyStoreName
 parameter, but not both.± amazonka-kmsí Gets only information about the specified custom key store. Enter the
 friendly name of the custom key store.®By default, this operation gets information about all custom key stores
 in the account and Region. To limit the output to a particular custom
 key store, provide either the CustomKeyStoreId or CustomKeyStoreName
 parameter, but not both.² amazonka-kmsºUse this parameter to specify the maximum number of items to return.
 When this value is present, KMS does not return more than the specified
 number of items, but it might return fewer.³ amazonka-kmsø Use this parameter in a subsequent request after you receive a response
 with truncated results. Set it to the value of 
NextMarker0 from the
 truncated response you just received.´ amazonka-kmsCreate a value of  £" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¥,  µ1 - Contains metadata about each custom key store. £,  ¶ - When 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request. £,  ·¯ - A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request. ¨,  ¸# - The response's http status code.µ amazonka-kms.Contains metadata about each custom key store.¶ amazonka-kmsWhen 	TruncatedÉ  is true, this element is present and contains the value
 to use for the Marker# parameter in a subsequent request.· amazonka-kms¬A flag that indicates whether there are more items in the list. When
 this value is true, the list in this response is truncated. To get more
 items, pass the value of the 
NextMarker! element in thisresponse to the
 Marker# parameter in a subsequent request.¸ amazonka-kms The response's http status code.´  amazonka-kms ¨£¤§¦¨¥©ª«¬­®¯°±²³´µ¶·¸©ª«¬­®¯°±²³£¤§¦¨¥´µ¶·¸    E  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ¶õÉ amazonka-kmsSee:  Ð smart constructor.Ë amazonka-kmsSee:  Î smart constructor.Í amazonka-kmsÏ Identifies the KMS key from which you are deleting imported key
 material. The Origin of the KMS key must be EXTERNAL.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Î amazonka-kmsCreate a value of  Ë" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Ë,  ÏÒ  - Identifies the KMS key from which you are deleting imported key
 material. The Origin of the KMS key must be EXTERNAL.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ï amazonka-kmsÏ Identifies the KMS key from which you are deleting imported key
 material. The Origin of the KMS key must be EXTERNAL.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ð amazonka-kmsCreate a value of  É" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.Î  amazonka-kms ËÉÊËÌÍÎÏÐËÌÍÎÏÉÊÐ    F  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ½¸á amazonka-kmsSee:  é smart constructor.ã amazonka-kms The response's http status code.ä amazonka-kmsSee:  ç smart constructor.æ amazonka-kmsŠEnter the ID of the custom key store you want to delete. To find the ID
 of a custom key store, use the DescribeCustomKeyStores operation.ç amazonka-kmsCreate a value of  ä" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ä,  è - Enter the ID of the custom key store you want to delete. To find the ID
 of a custom key store, use the DescribeCustomKeyStores operation.è amazonka-kmsŠEnter the ID of the custom key store you want to delete. To find the ID
 of a custom key store, use the DescribeCustomKeyStores operation.é amazonka-kmsCreate a value of  á" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ã,  ê# - The response's http status code.ê amazonka-kms The response's http status code.ç  amazonka-kms äé  amazonka-kms ã
áâãäåæçèéê
äåæçèáâãéê    G  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ÃGû amazonka-kmsSee:  ‚ smart constructor.ý amazonka-kmsSee:  € smart constructor.ÿ amazonka-kms8The alias to be deleted. The alias name must begin with alias/&
 followed by the alias name, such as alias/ExampleAlias.€ amazonka-kmsCreate a value of  ý" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ý,  ; - The alias to be deleted. The alias name must begin with alias/&
 followed by the alias name, such as alias/ExampleAlias. amazonka-kms8The alias to be deleted. The alias name must begin with alias/&
 followed by the alias name, such as alias/ExampleAlias.‚ amazonka-kmsCreate a value of  û" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.€  amazonka-kms ýûüýþÿ€‚ýþÿ€ûü‚    H  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  úh“ amazonka-kmsSee:  ¦ smart constructor.• amazonka-kmsÁ The encryption algorithm that was used to decrypt the ciphertext.– amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN:)
 of the KMS key that was used to decrypt the ciphertext.— amazonka-kms—Decrypted plaintext data. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.˜ amazonka-kms The response's http status code.™ amazonka-kmsSee:    smart constructor.› amazonka-kmsºSpecifies the encryption algorithm that will be used to decrypt the
 ciphertext. Specify the same algorithm that was used to encrypt the
 data. If you specify a different algorithm, the Decrypt operation
 fails.ó This parameter is required only when the ciphertext was encrypted under
 an asymmetric KMS key. The default value, SYMMETRIC_DEFAULTÜ ,
 represents the only supported algorithm that is valid for symmetric
 encryption KMS keys.œ amazonka-kmsì Specifies the encryption context to use when decrypting the data. An
 encryption context is valid only for
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operationsž
 with a symmetric encryption KMS key. The standard asymmetric encryption
 algorithms and HMAC algorithms that KMS uses do not support an
 encryption context.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide. amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.ž amazonka-kms>Specifies the KMS key that KMS uses to decrypt the ciphertext.ñ Enter a key ID of the KMS key that was used to encrypt the ciphertext.
 If you identify a different KMS key, the Decrypt operation throws an
 IncorrectKeyException.ÙThis parameter is required only when the ciphertext was encrypted under
 an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS
 can get the KMS key from metadata that it adds to the symmetric
 ciphertext blob. However, it is always recommended as a best practice.
 This practice ensures that you use the KMS key that you intend.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.Ÿ amazonka-kms7Ciphertext to be decrypted. The blob includes metadata.  amazonka-kmsCreate a value of  ™" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ™,  ¡½ - Specifies the encryption algorithm that will be used to decrypt the
 ciphertext. Specify the same algorithm that was used to encrypt the
 data. If you specify a different algorithm, the Decrypt operation
 fails.ó This parameter is required only when the ciphertext was encrypted under
 an asymmetric KMS key. The default value, SYMMETRIC_DEFAULTÜ ,
 represents the only supported algorithm that is valid for symmetric
 encryption KMS keys. œ,  ¢ï  - Specifies the encryption context to use when decrypting the data. An
 encryption context is valid only for
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operationsž
 with a symmetric encryption KMS key. The standard asymmetric encryption
 algorithms and HMAC algorithms that KMS uses do not support an
 encryption context.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide. ,  £ - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. ™,  ¤Á  - Specifies the KMS key that KMS uses to decrypt the ciphertext.ñ Enter a key ID of the KMS key that was used to encrypt the ciphertext.
 If you identify a different KMS key, the Decrypt operation throws an
 IncorrectKeyException.ÙThis parameter is required only when the ciphertext was encrypted under
 an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS
 can get the KMS key from metadata that it adds to the symmetric
 ciphertext blob. However, it is always recommended as a best practice.
 This practice ensures that you use the KMS key that you intend.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases. Ÿ,  ¥Á  - Ciphertext to be decrypted. The blob includes metadata.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.¡ amazonka-kmsºSpecifies the encryption algorithm that will be used to decrypt the
 ciphertext. Specify the same algorithm that was used to encrypt the
 data. If you specify a different algorithm, the Decrypt operation
 fails.ó This parameter is required only when the ciphertext was encrypted under
 an asymmetric KMS key. The default value, SYMMETRIC_DEFAULTÜ ,
 represents the only supported algorithm that is valid for symmetric
 encryption KMS keys.¢ amazonka-kmsì Specifies the encryption context to use when decrypting the data. An
 encryption context is valid only for
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operationsž
 with a symmetric encryption KMS key. The standard asymmetric encryption
 algorithms and HMAC algorithms that KMS uses do not support an
 encryption context.An encryption contextÇ is a collection of non-secret key-value pairs
 that represent additional authenticated data. When you use an encryption
 context to encrypt data, you must specify the same (an exact
 case-sensitive match) encryption context to decrypt the data. An
 encryption context is supported only on operations with symmetric
 encryption KMS keys. On operations with symmetric encryption KMS keys,
 an encryption context is optional, but it is strongly recommended.For more information, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context	
 in the &Key Management Service Developer Guide.£ amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.¤ amazonka-kms>Specifies the KMS key that KMS uses to decrypt the ciphertext.ñ Enter a key ID of the KMS key that was used to encrypt the ciphertext.
 If you identify a different KMS key, the Decrypt operation throws an
 IncorrectKeyException.ÙThis parameter is required only when the ciphertext was encrypted under
 an asymmetric KMS key. If you used a symmetric encryption KMS key, KMS
 can get the KMS key from metadata that it adds to the symmetric
 ciphertext blob. However, it is always recommended as a best practice.
 This practice ensures that you use the KMS key that you intend.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.¥ amazonka-kms>Ciphertext to be decrypted. The blob includes metadata.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.¦ amazonka-kmsCreate a value of  “" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ™,  §Ä  - The encryption algorithm that was used to decrypt the ciphertext. ™,  ¨ - The Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN:)
 of the KMS key that was used to decrypt the ciphertext. —,  ©¡ - Decrypted plaintext data. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. ˜,  ª# - The response's http status code.§ amazonka-kmsÁ The encryption algorithm that was used to decrypt the ciphertext.¨ amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN:)
 of the KMS key that was used to decrypt the ciphertext.© amazonka-kmsžDecrypted plaintext data. When you use the HTTP API or the Amazon Web
 Services CLI, the value is Base64-encoded. Otherwise, it is not
 Base64-encoded.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.ª amazonka-kms The response's http status code.   amazonka-kms Ÿ¦  amazonka-kms ˜“”–˜—•™šžŸœ› ¡¢£¤¥¦§¨©ª™šžŸœ› ¡¢£¤¥“”–˜—•¦§¨©ª    I  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ¾º amazonka-kmsSee:  × smart constructor.¼ amazonka-kms%Metadata associated with the KMS key.½ amazonka-kms The response's http status code.¾ amazonka-kmsSee:  Ë smart constructor.À amazonka-kmsÊ A flag to indicate whether to bypass the key policy lockout safety
 check.…Setting this value to true increases the risk that the KMS key becomes
 unmanageable. Do not set this value to true indiscriminately.4For more information, refer to the scenario in the
 ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
 section in the /&Key Management Service Developer Guide/ .ÃUse this parameter only when you include a policy in the request and you
 intend to prevent the principal that is making the request from making a
 subsequent PutKeyPolicy request on the KMS key.The default value is false.Á amazonka-kms&Creates the KMS key in the specified
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key store.
 The ConnectionState! of the custom key store must be 	CONNECTEDß . To
 find the CustomKeyStoreID and ConnectionState use the
 DescribeCustomKeyStores operation.—This parameter is valid only for symmetric encryption KMS keys in a
 single Region. You cannot create any other type of KMS key in a custom
 key store.øWhen you create a KMS key in an CloudHSM key store, KMS generates a
 non-exportable 256-bit symmetric key in its associated CloudHSM cluster
 and associates it with the KMS key. When you create a KMS key in an
 external key store, you must use the XksKeyIdÓ  parameter to specify an
 external key that serves as key material for the KMS key.Â amazonka-kmsInstead, use the KeySpec parameter.The KeySpec and CustomerMasterKeySpecÑ  parameters work the same way.
 Only the names differ. We recommend that you use KeySpecÜ  parameter in
 your code. However, to avoid breaking changes, KMS supports both
 parameters.Ã amazonka-kmsA description of the KMS key.Use a description that helps you decide whether the KMS key is
 appropriate for a task. The default value is an empty string (no
 description).Õ To set or change the description after the key is created, use
 UpdateKeyDescription.Ä amazonka-kms=Specifies the type of KMS key to create. The default value,
 SYMMETRIC_DEFAULTî, creates a KMS key with a 256-bit AES-GCM key that
 is used for encryption and decryption, except in China Regions, where it
 creates a 128-bit symmetric key that uses SM4 encryption. For help
 choosing a key spec for your KMS key, see
 Ö https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-chooseChoosing a KMS key type

 in the /&Key Management Service Developer Guide/ .The KeySpec¨ determines whether the KMS key contains a symmetric key or
 an asymmetric key pair. It also determines the algorithms that the KMS
 key supports. You can't change the KeySpec¸ after the KMS key is
 created. To further restrict the algorithms that can be used with the
 KMS key, use a condition key in its key policy or IAM policy. For more
 information, see
 ð https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithmkms:EncryptionAlgorithm,
 é https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithmkms:MacAlgorithm
 or
 í https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithmkms:Signing Algorithm

 in the /&Key Management Service Developer Guide/ .;http://aws.amazon.com/kms/features/#AWS_Service_Integration9Amazon Web Services services that are integrated with KMSþ 
 use symmetric encryption KMS keys to protect your data. These services
 do not support asymmetric KMS keys or HMAC KMS keys.2KMS supports the following key specs for KMS keys:"Symmetric encryption key (default)SYMMETRIC_DEFAULTHMAC keys (symmetric)HMAC_224HMAC_256HMAC_384HMAC_512Asymmetric RSA key pairsRSA_2048RSA_3072RSA_40964Asymmetric NIST-recommended elliptic curve key pairsECC_NIST_P256 (secp256r1)ECC_NIST_P384 (secp384r1)ECC_NIST_P521 (secp521r1))Other asymmetric elliptic curve key pairsECC_SECG_P256K15 (secp256k1), commonly used for
    cryptocurrencies."SM2 key pairs (China Regions only)SM2Å amazonka-kmsDetermines the
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operations;
 for which you can use the KMS key. The default value is
 ENCRYPT_DECRYPT…. This parameter is optional when you are creating a
 symmetric encryption KMS key; otherwise, it is required. You can't
 change the KeyUsage$ value after the KMS key is created.Select only one valid value.Æ For symmetric encryption KMS keys, omit the parameter or specify
     ENCRYPT_DECRYPT.'For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC.<For asymmetric KMS keys with RSA key material, specify
     ENCRYPT_DECRYPT or SIGN_VERIFY.<For asymmetric KMS keys with ECC key material, specify
     SIGN_VERIFY.Ñ For asymmetric KMS keys with SM2 key material (China Regions only),
     specify ENCRYPT_DECRYPT or SIGN_VERIFY.Æ amazonka-kmsžCreates a multi-Region primary key that you can replicate into other
 Amazon Web Services Regions. You cannot change this value after you
 create the KMS key..For a multi-Region key, set this parameter to TrueÁ . For a
 single-Region KMS key, omit this parameter or set it to False. The
 default value is False.This operation supports multi-Region keysÃ, an KMS feature that lets
 you create multiple interoperable KMS keys in different Amazon Web
 Services Regions. Because these KMS keys have the same key ID, key
 material, and other metadata, you can use them interchangeably to
 encrypt data in one Amazon Web Services Region and decrypt it in a
 different Amazon Web Services Region without re-encrypting the data or
 making a cross-Region call. For more information about multi-Region
 keys, see
 Õ https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.htmlMulti-Region keys in KMS	
 in the &Key Management Service Developer Guide.This value creates a primary keyÌ , not a replica. To create a /replica
 key/, use the ReplicateKey operation.ÃYou can create a symmetric or asymmetric multi-Region key, and you can
 create a multi-Region key with imported key material. However, you
 cannot create a multi-Region key in a custom key store.Ç amazonka-kmsû The source of the key material for the KMS key. You cannot change the
 origin after you create the KMS key. The default is AWS_KMS1, which
 means that KMS creates the key material.To
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html%create a KMS key with no key material1
 (for imported key material), set this value to EXTERNALÄ . For more
 information about importing key material into KMS, see
 É https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.htmlImporting Key Material	
 in the &Key Management Service Developer Guide. The EXTERNAL4 origin
 value is valid only for symmetric KMS keys.To
 Î https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html)create a KMS key in an CloudHSM key storeÕ 
 and create its key material in the associated CloudHSM cluster, set this
 value to AWS_CLOUDHSM. You must also use the CustomKeyStoreId4
 parameter to identify the CloudHSM key store. The KeySpec value must
 be SYMMETRIC_DEFAULT.To
 Ê https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html)create a KMS key in an external key store,
 set this value to EXTERNAL_KEY_STORE. You must also use the
 CustomKeyStoreId7 parameter to identify the external key store and the
 XksKeyId9 parameter to identify the associated external key. The
 KeySpec value must be SYMMETRIC_DEFAULT.È amazonka-kms(The key policy to attach to the KMS key.Á If you provide a key policy, it must meet the following criteria:If you don't set BypassPolicyLockoutSafetyCheckÊ  to true, the key
     policy must allow the principal that is making the 	CreateKeyÇ
     request to make a subsequent PutKeyPolicy request on the KMS key.
     This reduces the risk that the KMS key becomes unmanageable. For
     more information, refer to the scenario in the
     ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
     section of the /&Key Management Service Developer Guide/ .¶Each statement in the key policy must contain one or more
     principals. The principals in the key policy must exist and be
     visible to KMS. When you create a new Amazon Web Services principal
     (for example, an IAM user or role), you might need to enforce a
     delay before including the new principal in a key policy because the
     new principal might not be immediately visible to KMS. For more
     information, see
     ô https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency6Changes that I make are not always immediately visibleÒ 
     in the /Amazon Web Services Identity and Access Management User
     Guide/.ò If you do not provide a key policy, KMS attaches a default key policy to
 the KMS key. For more information, see
 Ú https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-defaultDefault Key Policy	
 in the &Key Management Service Developer Guide.8The key policy size quota is 32 kilobytes (32768 bytes).Á For help writing and formatting a JSON policy document, see the
 È https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.htmlIAM JSON Policy Reference

 in the /)Identity and Access Management User Guide/ .É amazonka-kmsŸAssigns one or more tags to the KMS key. Use this parameter to tag the
 KMS key when it is created. To tag an existing KMS key, use the
 TagResource operation.ß Tagging or untagging a KMS key can allow or deny permission to the KMS
 key. For details, see
 ?https://docs.aws.amazon.com/kms/latest/developerguide/abac.htmlABAC for KMS	
 in the &Key Management Service Developer Guide.&To use this parameter, you must have
 Ø https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.htmlkms:TagResource
 permission in an IAM policy.ÕEach tag consists of a tag key and a tag value. Both the tag key and the
 tag value are required, but the tag value can be an empty (null) string.
 You cannot have more than one tag on a KMS key with the same tag key. If
 you specify an existing tag key with a different tag value, KMS replaces
 the current tag value with the specified one.áWhen you add tags to an Amazon Web Services resource, Amazon Web
 Services generates a cost allocation report with usage and costs
 aggregated by tags. Tags can also be used to control access to a KMS
 key. For details, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.htmlTagging Keys.Ê amazonka-kmsIdentifies the
 á https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-keyexternal key5
 that serves as key material for the KMS key in an
 Ì https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.htmlexternal key store.
 Specify the ID that the
 Þ https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxyexternal key store proxyè 
 uses to refer to the external key. For help, see the documentation for
 your external key store proxy.1This parameter is required for a KMS key with an Origin value of
 EXTERNAL_KEY_STORE/. It is not valid for KMS keys with any other
 Origin value.ÆThe external key must be an existing 256-bit AES symmetric encryption
 key hosted outside of Amazon Web Services in an external key manager
 associated with the external key store specified by the
 CustomKeyStoreId· parameter. This key must be enabled and configured to
 perform encryption and decryption. Each KMS key in an external key store
 must use a different external key. For details, see
 Å https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements3Requirements for a KMS key in an external key store	
 in the &Key Management Service Developer Guide.ÂEach KMS key in an external key store is associated two backing keys.
 One is key material that KMS generates. The other is the external key
 specified by this parameter. When you use the KMS key in an external key
 store to encrypt data, the encryption operation is performed first by
 KMS using the KMS key material, and then by the external key manager
 using the specified external key, a process known as /double
 encryption/. For details, see
 æ https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryptionDouble encryption	
 in the &Key Management Service Developer Guide.Ë amazonka-kmsCreate a value of  ¾" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: À,  ÌÍ  - A flag to indicate whether to bypass the key policy lockout safety
 check.…Setting this value to true increases the risk that the KMS key becomes
 unmanageable. Do not set this value to true indiscriminately.4For more information, refer to the scenario in the
 ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
 section in the /&Key Management Service Developer Guide/ .ÃUse this parameter only when you include a policy in the request and you
 intend to prevent the principal that is making the request from making a
 subsequent PutKeyPolicy request on the KMS key.The default value is false. ¾,  Í) - Creates the KMS key in the specified
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key store.
 The ConnectionState! of the custom key store must be 	CONNECTEDß . To
 find the CustomKeyStoreID and ConnectionState use the
 DescribeCustomKeyStores operation.—This parameter is valid only for symmetric encryption KMS keys in a
 single Region. You cannot create any other type of KMS key in a custom
 key store.øWhen you create a KMS key in an CloudHSM key store, KMS generates a
 non-exportable 256-bit symmetric key in its associated CloudHSM cluster
 and associates it with the KMS key. When you create a KMS key in an
 external key store, you must use the XksKeyIdÓ  parameter to specify an
 external key that serves as key material for the KMS key. ¾,  Î - Instead, use the KeySpec parameter.The KeySpec and CustomerMasterKeySpecÑ  parameters work the same way.
 Only the names differ. We recommend that you use KeySpecÜ  parameter in
 your code. However, to avoid breaking changes, KMS supports both
 parameters. ¾,  Ï  - A description of the KMS key.Use a description that helps you decide whether the KMS key is
 appropriate for a task. The default value is an empty string (no
 description).Õ To set or change the description after the key is created, use
 UpdateKeyDescription. ¾,  ÐÀ  - Specifies the type of KMS key to create. The default value,
 SYMMETRIC_DEFAULTî, creates a KMS key with a 256-bit AES-GCM key that
 is used for encryption and decryption, except in China Regions, where it
 creates a 128-bit symmetric key that uses SM4 encryption. For help
 choosing a key spec for your KMS key, see
 Ö https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-chooseChoosing a KMS key type

 in the /&Key Management Service Developer Guide/ .The KeySpec¨ determines whether the KMS key contains a symmetric key or
 an asymmetric key pair. It also determines the algorithms that the KMS
 key supports. You can't change the KeySpec¸ after the KMS key is
 created. To further restrict the algorithms that can be used with the
 KMS key, use a condition key in its key policy or IAM policy. For more
 information, see
 ð https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithmkms:EncryptionAlgorithm,
 é https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithmkms:MacAlgorithm
 or
 í https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithmkms:Signing Algorithm

 in the /&Key Management Service Developer Guide/ .;http://aws.amazon.com/kms/features/#AWS_Service_Integration9Amazon Web Services services that are integrated with KMSþ 
 use symmetric encryption KMS keys to protect your data. These services
 do not support asymmetric KMS keys or HMAC KMS keys.2KMS supports the following key specs for KMS keys:"Symmetric encryption key (default)SYMMETRIC_DEFAULTHMAC keys (symmetric)HMAC_224HMAC_256HMAC_384HMAC_512Asymmetric RSA key pairsRSA_2048RSA_3072RSA_40964Asymmetric NIST-recommended elliptic curve key pairsECC_NIST_P256 (secp256r1)ECC_NIST_P384 (secp384r1)ECC_NIST_P521 (secp521r1))Other asymmetric elliptic curve key pairsECC_SECG_P256K15 (secp256k1), commonly used for
    cryptocurrencies."SM2 key pairs (China Regions only)SM2 ¾,  Ñ - Determines the
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operations;
 for which you can use the KMS key. The default value is
 ENCRYPT_DECRYPT…. This parameter is optional when you are creating a
 symmetric encryption KMS key; otherwise, it is required. You can't
 change the KeyUsage$ value after the KMS key is created.Select only one valid value.Æ For symmetric encryption KMS keys, omit the parameter or specify
     ENCRYPT_DECRYPT.'For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC.<For asymmetric KMS keys with RSA key material, specify
     ENCRYPT_DECRYPT or SIGN_VERIFY.<For asymmetric KMS keys with ECC key material, specify
     SIGN_VERIFY.Ñ For asymmetric KMS keys with SM2 key material (China Regions only),
     specify ENCRYPT_DECRYPT or SIGN_VERIFY. ¾,  Ò¡ - Creates a multi-Region primary key that you can replicate into other
 Amazon Web Services Regions. You cannot change this value after you
 create the KMS key..For a multi-Region key, set this parameter to TrueÁ . For a
 single-Region KMS key, omit this parameter or set it to False. The
 default value is False.This operation supports multi-Region keysÃ, an KMS feature that lets
 you create multiple interoperable KMS keys in different Amazon Web
 Services Regions. Because these KMS keys have the same key ID, key
 material, and other metadata, you can use them interchangeably to
 encrypt data in one Amazon Web Services Region and decrypt it in a
 different Amazon Web Services Region without re-encrypting the data or
 making a cross-Region call. For more information about multi-Region
 keys, see
 Õ https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.htmlMulti-Region keys in KMS	
 in the &Key Management Service Developer Guide.This value creates a primary keyÌ , not a replica. To create a /replica
 key/, use the ReplicateKey operation.ÃYou can create a symmetric or asymmetric multi-Region key, and you can
 create a multi-Region key with imported key material. However, you
 cannot create a multi-Region key in a custom key store. ¾,  Óþ  - The source of the key material for the KMS key. You cannot change the
 origin after you create the KMS key. The default is AWS_KMS1, which
 means that KMS creates the key material.To
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html%create a KMS key with no key material1
 (for imported key material), set this value to EXTERNALÄ . For more
 information about importing key material into KMS, see
 É https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.htmlImporting Key Material	
 in the &Key Management Service Developer Guide. The EXTERNAL4 origin
 value is valid only for symmetric KMS keys.To
 Î https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html)create a KMS key in an CloudHSM key storeÕ 
 and create its key material in the associated CloudHSM cluster, set this
 value to AWS_CLOUDHSM. You must also use the CustomKeyStoreId4
 parameter to identify the CloudHSM key store. The KeySpec value must
 be SYMMETRIC_DEFAULT.To
 Ê https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html)create a KMS key in an external key store,
 set this value to EXTERNAL_KEY_STORE. You must also use the
 CustomKeyStoreId7 parameter to identify the external key store and the
 XksKeyId9 parameter to identify the associated external key. The
 KeySpec value must be SYMMETRIC_DEFAULT. È,  Ô+ - The key policy to attach to the KMS key.Á If you provide a key policy, it must meet the following criteria:If you don't set BypassPolicyLockoutSafetyCheckÊ  to true, the key
     policy must allow the principal that is making the 	CreateKeyÇ
     request to make a subsequent PutKeyPolicy request on the KMS key.
     This reduces the risk that the KMS key becomes unmanageable. For
     more information, refer to the scenario in the
     ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
     section of the /&Key Management Service Developer Guide/ .¶Each statement in the key policy must contain one or more
     principals. The principals in the key policy must exist and be
     visible to KMS. When you create a new Amazon Web Services principal
     (for example, an IAM user or role), you might need to enforce a
     delay before including the new principal in a key policy because the
     new principal might not be immediately visible to KMS. For more
     information, see
     ô https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency6Changes that I make are not always immediately visibleÒ 
     in the /Amazon Web Services Identity and Access Management User
     Guide/.ò If you do not provide a key policy, KMS attaches a default key policy to
 the KMS key. For more information, see
 Ú https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-defaultDefault Key Policy	
 in the &Key Management Service Developer Guide.8The key policy size quota is 32 kilobytes (32768 bytes).Á For help writing and formatting a JSON policy document, see the
 È https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.htmlIAM JSON Policy Reference

 in the /)Identity and Access Management User Guide/ . É,  Õ¢ - Assigns one or more tags to the KMS key. Use this parameter to tag the
 KMS key when it is created. To tag an existing KMS key, use the
 TagResource operation.ß Tagging or untagging a KMS key can allow or deny permission to the KMS
 key. For details, see
 ?https://docs.aws.amazon.com/kms/latest/developerguide/abac.htmlABAC for KMS	
 in the &Key Management Service Developer Guide.&To use this parameter, you must have
 Ø https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.htmlkms:TagResource
 permission in an IAM policy.ÕEach tag consists of a tag key and a tag value. Both the tag key and the
 tag value are required, but the tag value can be an empty (null) string.
 You cannot have more than one tag on a KMS key with the same tag key. If
 you specify an existing tag key with a different tag value, KMS replaces
 the current tag value with the specified one.áWhen you add tags to an Amazon Web Services resource, Amazon Web
 Services generates a cost allocation report with usage and costs
 aggregated by tags. Tags can also be used to control access to a KMS
 key. For details, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.htmlTagging Keys. Ê,  Ö - Identifies the
 á https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-keyexternal key5
 that serves as key material for the KMS key in an
 Ì https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.htmlexternal key store.
 Specify the ID that the
 Þ https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxyexternal key store proxyè 
 uses to refer to the external key. For help, see the documentation for
 your external key store proxy.1This parameter is required for a KMS key with an Origin value of
 EXTERNAL_KEY_STORE/. It is not valid for KMS keys with any other
 Origin value.ÆThe external key must be an existing 256-bit AES symmetric encryption
 key hosted outside of Amazon Web Services in an external key manager
 associated with the external key store specified by the
 CustomKeyStoreId· parameter. This key must be enabled and configured to
 perform encryption and decryption. Each KMS key in an external key store
 must use a different external key. For details, see
 Å https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements3Requirements for a KMS key in an external key store	
 in the &Key Management Service Developer Guide.ÂEach KMS key in an external key store is associated two backing keys.
 One is key material that KMS generates. The other is the external key
 specified by this parameter. When you use the KMS key in an external key
 store to encrypt data, the encryption operation is performed first by
 KMS using the KMS key material, and then by the external key manager
 using the specified external key, a process known as /double
 encryption/. For details, see
 æ https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryptionDouble encryption	
 in the &Key Management Service Developer Guide.Ì amazonka-kmsÊ A flag to indicate whether to bypass the key policy lockout safety
 check.…Setting this value to true increases the risk that the KMS key becomes
 unmanageable. Do not set this value to true indiscriminately.4For more information, refer to the scenario in the
 ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
 section in the /&Key Management Service Developer Guide/ .ÃUse this parameter only when you include a policy in the request and you
 intend to prevent the principal that is making the request from making a
 subsequent PutKeyPolicy request on the KMS key.The default value is false.Í amazonka-kms&Creates the KMS key in the specified
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlcustom key store.
 The ConnectionState! of the custom key store must be 	CONNECTEDß . To
 find the CustomKeyStoreID and ConnectionState use the
 DescribeCustomKeyStores operation.—This parameter is valid only for symmetric encryption KMS keys in a
 single Region. You cannot create any other type of KMS key in a custom
 key store.øWhen you create a KMS key in an CloudHSM key store, KMS generates a
 non-exportable 256-bit symmetric key in its associated CloudHSM cluster
 and associates it with the KMS key. When you create a KMS key in an
 external key store, you must use the XksKeyIdÓ  parameter to specify an
 external key that serves as key material for the KMS key.Î amazonka-kmsInstead, use the KeySpec parameter.The KeySpec and CustomerMasterKeySpecÑ  parameters work the same way.
 Only the names differ. We recommend that you use KeySpecÜ  parameter in
 your code. However, to avoid breaking changes, KMS supports both
 parameters.Ï amazonka-kmsA description of the KMS key.Use a description that helps you decide whether the KMS key is
 appropriate for a task. The default value is an empty string (no
 description).Õ To set or change the description after the key is created, use
 UpdateKeyDescription.Ð amazonka-kms=Specifies the type of KMS key to create. The default value,
 SYMMETRIC_DEFAULTî, creates a KMS key with a 256-bit AES-GCM key that
 is used for encryption and decryption, except in China Regions, where it
 creates a 128-bit symmetric key that uses SM4 encryption. For help
 choosing a key spec for your KMS key, see
 Ö https://docs.aws.amazon.com/kms/latest/developerguide/key-types.html#symm-asymm-chooseChoosing a KMS key type

 in the /&Key Management Service Developer Guide/ .The KeySpec¨ determines whether the KMS key contains a symmetric key or
 an asymmetric key pair. It also determines the algorithms that the KMS
 key supports. You can't change the KeySpec¸ after the KMS key is
 created. To further restrict the algorithms that can be used with the
 KMS key, use a condition key in its key policy or IAM policy. For more
 information, see
 ð https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithmkms:EncryptionAlgorithm,
 é https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-mac-algorithmkms:MacAlgorithm
 or
 í https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithmkms:Signing Algorithm

 in the /&Key Management Service Developer Guide/ .;http://aws.amazon.com/kms/features/#AWS_Service_Integration9Amazon Web Services services that are integrated with KMSþ 
 use symmetric encryption KMS keys to protect your data. These services
 do not support asymmetric KMS keys or HMAC KMS keys.2KMS supports the following key specs for KMS keys:"Symmetric encryption key (default)SYMMETRIC_DEFAULTHMAC keys (symmetric)HMAC_224HMAC_256HMAC_384HMAC_512Asymmetric RSA key pairsRSA_2048RSA_3072RSA_40964Asymmetric NIST-recommended elliptic curve key pairsECC_NIST_P256 (secp256r1)ECC_NIST_P384 (secp384r1)ECC_NIST_P521 (secp521r1))Other asymmetric elliptic curve key pairsECC_SECG_P256K15 (secp256k1), commonly used for
    cryptocurrencies."SM2 key pairs (China Regions only)SM2Ñ amazonka-kmsDetermines the
 Ü https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operationscryptographic operations;
 for which you can use the KMS key. The default value is
 ENCRYPT_DECRYPT…. This parameter is optional when you are creating a
 symmetric encryption KMS key; otherwise, it is required. You can't
 change the KeyUsage$ value after the KMS key is created.Select only one valid value.Æ For symmetric encryption KMS keys, omit the parameter or specify
     ENCRYPT_DECRYPT.'For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC.<For asymmetric KMS keys with RSA key material, specify
     ENCRYPT_DECRYPT or SIGN_VERIFY.<For asymmetric KMS keys with ECC key material, specify
     SIGN_VERIFY.Ñ For asymmetric KMS keys with SM2 key material (China Regions only),
     specify ENCRYPT_DECRYPT or SIGN_VERIFY.Ò amazonka-kmsžCreates a multi-Region primary key that you can replicate into other
 Amazon Web Services Regions. You cannot change this value after you
 create the KMS key..For a multi-Region key, set this parameter to TrueÁ . For a
 single-Region KMS key, omit this parameter or set it to False. The
 default value is False.This operation supports multi-Region keysÃ, an KMS feature that lets
 you create multiple interoperable KMS keys in different Amazon Web
 Services Regions. Because these KMS keys have the same key ID, key
 material, and other metadata, you can use them interchangeably to
 encrypt data in one Amazon Web Services Region and decrypt it in a
 different Amazon Web Services Region without re-encrypting the data or
 making a cross-Region call. For more information about multi-Region
 keys, see
 Õ https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.htmlMulti-Region keys in KMS	
 in the &Key Management Service Developer Guide.This value creates a primary keyÌ , not a replica. To create a /replica
 key/, use the ReplicateKey operation.ÃYou can create a symmetric or asymmetric multi-Region key, and you can
 create a multi-Region key with imported key material. However, you
 cannot create a multi-Region key in a custom key store.Ó amazonka-kmsû The source of the key material for the KMS key. You cannot change the
 origin after you create the KMS key. The default is AWS_KMS1, which
 means that KMS creates the key material.To
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html%create a KMS key with no key material1
 (for imported key material), set this value to EXTERNALÄ . For more
 information about importing key material into KMS, see
 É https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.htmlImporting Key Material	
 in the &Key Management Service Developer Guide. The EXTERNAL4 origin
 value is valid only for symmetric KMS keys.To
 Î https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html)create a KMS key in an CloudHSM key storeÕ 
 and create its key material in the associated CloudHSM cluster, set this
 value to AWS_CLOUDHSM. You must also use the CustomKeyStoreId4
 parameter to identify the CloudHSM key store. The KeySpec value must
 be SYMMETRIC_DEFAULT.To
 Ê https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html)create a KMS key in an external key store,
 set this value to EXTERNAL_KEY_STORE. You must also use the
 CustomKeyStoreId7 parameter to identify the external key store and the
 XksKeyId9 parameter to identify the associated external key. The
 KeySpec value must be SYMMETRIC_DEFAULT.Ô amazonka-kms(The key policy to attach to the KMS key.Á If you provide a key policy, it must meet the following criteria:If you don't set BypassPolicyLockoutSafetyCheckÊ  to true, the key
     policy must allow the principal that is making the 	CreateKeyÇ
     request to make a subsequent PutKeyPolicy request on the KMS key.
     This reduces the risk that the KMS key becomes unmanageable. For
     more information, refer to the scenario in the
     ð https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iamDefault Key Policy
     section of the /&Key Management Service Developer Guide/ .¶Each statement in the key policy must contain one or more
     principals. The principals in the key policy must exist and be
     visible to KMS. When you create a new Amazon Web Services principal
     (for example, an IAM user or role), you might need to enforce a
     delay before including the new principal in a key policy because the
     new principal might not be immediately visible to KMS. For more
     information, see
     ô https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency6Changes that I make are not always immediately visibleÒ 
     in the /Amazon Web Services Identity and Access Management User
     Guide/.ò If you do not provide a key policy, KMS attaches a default key policy to
 the KMS key. For more information, see
 Ú https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-defaultDefault Key Policy	
 in the &Key Management Service Developer Guide.8The key policy size quota is 32 kilobytes (32768 bytes).Á For help writing and formatting a JSON policy document, see the
 È https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.htmlIAM JSON Policy Reference

 in the /)Identity and Access Management User Guide/ .Õ amazonka-kmsŸAssigns one or more tags to the KMS key. Use this parameter to tag the
 KMS key when it is created. To tag an existing KMS key, use the
 TagResource operation.ß Tagging or untagging a KMS key can allow or deny permission to the KMS
 key. For details, see
 ?https://docs.aws.amazon.com/kms/latest/developerguide/abac.htmlABAC for KMS	
 in the &Key Management Service Developer Guide.&To use this parameter, you must have
 Ø https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.htmlkms:TagResource
 permission in an IAM policy.ÕEach tag consists of a tag key and a tag value. Both the tag key and the
 tag value are required, but the tag value can be an empty (null) string.
 You cannot have more than one tag on a KMS key with the same tag key. If
 you specify an existing tag key with a different tag value, KMS replaces
 the current tag value with the specified one.áWhen you add tags to an Amazon Web Services resource, Amazon Web
 Services generates a cost allocation report with usage and costs
 aggregated by tags. Tags can also be used to control access to a KMS
 key. For details, see
 Ç https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.htmlTagging Keys.Ö amazonka-kmsIdentifies the
 á https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-keyexternal key5
 that serves as key material for the KMS key in an
 Ì https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.htmlexternal key store.
 Specify the ID that the
 Þ https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxyexternal key store proxyè 
 uses to refer to the external key. For help, see the documentation for
 your external key store proxy.1This parameter is required for a KMS key with an Origin value of
 EXTERNAL_KEY_STORE/. It is not valid for KMS keys with any other
 Origin value.ÆThe external key must be an existing 256-bit AES symmetric encryption
 key hosted outside of Amazon Web Services in an external key manager
 associated with the external key store specified by the
 CustomKeyStoreId· parameter. This key must be enabled and configured to
 perform encryption and decryption. Each KMS key in an external key store
 must use a different external key. For details, see
 Å https://docs.aws.amazon.com/create-xks-keys.html#xks-key-requirements3Requirements for a KMS key in an external key store	
 in the &Key Management Service Developer Guide.ÂEach KMS key in an external key store is associated two backing keys.
 One is key material that KMS generates. The other is the external key
 specified by this parameter. When you use the KMS key in an external key
 store to encrypt data, the encryption operation is performed first by
 KMS using the KMS key material, and then by the external key manager
 using the specified external key, a process known as /double
 encryption/. For details, see
 æ https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-double-encryptionDouble encryption	
 in the &Key Management Service Developer Guide.× amazonka-kmsCreate a value of  º" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¼,  Ø( - Metadata associated with the KMS key. ½,  Ù# - The response's http status code.Ø amazonka-kms%Metadata associated with the KMS key.Ù amazonka-kms The response's http status code.×  amazonka-kms ½ º»½¼¾¿ÃÉÁÂÄÅÆÇÀÈÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙ ¾¿ÃÉÁÂÄÅÆÇÀÈÊËÌÍÎÏÐÑÒÓÔÕÖº»½¼×ØÙ    J  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ò¤ê amazonka-kmsSee:  € smart constructor.ì amazonka-kms$The unique identifier for the grant.You can use the GrantId9 in a ListGrants, RetireGrant, or RevokeGrant
 operation.í amazonka-kmsThe grant token.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.î amazonka-kms The response's http status code.ï amazonka-kmsSee:  ø smart constructor.ñ amazonka-kmsSpecifies a grant constraint.KMS supports the EncryptionContextEquals and EncryptionContextSubset×
 grant constraints. Each constraint value can include up to 8 encryption
 context pairs. The encryption context value in each constraint cannot
 exceed 384 characters. For information about grant constraints, see
 â https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraintsUsing grant constraints	
 in the &Key Management Service Developer Guide7. For more information
 about encryption context, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context

 in the /&Key Management Service Developer Guide/ .‡The encryption context grant constraints allow the permissions in the
 grant only when the encryption context in the request matches
 (EncryptionContextEquals) or includes (EncryptionContextSubset6) the
 encryption context specified in this structure.À The encryption context grant constraints are supported only on
 Ø https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operationsgrant operations
 that include an EncryptionContext parameter, such as cryptographic
 operations on symmetric encryption KMS keys. Grants with grant
 constraints can include the DescribeKey and RetireGrant operations, but
 the constraint doesn't apply to these operations. If a grant with a
 grant constraint includes the CreateGrantÆ  operation, the constraint
 requires that any grants created with the CreateGrantÎ  permission have
 an equally strict or stricter encryption context constraint.¯You cannot use an encryption context grant constraint for cryptographic
 operations with asymmetric KMS keys or HMAC KMS keys. These keys don't
 support an encryption context.ò amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.ó amazonka-kmsA friendly name for the grant. Use this value to prevent the unintended
 creation of duplicate grants when retrying this request.When this value is absent, all CreateGrant/ requests result in a new
 grant with a unique GrantIdò  even if all the supplied parameters are
 identical. This can result in unintended duplicates when you retry the
 CreateGrant	 request.,When this value is present, you can retry a CreateGrantÐ  request with
 identical parameters; if the grant already exists, the original
 GrantIdä  is returned without creating a new grant. Note that the
 returned grant token is unique with every CreateGrant! request, even
 when a duplicate GrantIdÒ  is returned. All grant tokens for the same
 grant ID can be used interchangeably.ô amazonka-kmsØ The principal that has permission to use the RetireGrant operation to
 retire the grant.#To specify the principal, use the
 Ê https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.htmlAmazon Resource Name (ARN)÷
 of an Amazon Web Services principal. Valid Amazon Web Services
 principals include Amazon Web Services accounts (root), IAM users,
 federated users, and assumed role users. For examples of the ARN syntax
 to use for specifying a principal, see
 Ù https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam8Amazon Web Services Identity and Access Management (IAM)Î 
 in the Example ARNs section of the /Amazon Web Services General
 Reference/.¡The grant determines the retiring principal. Other principals might have
 permission to retire the grant or revoke the grant. For details, see
 RevokeGrant and
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-deleteRetiring and revoking grants	
 in the &Key Management Service Developer Guide.õ amazonka-kmsá Identifies the KMS key for the grant. The grant gives principals
 permission to use this KMS key.‰Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
 different Amazon Web Services account, you must use the key ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.ö amazonka-kms>The identity that gets the permissions specified in the grant.#To specify the principal, use the
 Ê https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.htmlAmazon Resource Name (ARN)‚
 of an Amazon Web Services principal. Valid Amazon Web Services
 principals include Amazon Web Services accounts (root), IAM users, IAM
 roles, federated users, and assumed role users. For examples of the ARN
 syntax to use for specifying a principal, see
 Ù https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam8Amazon Web Services Identity and Access Management (IAM)Î 
 in the Example ARNs section of the /Amazon Web Services General
 Reference/.÷ amazonka-kms,A list of operations that the grant permits.ÔThis list must include only operations that are permitted in a grant.
 Also, the operation must be supported on the KMS key. For example, you
 cannot create a grant for a symmetric encryption KMS key that allows the
 Sign operation, or a grant for an asymmetric KMS key that allows the
 GenerateDataKey operation. If you try, KMS returns a ValidationError
 exception. For details, see
 Ø https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operationsGrant operations	
 in the &Key Management Service Developer Guide.ø amazonka-kmsCreate a value of  ï" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ï,  ù  - Specifies a grant constraint.KMS supports the EncryptionContextEquals and EncryptionContextSubset×
 grant constraints. Each constraint value can include up to 8 encryption
 context pairs. The encryption context value in each constraint cannot
 exceed 384 characters. For information about grant constraints, see
 â https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraintsUsing grant constraints	
 in the &Key Management Service Developer Guide7. For more information
 about encryption context, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context

 in the /&Key Management Service Developer Guide/ .‡The encryption context grant constraints allow the permissions in the
 grant only when the encryption context in the request matches
 (EncryptionContextEquals) or includes (EncryptionContextSubset6) the
 encryption context specified in this structure.À The encryption context grant constraints are supported only on
 Ø https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operationsgrant operations
 that include an EncryptionContext parameter, such as cryptographic
 operations on symmetric encryption KMS keys. Grants with grant
 constraints can include the DescribeKey and RetireGrant operations, but
 the constraint doesn't apply to these operations. If a grant with a
 grant constraint includes the CreateGrantÆ  operation, the constraint
 requires that any grants created with the CreateGrantÎ  permission have
 an equally strict or stricter encryption context constraint.¯You cannot use an encryption context grant constraint for cryptographic
 operations with asymmetric KMS keys or HMAC KMS keys. These keys don't
 support an encryption context. ò,  ú - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. ï,  û„ - A friendly name for the grant. Use this value to prevent the unintended
 creation of duplicate grants when retrying this request.When this value is absent, all CreateGrant/ requests result in a new
 grant with a unique GrantIdò  even if all the supplied parameters are
 identical. This can result in unintended duplicates when you retry the
 CreateGrant	 request.,When this value is present, you can retry a CreateGrantÐ  request with
 identical parameters; if the grant already exists, the original
 GrantIdä  is returned without creating a new grant. Note that the
 returned grant token is unique with every CreateGrant! request, even
 when a duplicate GrantIdÒ  is returned. All grant tokens for the same
 grant ID can be used interchangeably. ï,  üÛ  - The principal that has permission to use the RetireGrant operation to
 retire the grant.#To specify the principal, use the
 Ê https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.htmlAmazon Resource Name (ARN)÷
 of an Amazon Web Services principal. Valid Amazon Web Services
 principals include Amazon Web Services accounts (root), IAM users,
 federated users, and assumed role users. For examples of the ARN syntax
 to use for specifying a principal, see
 Ù https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam8Amazon Web Services Identity and Access Management (IAM)Î 
 in the Example ARNs section of the /Amazon Web Services General
 Reference/.¡The grant determines the retiring principal. Other principals might have
 permission to retire the grant or revoke the grant. For details, see
 RevokeGrant and
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-deleteRetiring and revoking grants	
 in the &Key Management Service Developer Guide. ï,  ýä  - Identifies the KMS key for the grant. The grant gives principals
 permission to use this KMS key.‰Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
 different Amazon Web Services account, you must use the key ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. ï,  þÁ  - The identity that gets the permissions specified in the grant.#To specify the principal, use the
 Ê https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.htmlAmazon Resource Name (ARN)‚
 of an Amazon Web Services principal. Valid Amazon Web Services
 principals include Amazon Web Services accounts (root), IAM users, IAM
 roles, federated users, and assumed role users. For examples of the ARN
 syntax to use for specifying a principal, see
 Ù https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam8Amazon Web Services Identity and Access Management (IAM)Î 
 in the Example ARNs section of the /Amazon Web Services General
 Reference/. ï,  ÿ/ - A list of operations that the grant permits.ÔThis list must include only operations that are permitted in a grant.
 Also, the operation must be supported on the KMS key. For example, you
 cannot create a grant for a symmetric encryption KMS key that allows the
 Sign operation, or a grant for an asymmetric KMS key that allows the
 GenerateDataKey operation. If you try, KMS returns a ValidationError
 exception. For details, see
 Ø https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operationsGrant operations	
 in the &Key Management Service Developer Guide.ù amazonka-kmsSpecifies a grant constraint.KMS supports the EncryptionContextEquals and EncryptionContextSubset×
 grant constraints. Each constraint value can include up to 8 encryption
 context pairs. The encryption context value in each constraint cannot
 exceed 384 characters. For information about grant constraints, see
 â https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraintsUsing grant constraints	
 in the &Key Management Service Developer Guide7. For more information
 about encryption context, see
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_contextEncryption context

 in the /&Key Management Service Developer Guide/ .‡The encryption context grant constraints allow the permissions in the
 grant only when the encryption context in the request matches
 (EncryptionContextEquals) or includes (EncryptionContextSubset6) the
 encryption context specified in this structure.À The encryption context grant constraints are supported only on
 Ø https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operationsgrant operations
 that include an EncryptionContext parameter, such as cryptographic
 operations on symmetric encryption KMS keys. Grants with grant
 constraints can include the DescribeKey and RetireGrant operations, but
 the constraint doesn't apply to these operations. If a grant with a
 grant constraint includes the CreateGrantÆ  operation, the constraint
 requires that any grants created with the CreateGrantÎ  permission have
 an equally strict or stricter encryption context constraint.¯You cannot use an encryption context grant constraint for cryptographic
 operations with asymmetric KMS keys or HMAC KMS keys. These keys don't
 support an encryption context.ú amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.û amazonka-kmsA friendly name for the grant. Use this value to prevent the unintended
 creation of duplicate grants when retrying this request.When this value is absent, all CreateGrant/ requests result in a new
 grant with a unique GrantIdò  even if all the supplied parameters are
 identical. This can result in unintended duplicates when you retry the
 CreateGrant	 request.,When this value is present, you can retry a CreateGrantÐ  request with
 identical parameters; if the grant already exists, the original
 GrantIdä  is returned without creating a new grant. Note that the
 returned grant token is unique with every CreateGrant! request, even
 when a duplicate GrantIdÒ  is returned. All grant tokens for the same
 grant ID can be used interchangeably.ü amazonka-kmsØ The principal that has permission to use the RetireGrant operation to
 retire the grant.#To specify the principal, use the
 Ê https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.htmlAmazon Resource Name (ARN)÷
 of an Amazon Web Services principal. Valid Amazon Web Services
 principals include Amazon Web Services accounts (root), IAM users,
 federated users, and assumed role users. For examples of the ARN syntax
 to use for specifying a principal, see
 Ù https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam8Amazon Web Services Identity and Access Management (IAM)Î 
 in the Example ARNs section of the /Amazon Web Services General
 Reference/.¡The grant determines the retiring principal. Other principals might have
 permission to retire the grant or revoke the grant. For details, see
 RevokeGrant and
 Ô https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-deleteRetiring and revoking grants	
 in the &Key Management Service Developer Guide.ý amazonka-kmsá Identifies the KMS key for the grant. The grant gives principals
 permission to use this KMS key.‰Specify the key ID or key ARN of the KMS key. To specify a KMS key in a
 different Amazon Web Services account, you must use the key ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.þ amazonka-kms>The identity that gets the permissions specified in the grant.#To specify the principal, use the
 Ê https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.htmlAmazon Resource Name (ARN)‚
 of an Amazon Web Services principal. Valid Amazon Web Services
 principals include Amazon Web Services accounts (root), IAM users, IAM
 roles, federated users, and assumed role users. For examples of the ARN
 syntax to use for specifying a principal, see
 Ù https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam8Amazon Web Services Identity and Access Management (IAM)Î 
 in the Example ARNs section of the /Amazon Web Services General
 Reference/.ÿ amazonka-kms,A list of operations that the grant permits.ÔThis list must include only operations that are permitted in a grant.
 Also, the operation must be supported on the KMS key. For example, you
 cannot create a grant for a symmetric encryption KMS key that allows the
 Sign operation, or a grant for an asymmetric KMS key that allows the
 GenerateDataKey operation. If you try, KMS returns a ValidationError
 exception. For details, see
 Ø https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operationsGrant operations	
 in the &Key Management Service Developer Guide.€ amazonka-kmsCreate a value of  ê" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ê,  ' - The unique identifier for the grant.You can use the GrantId9 in a ListGrants, RetireGrant, or RevokeGrant
 operation. í,  ‚ - The grant token.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. î,  ƒ# - The response's http status code. amazonka-kms$The unique identifier for the grant.You can use the GrantId9 in a ListGrants, RetireGrant, or RevokeGrant
 operation.‚ amazonka-kmsThe grant token.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.ƒ amazonka-kms The response's http status code.ø  amazonka-kms ï amazonka-kms ï€  amazonka-kms îêëìîíïðóñöõ÷ôòøùúûüýþÿ€‚ƒïðóñöõ÷ôòøùúûüýþÿêëìîí€‚ƒ    K  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  Xw” amazonka-kmsSee:  ¯ smart constructor.– amazonka-kms1A unique identifier for the new custom key store.— amazonka-kms The response's http status code.˜ amazonka-kmsSee:  ¤ smart constructor.š amazonka-kmsò Identifies the CloudHSM cluster for an CloudHSM key store. This
 parameter is required for custom key stores with CustomKeyStoreType of
 AWS_CLOUDHSM.ŽEnter the cluster ID of any active CloudHSM cluster that is not already
 associated with a custom key store. To find the cluster ID, use the
 Ò https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.htmlDescribeClusters
 operation.› amazonka-kms>Specifies the type of custom key store. The default value is
 AWS_CLOUDHSM.Ó For a custom key store backed by an CloudHSM cluster, omit the parameter
 or enter AWS_CLOUDHSMâ . For a custom key store backed by an external
 key manager outside of Amazon Web Services, enter EXTERNAL_KEY_STOREÂ .
 You cannot change this property after the key store is created.œ amazonka-kmsSpecifies the kmsuserÞ  password for an CloudHSM key store. This
 parameter is required for custom key stores with a CustomKeyStoreType
 of AWS_CLOUDHSM.Enter the password of the
 Ý https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser kmsuser crypto user (CU) accountó 
 in the specified CloudHSM cluster. KMS logs into the cluster as this
 user to manage key material on your behalf.Ò The password must be a string of 7 to 32 characters. Its value is case
 sensitive.This parameter tells KMS the kmsuserÌ  account password; it does not
 change the password in the CloudHSM cluster. amazonka-kmsî Specifies the certificate for an CloudHSM key store. This parameter is
 required for custom key stores with a CustomKeyStoreType of
 AWS_CLOUDHSM.è Enter the content of the trust anchor certificate for the CloudHSM
 cluster. This is the content of the customerCA.crt" file that you
 created when you
 Í https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.htmlinitialized the cluster.ž amazonka-kms“Specifies an authentication credential for the external key store proxy
 (XKS proxy). This parameter is required for all custom key stores with a
 CustomKeyStoreType of EXTERNAL_KEY_STORE.The  XksProxyAuthenticationCredential has two required elements:
 RawSecretAccessKey, a secret key, and AccessKeyId, a unique
 identifier for the RawSecretAccessKey#. For character requirements, see
 Å kms/latest/APIReference/API_XksProxyAuthenticationCredentialType.html$XksProxyAuthenticationCredentialType.ÔKMS uses this authentication credential to sign requests to the external
 key store proxy on your behalf. This credential is unrelated to Identity
 and Access Management (IAM) and Amazon Web Services credentials.²This parameter doesn't set or change the authentication credentials on
 the XKS proxy. It just tells KMS the credential that you established on
 your external key store proxy. If you rotate your proxy authentication
 credential, use the UpdateCustomKeyStore operation to provide the new
 credential to KMS.Ÿ amazonka-kmsû Indicates how KMS communicates with the external key store proxy. This
 parameter is required for custom key stores with a CustomKeyStoreType
 of EXTERNAL_KEY_STORE.Á If the external key store proxy uses a public endpoint, specify
 PUBLIC_ENDPOINTë . If the external key store proxy uses a Amazon VPC
 endpoint service for communication with KMS, specify
 VPC_ENDPOINT_SERVICE$. For help making this choice, see
 ä https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivityChoosing a connectivity option	
 in the &Key Management Service Developer Guide.”An Amazon VPC endpoint service keeps your communication with KMS in a
 private address space entirely within Amazon Web Services, but it
 requires more configuration, including establishing a Amazon VPC with
 multiple subnets, a VPC endpoint service, a network load balancer, and a
 verified private DNS name. A public endpoint is simpler to set up, but
 it might be slower and might not fulfill your security requirements. You
 might consider testing with a public endpoint, and then establishing a
 VPC endpoint service for production tasks. Note that this choice does
 not determine the location of the external key store proxy. Even if you
 choose a VPC endpoint service, the proxy can be hosted within the VPC or
 outside of Amazon Web Services such as in your corporate data center.  amazonka-kmsSpecifies the endpoint that KMS uses to send requests to the external
 key store proxy (XKS proxy). This parameter is required for custom key
 stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE.Ú The protocol must be HTTPS. KMS communicates on port 443. Do not specify
 the port in the XksProxyUriEndpoint value.For external key stores with XksProxyConnectivity value of
 VPC_ENDPOINT_SERVICE
, specify https://? followed by the private DNS
 name of the VPC endpoint service.For external key stores with PUBLIC_ENDPOINTÉ connectivity, this
 endpoint must be reachable before you create the custom key store. KMS
 connects to the external key store proxy while creating the custom key
 store. For external key stores with VPC_ENDPOINT_SERVICEÏ  connectivity,
 KMS connects when you call the ConnectCustomKeyStore operation.,The value of this parameter must begin with https://ß . The remainder
 can contain upper and lower case letters (A-Z and a-z), numbers (0-9),
 dots (.), and hyphens (-). Additional slashes (/ and \) are
 not permitted.Uniqueness requirements:The combined XksProxyUriEndpoint and XksProxyUriPathÊ  values must
     be unique in the Amazon Web Services account and Region.An external key store with PUBLIC_ENDPOINT' connectivity cannot use
     the same XksProxyUriEndpoint* value as an external key store with
     VPC_ENDPOINT_SERVICE: connectivity in the same Amazon Web Services
     Region.Each external key store with VPC_ENDPOINT_SERVICE; connectivity
     must have its own private DNS name. The XksProxyUriEndpoint) value
     for external key stores with VPC_ENDPOINT_SERVICEè  connectivity
     (private DNS name) must be unique in the Amazon Web Services account
     and Region.¡ amazonka-kmsÓSpecifies the base path to the proxy APIs for this external key store.
 To find this value, see the documentation for your external key store
 proxy. This parameter is required for all custom key stores with a
 CustomKeyStoreType of EXTERNAL_KEY_STORE.The value must start with / and must end with /kms/xks/v1 where
 v1’ represents the version of the KMS external key store proxy API.
 This path can include an optional prefix between the required elements
 such as /prefix/kms/xks/v1.Uniqueness requirements:The combined XksProxyUriEndpoint and XksProxyUriPathÊ  values must
     be unique in the Amazon Web Services account and Region.¢ amazonka-kmsÊSpecifies the name of the Amazon VPC endpoint service for interface
 endpoints that is used to communicate with your external key store proxy
 (XKS proxy). This parameter is required when the value of
 CustomKeyStoreType is EXTERNAL_KEY_STORE and the value of
 XksProxyConnectivity is VPC_ENDPOINT_SERVICE.&The Amazon VPC endpoint service must
 ß https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirementsfulfill all requirements%
 for use with an external key store.Uniqueness requirements:External key stores with VPC_ENDPOINT_SERVICE‰ connectivity can
     share an Amazon VPC, but each external key store must have its own
     VPC endpoint service and private DNS name.£ amazonka-kms³Specifies a friendly name for the custom key store. The name must be
 unique in your Amazon Web Services account and Region. This parameter is
 required for all custom key stores.¤ amazonka-kmsCreate a value of  ˜" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ˜,  ¥õ  - Identifies the CloudHSM cluster for an CloudHSM key store. This
 parameter is required for custom key stores with CustomKeyStoreType of
 AWS_CLOUDHSM.ŽEnter the cluster ID of any active CloudHSM cluster that is not already
 associated with a custom key store. To find the cluster ID, use the
 Ò https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.htmlDescribeClusters
 operation. ˜,  ¦Á  - Specifies the type of custom key store. The default value is
 AWS_CLOUDHSM.Ó For a custom key store backed by an CloudHSM cluster, omit the parameter
 or enter AWS_CLOUDHSMâ . For a custom key store backed by an external
 key manager outside of Amazon Web Services, enter EXTERNAL_KEY_STOREÂ .
 You cannot change this property after the key store is created. œ,  § - Specifies the kmsuserÞ  password for an CloudHSM key store. This
 parameter is required for custom key stores with a CustomKeyStoreType
 of AWS_CLOUDHSM.Enter the password of the
 Ý https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser kmsuser crypto user (CU) accountó 
 in the specified CloudHSM cluster. KMS logs into the cluster as this
 user to manage key material on your behalf.Ò The password must be a string of 7 to 32 characters. Its value is case
 sensitive.This parameter tells KMS the kmsuserÌ  account password; it does not
 change the password in the CloudHSM cluster. ˜,  ¨ñ  - Specifies the certificate for an CloudHSM key store. This parameter is
 required for custom key stores with a CustomKeyStoreType of
 AWS_CLOUDHSM.è Enter the content of the trust anchor certificate for the CloudHSM
 cluster. This is the content of the customerCA.crt" file that you
 created when you
 Í https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.htmlinitialized the cluster. ž,  ©– - Specifies an authentication credential for the external key store proxy
 (XKS proxy). This parameter is required for all custom key stores with a
 CustomKeyStoreType of EXTERNAL_KEY_STORE.The  XksProxyAuthenticationCredential has two required elements:
 RawSecretAccessKey, a secret key, and AccessKeyId, a unique
 identifier for the RawSecretAccessKey#. For character requirements, see
 Å kms/latest/APIReference/API_XksProxyAuthenticationCredentialType.html$XksProxyAuthenticationCredentialType.ÔKMS uses this authentication credential to sign requests to the external
 key store proxy on your behalf. This credential is unrelated to Identity
 and Access Management (IAM) and Amazon Web Services credentials.²This parameter doesn't set or change the authentication credentials on
 the XKS proxy. It just tells KMS the credential that you established on
 your external key store proxy. If you rotate your proxy authentication
 credential, use the UpdateCustomKeyStore operation to provide the new
 credential to KMS. Ÿ,  ªþ  - Indicates how KMS communicates with the external key store proxy. This
 parameter is required for custom key stores with a CustomKeyStoreType
 of EXTERNAL_KEY_STORE.Á If the external key store proxy uses a public endpoint, specify
 PUBLIC_ENDPOINTë . If the external key store proxy uses a Amazon VPC
 endpoint service for communication with KMS, specify
 VPC_ENDPOINT_SERVICE$. For help making this choice, see
 ä https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivityChoosing a connectivity option	
 in the &Key Management Service Developer Guide.”An Amazon VPC endpoint service keeps your communication with KMS in a
 private address space entirely within Amazon Web Services, but it
 requires more configuration, including establishing a Amazon VPC with
 multiple subnets, a VPC endpoint service, a network load balancer, and a
 verified private DNS name. A public endpoint is simpler to set up, but
 it might be slower and might not fulfill your security requirements. You
 might consider testing with a public endpoint, and then establishing a
 VPC endpoint service for production tasks. Note that this choice does
 not determine the location of the external key store proxy. Even if you
 choose a VPC endpoint service, the proxy can be hosted within the VPC or
 outside of Amazon Web Services such as in your corporate data center.  ,  «  - Specifies the endpoint that KMS uses to send requests to the external
 key store proxy (XKS proxy). This parameter is required for custom key
 stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE.Ú The protocol must be HTTPS. KMS communicates on port 443. Do not specify
 the port in the XksProxyUriEndpoint value.For external key stores with XksProxyConnectivity value of
 VPC_ENDPOINT_SERVICE
, specify https://? followed by the private DNS
 name of the VPC endpoint service.For external key stores with PUBLIC_ENDPOINTÉ connectivity, this
 endpoint must be reachable before you create the custom key store. KMS
 connects to the external key store proxy while creating the custom key
 store. For external key stores with VPC_ENDPOINT_SERVICEÏ  connectivity,
 KMS connects when you call the ConnectCustomKeyStore operation.,The value of this parameter must begin with https://ß . The remainder
 can contain upper and lower case letters (A-Z and a-z), numbers (0-9),
 dots (.), and hyphens (-). Additional slashes (/ and \) are
 not permitted.Uniqueness requirements:The combined XksProxyUriEndpoint and XksProxyUriPathÊ  values must
     be unique in the Amazon Web Services account and Region.An external key store with PUBLIC_ENDPOINT' connectivity cannot use
     the same XksProxyUriEndpoint* value as an external key store with
     VPC_ENDPOINT_SERVICE: connectivity in the same Amazon Web Services
     Region.Each external key store with VPC_ENDPOINT_SERVICE; connectivity
     must have its own private DNS name. The XksProxyUriEndpoint) value
     for external key stores with VPC_ENDPOINT_SERVICEè  connectivity
     (private DNS name) must be unique in the Amazon Web Services account
     and Region. ¡,  ¬Ö - Specifies the base path to the proxy APIs for this external key store.
 To find this value, see the documentation for your external key store
 proxy. This parameter is required for all custom key stores with a
 CustomKeyStoreType of EXTERNAL_KEY_STORE.The value must start with / and must end with /kms/xks/v1 where
 v1’ represents the version of the KMS external key store proxy API.
 This path can include an optional prefix between the required elements
 such as /prefix/kms/xks/v1.Uniqueness requirements:The combined XksProxyUriEndpoint and XksProxyUriPathÊ  values must
     be unique in the Amazon Web Services account and Region. ¢,  ­Í - Specifies the name of the Amazon VPC endpoint service for interface
 endpoints that is used to communicate with your external key store proxy
 (XKS proxy). This parameter is required when the value of
 CustomKeyStoreType is EXTERNAL_KEY_STORE and the value of
 XksProxyConnectivity is VPC_ENDPOINT_SERVICE.&The Amazon VPC endpoint service must
 ß https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirementsfulfill all requirements%
 for use with an external key store.Uniqueness requirements:External key stores with VPC_ENDPOINT_SERVICE‰ connectivity can
     share an Amazon VPC, but each external key store must have its own
     VPC endpoint service and private DNS name. ˜,  ®¶ - Specifies a friendly name for the custom key store. The name must be
 unique in your Amazon Web Services account and Region. This parameter is
 required for all custom key stores.¥ amazonka-kmsò Identifies the CloudHSM cluster for an CloudHSM key store. This
 parameter is required for custom key stores with CustomKeyStoreType of
 AWS_CLOUDHSM.ŽEnter the cluster ID of any active CloudHSM cluster that is not already
 associated with a custom key store. To find the cluster ID, use the
 Ò https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.htmlDescribeClusters
 operation.¦ amazonka-kms>Specifies the type of custom key store. The default value is
 AWS_CLOUDHSM.Ó For a custom key store backed by an CloudHSM cluster, omit the parameter
 or enter AWS_CLOUDHSMâ . For a custom key store backed by an external
 key manager outside of Amazon Web Services, enter EXTERNAL_KEY_STOREÂ .
 You cannot change this property after the key store is created.§ amazonka-kmsSpecifies the kmsuserÞ  password for an CloudHSM key store. This
 parameter is required for custom key stores with a CustomKeyStoreType
 of AWS_CLOUDHSM.Enter the password of the
 Ý https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser kmsuser crypto user (CU) accountó 
 in the specified CloudHSM cluster. KMS logs into the cluster as this
 user to manage key material on your behalf.Ò The password must be a string of 7 to 32 characters. Its value is case
 sensitive.This parameter tells KMS the kmsuserÌ  account password; it does not
 change the password in the CloudHSM cluster.¨ amazonka-kmsî Specifies the certificate for an CloudHSM key store. This parameter is
 required for custom key stores with a CustomKeyStoreType of
 AWS_CLOUDHSM.è Enter the content of the trust anchor certificate for the CloudHSM
 cluster. This is the content of the customerCA.crt" file that you
 created when you
 Í https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.htmlinitialized the cluster.© amazonka-kms“Specifies an authentication credential for the external key store proxy
 (XKS proxy). This parameter is required for all custom key stores with a
 CustomKeyStoreType of EXTERNAL_KEY_STORE.The  XksProxyAuthenticationCredential has two required elements:
 RawSecretAccessKey, a secret key, and AccessKeyId, a unique
 identifier for the RawSecretAccessKey#. For character requirements, see
 Å kms/latest/APIReference/API_XksProxyAuthenticationCredentialType.html$XksProxyAuthenticationCredentialType.ÔKMS uses this authentication credential to sign requests to the external
 key store proxy on your behalf. This credential is unrelated to Identity
 and Access Management (IAM) and Amazon Web Services credentials.²This parameter doesn't set or change the authentication credentials on
 the XKS proxy. It just tells KMS the credential that you established on
 your external key store proxy. If you rotate your proxy authentication
 credential, use the UpdateCustomKeyStore operation to provide the new
 credential to KMS.ª amazonka-kmsû Indicates how KMS communicates with the external key store proxy. This
 parameter is required for custom key stores with a CustomKeyStoreType
 of EXTERNAL_KEY_STORE.Á If the external key store proxy uses a public endpoint, specify
 PUBLIC_ENDPOINTë . If the external key store proxy uses a Amazon VPC
 endpoint service for communication with KMS, specify
 VPC_ENDPOINT_SERVICE$. For help making this choice, see
 ä https://docs.aws.amazon.com/kms/latest/developerguide/plan-xks-keystore.html#choose-xks-connectivityChoosing a connectivity option	
 in the &Key Management Service Developer Guide.”An Amazon VPC endpoint service keeps your communication with KMS in a
 private address space entirely within Amazon Web Services, but it
 requires more configuration, including establishing a Amazon VPC with
 multiple subnets, a VPC endpoint service, a network load balancer, and a
 verified private DNS name. A public endpoint is simpler to set up, but
 it might be slower and might not fulfill your security requirements. You
 might consider testing with a public endpoint, and then establishing a
 VPC endpoint service for production tasks. Note that this choice does
 not determine the location of the external key store proxy. Even if you
 choose a VPC endpoint service, the proxy can be hosted within the VPC or
 outside of Amazon Web Services such as in your corporate data center.« amazonka-kmsSpecifies the endpoint that KMS uses to send requests to the external
 key store proxy (XKS proxy). This parameter is required for custom key
 stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE.Ú The protocol must be HTTPS. KMS communicates on port 443. Do not specify
 the port in the XksProxyUriEndpoint value.For external key stores with XksProxyConnectivity value of
 VPC_ENDPOINT_SERVICE
, specify https://? followed by the private DNS
 name of the VPC endpoint service.For external key stores with PUBLIC_ENDPOINTÉ connectivity, this
 endpoint must be reachable before you create the custom key store. KMS
 connects to the external key store proxy while creating the custom key
 store. For external key stores with VPC_ENDPOINT_SERVICEÏ  connectivity,
 KMS connects when you call the ConnectCustomKeyStore operation.,The value of this parameter must begin with https://ß . The remainder
 can contain upper and lower case letters (A-Z and a-z), numbers (0-9),
 dots (.), and hyphens (-). Additional slashes (/ and \) are
 not permitted.Uniqueness requirements:The combined XksProxyUriEndpoint and XksProxyUriPathÊ  values must
     be unique in the Amazon Web Services account and Region.An external key store with PUBLIC_ENDPOINT' connectivity cannot use
     the same XksProxyUriEndpoint* value as an external key store with
     VPC_ENDPOINT_SERVICE: connectivity in the same Amazon Web Services
     Region.Each external key store with VPC_ENDPOINT_SERVICE; connectivity
     must have its own private DNS name. The XksProxyUriEndpoint) value
     for external key stores with VPC_ENDPOINT_SERVICEè  connectivity
     (private DNS name) must be unique in the Amazon Web Services account
     and Region.¬ amazonka-kmsÓSpecifies the base path to the proxy APIs for this external key store.
 To find this value, see the documentation for your external key store
 proxy. This parameter is required for all custom key stores with a
 CustomKeyStoreType of EXTERNAL_KEY_STORE.The value must start with / and must end with /kms/xks/v1 where
 v1’ represents the version of the KMS external key store proxy API.
 This path can include an optional prefix between the required elements
 such as /prefix/kms/xks/v1.Uniqueness requirements:The combined XksProxyUriEndpoint and XksProxyUriPathÊ  values must
     be unique in the Amazon Web Services account and Region.­ amazonka-kmsÊSpecifies the name of the Amazon VPC endpoint service for interface
 endpoints that is used to communicate with your external key store proxy
 (XKS proxy). This parameter is required when the value of
 CustomKeyStoreType is EXTERNAL_KEY_STORE and the value of
 XksProxyConnectivity is VPC_ENDPOINT_SERVICE.&The Amazon VPC endpoint service must
 ß https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirementsfulfill all requirements%
 for use with an external key store.Uniqueness requirements:External key stores with VPC_ENDPOINT_SERVICE‰ connectivity can
     share an Amazon VPC, but each external key store must have its own
     VPC endpoint service and private DNS name.® amazonka-kms³Specifies a friendly name for the custom key store. The name must be
 unique in your Amazon Web Services account and Region. This parameter is
 required for all custom key stores.¯ amazonka-kmsCreate a value of  ”" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ”,  °4 - A unique identifier for the new custom key store. —,  ±# - The response's http status code.° amazonka-kms1A unique identifier for the new custom key store.± amazonka-kms The response's http status code.¤  amazonka-kms ˜¯  amazonka-kms —”•–—˜™š£›œžŸ ¡¢¤¥¦§¨©ª«¬­®¯°±˜™š£›œžŸ ¡¢¤¥¦§¨©ª«¬­®”•–—¯°±    L  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  mÁ amazonka-kmsSee:  Ê smart constructor.Ã amazonka-kmsSee:  Ç smart constructor.Å amazonka-kms5Specifies the alias name. This value must begin with alias/ followed
 by a name, such as alias/ExampleAlias.The 	AliasName± value must be string of 1-256 characters. It can contain
 only alphanumeric characters, forward slashes (/), underscores (_), and
 dashes (-). The alias name cannot begin with 
alias/aws/. The
 
alias/aws/ prefix is reserved for
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk Amazon Web Services managed keys.Æ amazonka-kms)Associates the alias with the specified
 Ð https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmkcustomer managed key>.
 The KMS key must be in the same Amazon Web Services Region.é A valid key ID is required. If you supply a null or empty string value,
 this operation returns an error.*For help finding the key ID and ARN, see
 × https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arnFinding the Key ID and ARN

 in the /&Key Management Service Developer Guide/ .-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ç amazonka-kmsCreate a value of  Ã" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Ã,  È8 - Specifies the alias name. This value must begin with alias/ followed
 by a name, such as alias/ExampleAlias.The 	AliasName± value must be string of 1-256 characters. It can contain
 only alphanumeric characters, forward slashes (/), underscores (_), and
 dashes (-). The alias name cannot begin with 
alias/aws/. The
 
alias/aws/ prefix is reserved for
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk Amazon Web Services managed keys. Ã,  É, - Associates the alias with the specified
 Ð https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmkcustomer managed key>.
 The KMS key must be in the same Amazon Web Services Region.é A valid key ID is required. If you supply a null or empty string value,
 this operation returns an error.*For help finding the key ID and ARN, see
 × https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arnFinding the Key ID and ARN

 in the /&Key Management Service Developer Guide/ .-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.È amazonka-kms5Specifies the alias name. This value must begin with alias/ followed
 by a name, such as alias/ExampleAlias.The 	AliasName± value must be string of 1-256 characters. It can contain
 only alphanumeric characters, forward slashes (/), underscores (_), and
 dashes (-). The alias name cannot begin with 
alias/aws/. The
 
alias/aws/ prefix is reserved for
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk Amazon Web Services managed keys.É amazonka-kms)Associates the alias with the specified
 Ð https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmkcustomer managed key>.
 The KMS key must be in the same Amazon Web Services Region.é A valid key ID is required. If you supply a null or empty string value,
 this operation returns an error.*For help finding the key ID and ARN, see
 × https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arnFinding the Key ID and ARN

 in the /&Key Management Service Developer Guide/ .-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ê amazonka-kmsCreate a value of  Á" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.Ç  amazonka-kms Ã amazonka-kms Ã
ÁÂÃÄÅÆÇÈÉÊ
ÃÄÅÆÇÈÉÁÂÊ    M  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  tÛ amazonka-kmsSee:  ã smart constructor.Ý amazonka-kms The response's http status code.Þ amazonka-kmsSee:  á smart constructor.à amazonka-kms›Enter the key store ID of the custom key store that you want to connect.
 To find the ID of a custom key store, use the DescribeCustomKeyStores
 operation.á amazonka-kmsCreate a value of  Þ" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Þ,  âž - Enter the key store ID of the custom key store that you want to connect.
 To find the ID of a custom key store, use the DescribeCustomKeyStores
 operation.â amazonka-kms›Enter the key store ID of the custom key store that you want to connect.
 To find the ID of a custom key store, use the DescribeCustomKeyStores
 operation.ã amazonka-kmsCreate a value of  Û" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Ý,  ä# - The response's http status code.ä amazonka-kms The response's http status code.á  amazonka-kms Þã  amazonka-kms Ý
ÛÜÝÞßàáâãä
ÞßàáâÛÜÝãä    N  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ‘
õ amazonka-kmsSee:  þ smart constructor.÷ amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN-)
 of the KMS key whose deletion is canceled.ø amazonka-kms The response's http status code.ù amazonka-kmsSee:  ü smart constructor.û amazonka-kms8Identifies the KMS key whose deletion is being canceled.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.ü amazonka-kmsCreate a value of  ù" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ù,  ý; - Identifies the KMS key whose deletion is being canceled.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.ý amazonka-kms8Identifies the KMS key whose deletion is being canceled.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.þ amazonka-kmsCreate a value of  õ" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ù,  ÿ - The Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN-)
 of the KMS key whose deletion is canceled. ø,  €# - The response's http status code.ÿ amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARN-)
 of the KMS key whose deletion is canceled.€ amazonka-kms The response's http status code.ü  amazonka-kms ùþ  amazonka-kms øõö÷øùúûüýþÿ€ùúûüýõö÷øþÿ€    O  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ˆÃ‘ amazonka-kmsSee:  š smart constructor.“ amazonka-kmsSee:  — smart constructor.• amazonka-kms8Identifies the KMS key from which you are removing tags.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.– amazonka-kmsÄ One or more tag keys. Specify only the tag keys, not the tag values.— amazonka-kmsCreate a value of  “" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: “,  ˜; - Identifies the KMS key from which you are removing tags.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. –,  ™Ç  - One or more tag keys. Specify only the tag keys, not the tag values.˜ amazonka-kms8Identifies the KMS key from which you are removing tags.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.™ amazonka-kmsÄ One or more tag keys. Specify only the tag keys, not the tag values.š amazonka-kmsCreate a value of  ‘" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.—  amazonka-kms “
‘’“”•–—˜™š
“”•–—˜™‘’š    P  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  ›« amazonka-kmsSee:  ´ smart constructor.­ amazonka-kmsSee:  ± smart constructor.¯ amazonka-kmsÏ Identifies the alias that is changing its KMS key. This value must begin
 with alias/& followed by the alias name, such as
 alias/ExampleAlias. You cannot use UpdateAlias to change the alias
 name.° amazonka-kmsIdentifies the
 Ð https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmkcustomer managed keyÙ 
 to associate with the alias. You don't have permission to associate an
 alias with an
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmkAmazon Web Services managed key.€The KMS key must be in the same Amazon Web Services account and Region
 as the alias. Also, the new target KMS key must be the same type as the
 current target KMS key (both symmetric or both asymmetric or both HMAC)
 and they must have the same key usage.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ì To verify that the alias is mapped to the correct KMS key, use
 ListAliases.± amazonka-kmsCreate a value of  ­" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ­,  ²Ò  - Identifies the alias that is changing its KMS key. This value must begin
 with alias/& followed by the alias name, such as
 alias/ExampleAlias. You cannot use UpdateAlias to change the alias
 name. ­,  ³ - Identifies the
 Ð https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmkcustomer managed keyÙ 
 to associate with the alias. You don't have permission to associate an
 alias with an
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmkAmazon Web Services managed key.€The KMS key must be in the same Amazon Web Services account and Region
 as the alias. Also, the new target KMS key must be the same type as the
 current target KMS key (both symmetric or both asymmetric or both HMAC)
 and they must have the same key usage.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ì To verify that the alias is mapped to the correct KMS key, use
 ListAliases.² amazonka-kmsÏ Identifies the alias that is changing its KMS key. This value must begin
 with alias/& followed by the alias name, such as
 alias/ExampleAlias. You cannot use UpdateAlias to change the alias
 name.³ amazonka-kmsIdentifies the
 Ð https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmkcustomer managed keyÙ 
 to associate with the alias. You don't have permission to associate an
 alias with an
 Ó https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmkAmazon Web Services managed key.€The KMS key must be in the same Amazon Web Services account and Region
 as the alias. Also, the new target KMS key must be the same type as the
 current target KMS key (both symmetric or both asymmetric or both HMAC)
 and they must have the same key usage.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.Ì To verify that the alias is mapped to the correct KMS key, use
 ListAliases.´ amazonka-kmsCreate a value of  «" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.±  amazonka-kms ­ amazonka-kms ­
«¬­®¯°±²³´
­®¯°±²³«¬´    Q  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  áÅ amazonka-kmsSee:  Ý smart constructor.Ç amazonka-kms The response's http status code.È amazonka-kmsSee:  Ó smart constructor.Ê amazonka-kmsý Associates the custom key store with a related CloudHSM cluster. This
 parameter is valid only for custom key stores with a
 CustomKeyStoreType of AWS_CLOUDHSM.ÁEnter the cluster ID of the cluster that you used to create the custom
 key store or a cluster that shares a backup history and has the same
 cluster certificate as the original cluster. You cannot use this
 parameter to associate a custom key store with an unrelated cluster. In
 addition, the replacement cluster must
 Ú https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystorefulfill the requirementsì 
 for a cluster associated with a custom key store. To view the cluster
 certificate of a cluster, use the
 Ò https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.htmlDescribeClusters
 operation.Â To change this value, the CloudHSM key store must be disconnected.Ë amazonka-kms"Enter the current password of the kmsuser• crypto user (CU) in the
 CloudHSM cluster that is associated with the custom key store. This
 parameter is valid only for custom key stores with a
 CustomKeyStoreType of AWS_CLOUDHSM.5This parameter tells KMS the current password of the kmsuserá  crypto
 user (CU). It does not set or change the password of any users in the
 CloudHSM cluster.Â To change this value, the CloudHSM key store must be disconnected.Ì amazonka-kmsŸChanges the friendly name of the custom key store to the value that you
 specify. The custom key store name must be unique in the Amazon Web
 Services account.ú To change this value, an CloudHSM key store must be disconnected. An
 external key store can be connected or disconnected.Í amazonka-kms Changes the credentials that KMS uses to sign requests to the external
 key store proxy (XKS proxy). This parameter is valid only for custom key
 stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE.You must specify both the AccessKeyId and SecretAccessKeyÒ  value in
 the authentication credential, even if you are only updating one value.¾This parameter doesn't establish or change your authentication
 credentials on the proxy. It just tells KMS the credential that you
 established with your external key store proxy. For example, if you
 rotate the credential on your external key store proxy, you can use this
 parameter to update the credential in KMS.Ô You can change this value when the external key store is connected or
 disconnected.Î amazonka-kms±Changes the connectivity setting for the external key store. To indicate
 that the external key store proxy uses a Amazon VPC endpoint service to
 communicate with KMS, specify VPC_ENDPOINT_SERVICE. Otherwise, specify
 PUBLIC_ENDPOINT.If you change the XksProxyConnectivity to VPC_ENDPOINT_SERVICE, you
 must also change the XksProxyUriEndpoint and add an
 XksProxyVpcEndpointServiceName value.If you change the XksProxyConnectivity to PUBLIC_ENDPOINT, you must
 also change the XksProxyUriEndpoint- and specify a null or empty string
 for the XksProxyVpcEndpointServiceName value.Â To change this value, the external key store must be disconnected.Ï amazonka-kmsœChanges the URI endpoint that KMS uses to connect to your external key
 store proxy (XKS proxy). This parameter is valid only for custom key
 stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE. For external key stores with an XksProxyConnectivity value of
 PUBLIC_ENDPOINT, the protocol must be HTTPS. For external key stores with an XksProxyConnectivity value of
 VPC_ENDPOINT_SERVICE
, specify https://Œ followed by the private DNS
 name associated with the VPC endpoint service. Each external key store
 must use a different private DNS name.The combined XksProxyUriEndpoint and XksProxyUriPathÆ  values must be
 unique in the Amazon Web Services account and Region.Â To change this value, the external key store must be disconnected.Ð amazonka-kmsôChanges the base path to the proxy APIs for this external key store. To
 find this value, see the documentation for your external key manager and
 external key store proxy (XKS proxy). This parameter is valid only for
 custom key stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE.The value must start with / and must end with /kms/xks/v1	, where
 v1Œ represents the version of the KMS external key store proxy API. You
 can include an optional prefix between the required elements such as
 /example/kms/xks/v1.The combined XksProxyUriEndpoint and XksProxyUriPathÆ  values must be
 unique in the Amazon Web Services account and Region.Ô You can change this value when the external key store is connected or
 disconnected.Ñ amazonka-kmsChanges the name that KMS uses to identify the Amazon VPC endpoint
 service for your external key store proxy (XKS proxy). This parameter is
 valid when the CustomKeyStoreType is EXTERNAL_KEY_STORE
 and the
 XksProxyConnectivity is VPC_ENDPOINT_SERVICE.Â To change this value, the external key store must be disconnected.Ò amazonka-kms±Identifies the custom key store that you want to update. Enter the ID of
 the custom key store. To find the ID of a custom key store, use the
 DescribeCustomKeyStores operation.Ó amazonka-kmsCreate a value of  È" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: È,  Ô€ - Associates the custom key store with a related CloudHSM cluster. This
 parameter is valid only for custom key stores with a
 CustomKeyStoreType of AWS_CLOUDHSM.ÁEnter the cluster ID of the cluster that you used to create the custom
 key store or a cluster that shares a backup history and has the same
 cluster certificate as the original cluster. You cannot use this
 parameter to associate a custom key store with an unrelated cluster. In
 addition, the replacement cluster must
 Ú https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystorefulfill the requirementsì 
 for a cluster associated with a custom key store. To view the cluster
 certificate of a cluster, use the
 Ò https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.htmlDescribeClusters
 operation.Â To change this value, the CloudHSM key store must be disconnected. Ë,  Õ% - Enter the current password of the kmsuser• crypto user (CU) in the
 CloudHSM cluster that is associated with the custom key store. This
 parameter is valid only for custom key stores with a
 CustomKeyStoreType of AWS_CLOUDHSM.5This parameter tells KMS the current password of the kmsuserá  crypto
 user (CU). It does not set or change the password of any users in the
 CloudHSM cluster.Â To change this value, the CloudHSM key store must be disconnected. Ì,  Ö¢ - Changes the friendly name of the custom key store to the value that you
 specify. The custom key store name must be unique in the Amazon Web
 Services account.ú To change this value, an CloudHSM key store must be disconnected. An
 external key store can be connected or disconnected. Í,  ×£ - Changes the credentials that KMS uses to sign requests to the external
 key store proxy (XKS proxy). This parameter is valid only for custom key
 stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE.You must specify both the AccessKeyId and SecretAccessKeyÒ  value in
 the authentication credential, even if you are only updating one value.¾This parameter doesn't establish or change your authentication
 credentials on the proxy. It just tells KMS the credential that you
 established with your external key store proxy. For example, if you
 rotate the credential on your external key store proxy, you can use this
 parameter to update the credential in KMS.Ô You can change this value when the external key store is connected or
 disconnected. Î,  Ø´ - Changes the connectivity setting for the external key store. To indicate
 that the external key store proxy uses a Amazon VPC endpoint service to
 communicate with KMS, specify VPC_ENDPOINT_SERVICE. Otherwise, specify
 PUBLIC_ENDPOINT.If you change the XksProxyConnectivity to VPC_ENDPOINT_SERVICE, you
 must also change the XksProxyUriEndpoint and add an
 XksProxyVpcEndpointServiceName value.If you change the XksProxyConnectivity to PUBLIC_ENDPOINT, you must
 also change the XksProxyUriEndpoint- and specify a null or empty string
 for the XksProxyVpcEndpointServiceName value.Â To change this value, the external key store must be disconnected. Ï,  ÙŸ - Changes the URI endpoint that KMS uses to connect to your external key
 store proxy (XKS proxy). This parameter is valid only for custom key
 stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE. For external key stores with an XksProxyConnectivity value of
 PUBLIC_ENDPOINT, the protocol must be HTTPS. For external key stores with an XksProxyConnectivity value of
 VPC_ENDPOINT_SERVICE
, specify https://Œ followed by the private DNS
 name associated with the VPC endpoint service. Each external key store
 must use a different private DNS name.The combined XksProxyUriEndpoint and XksProxyUriPathÆ  values must be
 unique in the Amazon Web Services account and Region.Â To change this value, the external key store must be disconnected. Ð,  Ú÷ - Changes the base path to the proxy APIs for this external key store. To
 find this value, see the documentation for your external key manager and
 external key store proxy (XKS proxy). This parameter is valid only for
 custom key stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE.The value must start with / and must end with /kms/xks/v1	, where
 v1Œ represents the version of the KMS external key store proxy API. You
 can include an optional prefix between the required elements such as
 /example/kms/xks/v1.The combined XksProxyUriEndpoint and XksProxyUriPathÆ  values must be
 unique in the Amazon Web Services account and Region.Ô You can change this value when the external key store is connected or
 disconnected. Ñ,  Û  - Changes the name that KMS uses to identify the Amazon VPC endpoint
 service for your external key store proxy (XKS proxy). This parameter is
 valid when the CustomKeyStoreType is EXTERNAL_KEY_STORE
 and the
 XksProxyConnectivity is VPC_ENDPOINT_SERVICE.Â To change this value, the external key store must be disconnected. È,  Ü´ - Identifies the custom key store that you want to update. Enter the ID of
 the custom key store. To find the ID of a custom key store, use the
 DescribeCustomKeyStores operation.Ô amazonka-kmsý Associates the custom key store with a related CloudHSM cluster. This
 parameter is valid only for custom key stores with a
 CustomKeyStoreType of AWS_CLOUDHSM.ÁEnter the cluster ID of the cluster that you used to create the custom
 key store or a cluster that shares a backup history and has the same
 cluster certificate as the original cluster. You cannot use this
 parameter to associate a custom key store with an unrelated cluster. In
 addition, the replacement cluster must
 Ú https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystorefulfill the requirementsì 
 for a cluster associated with a custom key store. To view the cluster
 certificate of a cluster, use the
 Ò https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.htmlDescribeClusters
 operation.Â To change this value, the CloudHSM key store must be disconnected.Õ amazonka-kms"Enter the current password of the kmsuser• crypto user (CU) in the
 CloudHSM cluster that is associated with the custom key store. This
 parameter is valid only for custom key stores with a
 CustomKeyStoreType of AWS_CLOUDHSM.5This parameter tells KMS the current password of the kmsuserá  crypto
 user (CU). It does not set or change the password of any users in the
 CloudHSM cluster.Â To change this value, the CloudHSM key store must be disconnected.Ö amazonka-kmsŸChanges the friendly name of the custom key store to the value that you
 specify. The custom key store name must be unique in the Amazon Web
 Services account.ú To change this value, an CloudHSM key store must be disconnected. An
 external key store can be connected or disconnected.× amazonka-kms Changes the credentials that KMS uses to sign requests to the external
 key store proxy (XKS proxy). This parameter is valid only for custom key
 stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE.You must specify both the AccessKeyId and SecretAccessKeyÒ  value in
 the authentication credential, even if you are only updating one value.¾This parameter doesn't establish or change your authentication
 credentials on the proxy. It just tells KMS the credential that you
 established with your external key store proxy. For example, if you
 rotate the credential on your external key store proxy, you can use this
 parameter to update the credential in KMS.Ô You can change this value when the external key store is connected or
 disconnected.Ø amazonka-kms±Changes the connectivity setting for the external key store. To indicate
 that the external key store proxy uses a Amazon VPC endpoint service to
 communicate with KMS, specify VPC_ENDPOINT_SERVICE. Otherwise, specify
 PUBLIC_ENDPOINT.If you change the XksProxyConnectivity to VPC_ENDPOINT_SERVICE, you
 must also change the XksProxyUriEndpoint and add an
 XksProxyVpcEndpointServiceName value.If you change the XksProxyConnectivity to PUBLIC_ENDPOINT, you must
 also change the XksProxyUriEndpoint- and specify a null or empty string
 for the XksProxyVpcEndpointServiceName value.Â To change this value, the external key store must be disconnected.Ù amazonka-kmsœChanges the URI endpoint that KMS uses to connect to your external key
 store proxy (XKS proxy). This parameter is valid only for custom key
 stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE. For external key stores with an XksProxyConnectivity value of
 PUBLIC_ENDPOINT, the protocol must be HTTPS. For external key stores with an XksProxyConnectivity value of
 VPC_ENDPOINT_SERVICE
, specify https://Œ followed by the private DNS
 name associated with the VPC endpoint service. Each external key store
 must use a different private DNS name.The combined XksProxyUriEndpoint and XksProxyUriPathÆ  values must be
 unique in the Amazon Web Services account and Region.Â To change this value, the external key store must be disconnected.Ú amazonka-kmsôChanges the base path to the proxy APIs for this external key store. To
 find this value, see the documentation for your external key manager and
 external key store proxy (XKS proxy). This parameter is valid only for
 custom key stores with a CustomKeyStoreType of EXTERNAL_KEY_STORE.The value must start with / and must end with /kms/xks/v1	, where
 v1Œ represents the version of the KMS external key store proxy API. You
 can include an optional prefix between the required elements such as
 /example/kms/xks/v1.The combined XksProxyUriEndpoint and XksProxyUriPathÆ  values must be
 unique in the Amazon Web Services account and Region.Ô You can change this value when the external key store is connected or
 disconnected.Û amazonka-kmsChanges the name that KMS uses to identify the Amazon VPC endpoint
 service for your external key store proxy (XKS proxy). This parameter is
 valid when the CustomKeyStoreType is EXTERNAL_KEY_STORE
 and the
 XksProxyConnectivity is VPC_ENDPOINT_SERVICE.Â To change this value, the external key store must be disconnected.Ü amazonka-kms±Identifies the custom key store that you want to update. Enter the ID of
 the custom key store. To find the ID of a custom key store, use the
 DescribeCustomKeyStores operation.Ý amazonka-kmsCreate a value of  Å" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Ç,  Þ# - The response's http status code.Þ amazonka-kms The response's http status code.Ó  amazonka-kms ÈÝ  amazonka-kms ÇÅÆÇÈÉÊÒËÍÎÏÐÑÌÓÔÕÖ×ØÙÚÛÜÝÞÈÉÊÒËÍÎÏÐÑÌÓÔÕÖ×ØÙÚÛÜÅÆÇÝÞ    R  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  êî amazonka-kmsSee:  ÷ smart constructor.ð amazonka-kmsSee:  ô smart constructor.ò amazonka-kms1Updates the description of the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.ó amazonka-kms New description for the KMS key.ô amazonka-kmsCreate a value of  ð" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ð,  õ4 - Updates the description of the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. ð,  ö# - New description for the KMS key.õ amazonka-kms1Updates the description of the specified KMS key.-Specify the key ID or key ARN of the KMS key.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey.ö amazonka-kms New description for the KMS key.÷ amazonka-kmsCreate a value of  î" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ô  amazonka-kms ð amazonka-kms ð
îïðñóòôõö÷
ðñóòôõöîï÷    S  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  öqˆ amazonka-kmsSee:  ‘ smart constructor.Š amazonka-kmsSee:  Ž smart constructor.Œ amazonka-kmsæ Identifies the current primary key. When the operation completes, this
 KMS key will be a replica key.<Specify the key ID or key ARN of a multi-Region primary key.For example:Key ID: $mrk-1234abcd12ab34cd56ef1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. amazonka-kmsÕ The Amazon Web Services Region of the new primary key. Enter the Region
 ID, such as 	us-east-1 or ap-southeast-28. There must be an existing
 replica key in this Region.Û When the operation completes, the multi-Region key in this Region will
 be the primary key.Ž amazonka-kmsCreate a value of  Š" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Š,  é  - Identifies the current primary key. When the operation completes, this
 KMS key will be a replica key.<Specify the key ID or key ARN of a multi-Region primary key.For example:Key ID: $mrk-1234abcd12ab34cd56ef1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. ,  Ø  - The Amazon Web Services Region of the new primary key. Enter the Region
 ID, such as 	us-east-1 or ap-southeast-28. There must be an existing
 replica key in this Region.Û When the operation completes, the multi-Region key in this Region will
 be the primary key. amazonka-kmsæ Identifies the current primary key. When the operation completes, this
 KMS key will be a replica key.<Specify the key ID or key ARN of a multi-Region primary key.For example:Key ID: $mrk-1234abcd12ab34cd56ef1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890abÊ To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. amazonka-kmsÕ The Amazon Web Services Region of the new primary key. Enter the Region
 ID, such as 	us-east-1 or ap-southeast-28. There must be an existing
 replica key in this Region.Û When the operation completes, the multi-Region key in this Region will
 be the primary key.‘ amazonka-kmsCreate a value of  ˆ" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.Ž  amazonka-kms Š amazonka-kms 
ˆ‰Š‹ŒŽ‘
Š‹ŒŽˆ‰‘    T  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  %<¢ amazonka-kmsSee:  · smart constructor.¤ amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARNÃ )
 of the asymmetric KMS key that was used to verify the signature.¥ amazonka-kmsÏ A Boolean value that indicates whether the signature was verified. A
 value of True indicates that the 	Signature was produced by signing
 the Message with the specified KeyID and SigningAlgorithm.( If the
 signature is not verified, the Verify operation fails with a
 KMSInvalidSignatureException exception.¦ amazonka-kms<The signing algorithm that was used to verify the signature.§ amazonka-kms The response's http status code.¨ amazonka-kmsSee:  ° smart constructor.ª amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.« amazonka-kms#Tells KMS whether the value of the Messageþ  parameter is a message or
 message digest. The default value, RAW, indicates a message. To indicate
 a message digest, enter DIGEST.Use the DIGEST" value only when the value of the Message0 parameter is
 a message digest. If you use the DIGESTÚ  value with a raw message, the
 security of the verification operation can be compromised.¬ amazonka-kmsÜIdentifies the asymmetric KMS key that will be used to verify the
 signature. This must be the same KMS key that was used to generate the
 signature. If you specify a different KMS key, the signature
 verification fails.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.­ amazonka-kmsœSpecifies the message that was signed. You can submit a raw message of
 up to 4096 bytes, or a hash digest of the message. If you submit a
 digest, use the MessageType parameter with a value of DIGEST.µIf the message specified here is different from the message that was
 signed, the signature verification fails. A message and its hash digest
 are considered to be the same message.® amazonka-kmsThe signature that the Sign operation generated.¯ amazonka-kms€The signing algorithm that was used to sign the message. If you submit a
 different algorithm, the signature verification fails.° amazonka-kmsCreate a value of  ¨" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ª,  ± - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. «,  ²& - Tells KMS whether the value of the Messageþ  parameter is a message or
 message digest. The default value, RAW, indicates a message. To indicate
 a message digest, enter DIGEST.Use the DIGEST" value only when the value of the Message0 parameter is
 a message digest. If you use the DIGESTÚ  value with a raw message, the
 security of the verification operation can be compromised. ¨,  ³ß - Identifies the asymmetric KMS key that will be used to verify the
 signature. This must be the same KMS key that was used to generate the
 signature. If you specify a different KMS key, the signature
 verification fails.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases. ­,  ´Ÿ - Specifies the message that was signed. You can submit a raw message of
 up to 4096 bytes, or a hash digest of the message. If you submit a
 digest, use the MessageType parameter with a value of DIGEST.¼If the message specified here is different from the message that was
 signed, the signature verification fails. A message and its hash digest
 are considered to be the same message.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. ®,  µ - The signature that the Sign operation generated.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. ¨,  ¶ƒ - The signing algorithm that was used to sign the message. If you submit a
 different algorithm, the signature verification fails.± amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.² amazonka-kms#Tells KMS whether the value of the Messageþ  parameter is a message or
 message digest. The default value, RAW, indicates a message. To indicate
 a message digest, enter DIGEST.Use the DIGEST" value only when the value of the Message0 parameter is
 a message digest. If you use the DIGESTÚ  value with a raw message, the
 security of the verification operation can be compromised.³ amazonka-kmsÜIdentifies the asymmetric KMS key that will be used to verify the
 signature. This must be the same KMS key that was used to generate the
 signature. If you specify a different KMS key, the signature
 verification fails.ó To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
 When using an alias name, prefix it with "alias/"ë . To specify a KMS
 key in a different Amazon Web Services account, you must use the key ARN
 or alias ARN.For example:Key ID: $1234abcd-12ab-34cd-56ef-1234567890abKey ARN:
     Ë arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890abAlias name: alias/ExampleAliasAlias ARN: 5arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias€To get the key ID and key ARN for a KMS key, use ListKeys or
 DescribeKey. To get the alias name and alias ARN, use ListAliases.´ amazonka-kmsœSpecifies the message that was signed. You can submit a raw message of
 up to 4096 bytes, or a hash digest of the message. If you submit a
 digest, use the MessageType parameter with a value of DIGEST.¼If the message specified here is different from the message that was
 signed, the signature verification fails. A message and its hash digest
 are considered to be the same message.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.µ amazonka-kmsThe signature that the Sign operation generated.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.¶ amazonka-kms€The signing algorithm that was used to sign the message. If you submit a
 different algorithm, the signature verification fails.· amazonka-kmsCreate a value of  ¢" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: ¨,  ¸ - The Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARNÃ )
 of the asymmetric KMS key that was used to verify the signature. ¥,  ¹Ò  - A Boolean value that indicates whether the signature was verified. A
 value of True indicates that the 	Signature was produced by signing
 the Message with the specified KeyID and SigningAlgorithm.( If the
 signature is not verified, the Verify operation fails with a
 KMSInvalidSignatureException exception. ¨,  º? - The signing algorithm that was used to verify the signature. §,  »# - The response's http status code.¸ amazonka-kmsThe Amazon Resource Name
 (Ò https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARNkey ARNÃ )
 of the asymmetric KMS key that was used to verify the signature.¹ amazonka-kmsÏ A Boolean value that indicates whether the signature was verified. A
 value of True indicates that the 	Signature was produced by signing
 the Message with the specified KeyID and SigningAlgorithm.( If the
 signature is not verified, the Verify operation fails with a
 KMSInvalidSignatureException exception.º amazonka-kms<The signing algorithm that was used to verify the signature.» amazonka-kms The response's http status code.°  amazonka-kms ¨ amazonka-kms ­ amazonka-kms ® amazonka-kms ¨·  amazonka-kms §¢£¤¦§¥¨©®­¬ª«¯°±²³´µ¶·¸¹º»¨©®­¬ª«¯°±²³´µ¶¢£¤¦§¥·¸¹º»    U  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%&';Ì Ú è ñ  GßË amazonka-kmsSee:  Þ smart constructor.Í amazonka-kms*The HMAC KMS key used in the verification.Î amazonka-kms+The MAC algorithm used in the verification.Ï amazonka-kmsÊ A Boolean value that indicates whether the HMAC was verified. A value of
 True indicates that the HMAC (Mac$) was generated with the specified
 Message, HMAC KMS key (KeyID) and MacAlgorithm..!If the HMAC is not verified, the 	VerifyMac operation fails with a
 KMSInvalidMacExceptioné  exception. This exception indicates that one or
 more of the inputs changed since the HMAC was computed.Ð amazonka-kms The response's http status code.Ñ amazonka-kmsSee:  Ø smart constructor.Ó amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.Ô amazonka-kmsî The message that will be used in the verification. Enter the same
 message that was used to generate the HMAC.GenerateMac and 	VerifyMac£ do not provide special handling for message
 digests. If you generated an HMAC for a hash digest of a message, you
 must verify the HMAC for the same hash digest.Õ amazonka-kms2The KMS key that will be used in the verification.ì Enter a key ID of the KMS key that was used to generate the HMAC. If you
 identify a different KMS key, the 	VerifyMac operation fails.Ö amazonka-kmsÂThe MAC algorithm that will be used in the verification. Enter the same
 MAC algorithm that was used to compute the HMAC. This algorithm must be
 supported by the HMAC KMS key identified by the KeyId parameter.× amazonka-kmsÂThe HMAC to verify. Enter the HMAC that was generated by the GenerateMac
 operation when you specified the same message, HMAC KMS key, and MAC
 algorithm as the values specified in this request.Ø amazonka-kmsCreate a value of  Ñ" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Ó,  Ù - A list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide. Ô,  Úñ  - The message that will be used in the verification. Enter the same
 message that was used to generate the HMAC.GenerateMac and 	VerifyMacª do not provide special handling for message
 digests. If you generated an HMAC for a hash digest of a message, you
 must verify the HMAC for the same hash digest.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data. Ñ,  Û5 - The KMS key that will be used in the verification.ì Enter a key ID of the KMS key that was used to generate the HMAC. If you
 identify a different KMS key, the 	VerifyMac operation fails. Ñ,  ÜÅ - The MAC algorithm that will be used in the verification. Enter the same
 MAC algorithm that was used to compute the HMAC. This algorithm must be
 supported by the HMAC KMS key identified by the KeyId parameter. ×,  ÝÌ - The HMAC to verify. Enter the HMAC that was generated by the GenerateMac
 operation when you specified the same message, HMAC KMS key, and MAC
 algorithm as the values specified in this request.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.Ù amazonka-kmsA list of grant tokens.ð Use a grant token when your permission to call this operation comes from
 a new grant that has not yet achieved eventual consistency. For more
 information, see
 Í https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_tokenGrant token
 and
 Ù https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-tokenUsing a grant token	
 in the &Key Management Service Developer Guide.Ú amazonka-kmsî The message that will be used in the verification. Enter the same
 message that was used to generate the HMAC.GenerateMac and 	VerifyMacª do not provide special handling for message
 digests. If you generated an HMAC for a hash digest of a message, you
 must verify the HMAC for the same hash digest.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.Û amazonka-kms2The KMS key that will be used in the verification.ì Enter a key ID of the KMS key that was used to generate the HMAC. If you
 identify a different KMS key, the 	VerifyMac operation fails.Ü amazonka-kmsÂThe MAC algorithm that will be used in the verification. Enter the same
 MAC algorithm that was used to compute the HMAC. This algorithm must be
 supported by the HMAC KMS key identified by the KeyId parameter.Ý amazonka-kmsÉThe HMAC to verify. Enter the HMAC that was generated by the GenerateMac
 operation when you specified the same message, HMAC KMS key, and MAC
 algorithm as the values specified in this request.--
 -- Note: This LensÕ automatically encodes and decodes Base64 data.
 -- The underlying isomorphism will encode to Base64 representation during
 -- serialisation, and decode from Base64 representation during deserialisation.
 -- This Lens- accepts and returns only raw unencoded data.Þ amazonka-kmsCreate a value of  Ë" with all optional fields omitted.Use 0https://hackage.haskell.org/package/generic-lensgeneric-lens or *https://hackage.haskell.org/package/opticsoptics! to modify other optional fields.ï The following record fields are available, with the corresponding lenses provided
 for backwards compatibility: Ñ,  ß- - The HMAC KMS key used in the verification. Ñ,  à. - The MAC algorithm used in the verification. Ï,  áÍ  - A Boolean value that indicates whether the HMAC was verified. A value of
 True indicates that the HMAC (Mac$) was generated with the specified
 Message, HMAC KMS key (KeyID) and MacAlgorithm..!If the HMAC is not verified, the 	VerifyMac operation fails with a
 KMSInvalidMacExceptioné  exception. This exception indicates that one or
 more of the inputs changed since the HMAC was computed. Ð,  â# - The response's http status code.ß amazonka-kms*The HMAC KMS key used in the verification.à amazonka-kms+The MAC algorithm used in the verification.á amazonka-kmsÊ A Boolean value that indicates whether the HMAC was verified. A value of
 True indicates that the HMAC (Mac$) was generated with the specified
 Message, HMAC KMS key (KeyID) and MacAlgorithm..!If the HMAC is not verified, the 	VerifyMac operation fails with a
 KMSInvalidMacExceptioné  exception. This exception indicates that one or
 more of the inputs changed since the HMAC was computed.â amazonka-kms The response's http status code.Ø  amazonka-kms Ô amazonka-kms Ñ amazonka-kms Ñ amazonka-kms ×Þ  amazonka-kms ÐËÌÍÐÎÏÑÒÔÕÓÖ×ØÙÚÛÜÝÞßàáâÑÒÔÕÓÖ×ØÙÚÛÜÝËÌÍÐÎÏÞßàáâ    V  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred  HØ  á!"#$%˜™ÔÕÖ×ØÙÚÛÜéêêëì«¬ÒÓÔ›œÀãäåæçèéêëìíîïðñòóôõö÷øùú‡ˆ¯°±²³ÆÇÈÉÊËÌÍÎ‹Œ¬­®¯°²³´µÑÒÔÕÖ×Øðñ‹Œ®¯°±²³µ¶·¸ÜÝÞßàáâãåæçèéê„	…	†	‡	Ÿ	 	¡	º	»	¼	¾	¿	À	Á	Þ	ß	á	â	ã	ä	‚
ƒ
„
†
‡
ˆ
‰
£
¤
¥
¦
§
À
Á
Â
Ä
Å
Æ
Ç
ä
å
æ
ç
è
ê
Š‹Ž‘’“”²³´¶·¸¹ºÒÔÕïðòóŽ‘®¯°±³´µ¶ÓÔÕÖ×ÙÚÛúûüýÿ€‚ƒ£¤¥¦¨©ª«¬­ËÌÍÎÏÑÒÓÔòóôõöøùúû‘©ÂÄÛóŽ‘’°±²³µ¶·¸Ïèê¡¢£¤¥§¨©ªÌÍÎÏÐÑÒÓÔÕÖØÙùúûüýþÿ‚ƒ¥¦§¨©ª«¬­®°±ÈÉâäýÿ€˜™²³ÔÕÖ×ØÙÚÛÜÞõö±²³´µ¶¸¹º»ÙÚÛÜÝßàáâçýÿ€âäÈÉ¥¦§¨©ª«¬­®°±ùúûüýþÿ‚ƒÌÍÎÏÐÑÒÓÔÕÖØÙ¡¢£¤¥§¨©ªèêÏ°±²³µ¶·¸Ž‘’óÛÂÄ©‘òóôõöøùúûËÌÍÎÏÑÒÓÔ£¤¥¦¨©ª«¬­úûüýÿ€‚ƒÓÔÕÖ×ÙÚÛ®¯°±³´µ¶Ž‘ïðòóÒÔÕ²³´¶·¸¹ºŠ‹Ž‘’“”ä
å
æ
ç
è
ê
À
Á
Â
Ä
Å
Æ
Ç
£
¤
¥
¦
§
êëì‚
ƒ
„
†
‡
ˆ
‰
Þ	ß	á	â	ã	ä	º	»	¼	¾	¿	À	Á	Ÿ	 	¡	êëì„	…	†	‡	ÜÝÞßàáâãåæçèéê®¯°±²³µ¶·¸‹ŒðñÑÒÔÕÖ×Ø¬­®¯°²³´µ‹Œ˜™²³ÔÕÖ×ØÙÚÛÜÞõö±²³´µ¶¸¹º»ÙÚÛÜÝßàáâ!"#$%ÆÇÈÉÊËÌÍÎ˜™ÔÕÖ×ØÙÚÛÜéêãäåæçèéêëìíîïðñòóôõö÷øùúêëìÒÓÔ«¬›œÀ‡ˆ¯°±²³    W  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred"%Ì Ú ñ  O        X  (c) 2013-2023 Brendan HayMozilla Public License, v. 2.0.Brendan Hayauto-generatednon-portable (GHC extensions)Safe-Inferred  Oœ  ·  -A@?>=<;:9876543210./U\[ZYXVWptsqrˆ—–•”“’‘ŽŒ‹‰Š«µ´³²±°¯®¬­ÉÍÌÊËáçæåäâãûÿþüý“”—¢´³²±°¯®­¬«ª©¨§¦¥£¤ÈÉÓäåèòöõóôŠ™˜—–•”“’‘Ž‹Œ­·¶µ´³²±°®¯ËÐÏÎÌÍäåéôúùø÷õöŽ’‘¦§ª´¸·µ¶ÌÍÑÜâáàßÝÞö‚€ÿþýüûúù÷ø–—š¥¨¦§¼½¿ÈÉâ‚ƒ†“’‘§¨®º»ÅÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ƒ„…†‡ŠžŸ¤¥«±ÅÆÌÍÐÓéêëìïòƒ„…†ŠŽŸ ¥¦­´ÉÊÑÒÛäûüýþƒ	ˆ	™	š	ž	®	¯	´	µ	¹	½	Ó	Ô	Ù	Ú	Ý	à	ö	÷	ü	ý	
…
›
œ
¢
´
µ
º
»
¿
Ã
Ù
Ú
Ü
Ý
ã
é
û
ü
…†‰Œ¥¦¬­±µÊËÎÏÑÓæçêëîñ„…ˆ‰Œ¡¢§¨­²ÆÇËÌÒØìíóôùþ”•œ¢§½¾ÃÄÊÐäåêëñ÷‹ŒŽ’£¤¥¦¨ª»¼¾¿ÁÃÕÖ×ØÚÜíîïðòô…†‰Š£¤©ª¯´ÉÊËÌÎÐáâäåçéûüýþ€‚“”™š ¦º»¾¿Ë×êëïðø€”•˜™¤¯ÁÂÃÄÇÊÛÜÞßáãõöùúüþ‘’“”—š«¬­®±´ÅÆÈÉÓÝîïðñô÷ˆ‰Š‹Ž‘¢£¨©°·ËÌÑÒØÞ¹ÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ƒùúüõöþÞßáÛÜãÃÄÇÁÂÊ˜™¤”•¯ïðøêë€¾¿Ëº»×™š “”¦ýþ€ûü‚äåçáâéËÌÎÉÊÐ©ª¯£¤´‰Š…†ïðòíîô×ØÚÕÖÜ¾¿Á»¼Ã¥¦¨£¤ªŽ‹Œ’êëñäå÷ÃÄÊ½¾Ðœ¢”•§óôùìíþËÌÒÆÇØ§¨­¡¢²ˆ‰Œ„…êëîæçñÎÏÑÊËÓ¬­±¥¦µ…†‰û
ü
ŒÜ
Ý
ã
Ù
Ú
é
º
»
¿
´
µ
Ã
›
œ
¢
äåéü	ý	
ö	÷	…
Ù	Ú	Ý	Ó	Ô	à	´	µ	¹	®	¯	½	™	š	ž	äåéýþƒ	ûüˆ	ÑÒÛÉÊä¥¦­Ÿ ´…†Šƒ„ŽëìïéêòÌÍÐÅÆÓ¤¥«žŸ±†‡Š„…“”—‘’š­®±«¬´ÈÉÓÅÆÝðñôîï÷Š‹Žˆ‰‘¨©°¢£·ÑÒØËÌÞ -A@?>=<;:9876543210./A@?>=<;:9876543210U\[ZYXVW\[ZYXptsqrtsˆ—–•”“’‘ŽŒ‹‰Š—–•”“’‘ŽŒ‹«µ´³²±°¯®¬­µ´³²±°¯®ÉÍÌÊËÍÌáçæåäâãçæåäûÿþüýÿþ¢´³²±°¯®­¬«ª©¨§¦¥£¤´³²±°¯®­¬«ª©¨§¦¥òöõóôöõŠ™˜—–•”“’‘Ž‹Œ™˜—–•”“’‘Ž­·¶µ´³²±°®¯·¶µ´³²±°ËÐÏÎÌÍÐÏÎôúùø÷õöúùø÷Ž’‘’‘´¸·µ¶¸·ÜâáàßÝÞâáàßö‚€ÿþýüûúù÷ø‚€ÿþýüûúù¥¨¦§¨“’‘“’ º»Å“”—ÈÉÓäåèÈÉâäåéÌÍÑ¦§ª–—š¼½¿‚ƒ†§¨®  ò  Y  Z   [  \  ]  ^   _   `   a   b   c   d   e   f   g   h   i   j   k   l   m   n   o   p   q  r  s   t   u   v   w   x   y   z   {   |   }   ~      €      ‚   ƒ   „   …  †  ‡   ˆ  ‰  Š  ‹  Œ    Ž      ‘  ’  “  ”  •  –  —  ˜  ™  š   ›   œ      ž   Ÿ       ¡   ¢   £   ¤   ¥   ¦   §   ¨   ©   ª   «   ¬   ­  ®  ¯   °  ±  ²  ³  ´  µ   ¶   ·   ¸   ¹   º   »   ¼   ½   ¾   ¿   À   Á   Â   Ã   Ä   Å   Æ   Ç   È  É  Ê   Ë  Ì  Í   Î   Ï   Ð   Ñ   Ò   Ó   Ô   Õ   Ö   ×   Ø   Ù   Ú   Û   Ü   Ý   Þ   ß   à  á  â   ã  ä  å  æ  ç  è  é  ê  ë  ì  í  î  ï  ð   ñ   ò   ó   ô   õ   ö   ÷   ø   ù   ú   û   ü   ý   þ   ÿ   €      ‚   ƒ  „  …   †  ‡  ˆ  ‰  Š  ‹  Œ    Ž         ‘   ’   “   ”   •   –   —   ˜   ™   š   ›   œ      ž   Ÿ       ¡  ¢  £   ¤  ¥  ¦   §   ¨   ©   ª   «   ¬   ­   ®   ¯   °   ±   ²   ³   ´   µ   ¶   ·   ¸   ¹  	º  	»  	 ¼  	½  	¾  	¿  	À  	 Á  	 Â  	 Ã  	 Ä  	 Å  	 Æ  	 Ç  	 È  	 É  	 Ê  	 Ë  	 Ì  	 Í  	 Î  	 Ï  	 Ð  	 Ñ  	 Ò  	 Ó  
Ô  
Õ  
 Ö  
×  
Ø  
 Ù  
 Ú  
 Û  
 Ü  
 Ý  
 Þ  
 ß  
 à  
 á  
 â  
 ã  
 ä  
 å  
 æ  
 ç  
 è  
 é  
 ê  
 ë  ì  í   î   ï   ð   ñ   ò   ó   ô   õ   ö   ÷   ø   ù   ú  û  ü   ý  þ  ÿ  €    ‚  ƒ  „  …  †  ‡  ˆ  ‰  Š  ‹  Œ     Ž         ‘   ’   “   ”   •   –   —   ˜   ™   š   ›   œ      ž   Ÿ      ¡  ¢   £   ¤   ¥   ¦   §   ¨   ©   ª   «   ¬   ­   ®   ¯   °   ±   ²   ³   ´   µ   ¶   ·   ¸   ¹   º   »   ¼  ½  ¾   ¿   À   Á   Â   Ã   Ä   Å   Æ   Ç   È   É   Ê  Ë  Ì   Í  Î  Ï   Ð   Ñ   Ò   Ó   Ô   Õ   Ö   ×   Ø   Ù   Ú   Û   Ü   Ý   Þ   ß   à   á   â  ã  ä   å  æ  ç  è  é  ê  ë  ì  í  î  ï  ð  ñ  ò   ó   ô   õ   ö   ÷   ø   ù   ú   û   ü   ý   þ   ÿ   €      ‚   ƒ   „   …  †  ‡   ˆ  ‰  Š  ‹  Œ    Ž       ‘   ’   “   ”   •   –   —   ˜   ™   š   ›   œ      ž   Ÿ       ¡   ¢   £  ¤  ¥   ¦  §  ¨  ©   ª   «   ¬   ­   ®   ¯   °   ±   ²   ³   ´   µ   ¶   ·   ¸   ¹   º   »   ¼  ½  ¾   ¿   À   Á   Â   Ã   Ä   Å   Æ   Ç   È   É   Ê   Ë   Ì  Í  Î   Ï  Ð  Ñ  Ò  Ó   Ô   Õ   Ö   ×   Ø   Ù   Ú   Û   Ü   Ý   Þ   ß   à   á   â   ã   ä   å   æ  ç  è   é  ê  ë   ì   í   î   ï   ð   ñ   ò   ó   ô   õ   ö   ÷   ø   ù   ú   û   ü   ý   þ  ÿ  €      ‚   ƒ   „   …   †   ‡   ˆ   ‰   Š   ‹   Œ    Ž       ‘   ’   “   ”   •   –   —   ˜   ™   š   ›   œ      ž   Ÿ       ¡   ¢   £   ¤  ¥  ¦   §   ¨   ©   ª   «   ¬   ­   ®   ¯   °   ±   ²   ³   ´  µ  ¶   ·  ¸  ¹  º  »   ¼   ½   ¾   ¿   À   Á   Â   Ã   Ä   Å   Æ   Ç   È   É   Ê   Ë   Ì   Í   Î  Ï  Ð   Ñ  Ò  Ó  Ô  Õ  Ö  ×  Ø  Ù  Ú  Û   Ü   Ý   Þ   ß   à   á   â   ã   ä   å   æ   ç   è   é   ê   ë   ì   í   î  ï  ð   ñ   ò   ó   ô   õ   ö   ÷   ø   ù   ú   û   ü   ý  þ  ÿ   €     ‚   ƒ   „   …   †   ‡   ˆ   ‰   Š   ‹   Œ      Ž         ‘   ’   “   ”  •  –   —   ˜   ™   š   ›   œ      ž   Ÿ      ¡  ¢   £   ¤   ¥   ¦   §   ¨   ©   ª   «   ¬   ­   ®   ¯   °   ±   ²   ³   ´   µ   ¶   ·   ¸   ¹   º   »   ¼   ½   ¾   ¿   À   Á   Â   Ã   Ä   Å   Æ   Ç   È   É   Ê   Ë   Ì   Í   Î   Ï   Ð   Ñ   Ò   Ó   Ô   Õ   Ö   ×   Ø   Ù   Ú  Û  Ü   Ý   Þ   ß   à   á   â   ã   ä   å   æ   ç   è   é    ê   ë   ì    í    î    ï    ð    ñ    ò    ó    ô    õ    ö    ÷    ø    ù    ú    û    ü    ý    þ    ÿ  !€  !  ! ‚  ! ƒ  ! „  ! …  ! †  ! ‡  ! ˆ  ! ‰  ! Š  ! ‹  ! Œ  !   ! Ž  !   !   ! ‘  ! ’  "“  "”  " •  " –  " —  " ˜  " ™  " š  " ›  " œ  "   " ž  " Ÿ  "    " ¡  " ¢  " £  " ¤  " ¥  " ¦  " §  " ¨  " ©  " ª  " «  " ¬  " ­  # ®  # ¯  # °  # ±  # ²  # ³  # ´  # µ  # ¶  # ·  # ¸  # ¹  # º  # »  # ¼  # ½  # ¾  # ¿  # À  # Á  # Â  # Ã  # Ä  # Å  # Æ  # Ç  # È  # É  # Ê  # Ë  # Ì  # Í  # Î  # Ï  # Ð  # Ñ  # Ò  # Ó  # Ô  # Õ  # Ö  # ×  # Ø  # Ù  # Ú  # Û  # Ü  $Ý  $Þ  $ß  $à  $ á  $ â  $ ã  $ ä  $ å  $ æ  $ ç  $ è  $ é  $ ê  $ ë  $ ì  $ í  $ î  $ ï  $ ð  $ ñ  $ ò  $ ó  $ ô  $ õ  $ ö  %÷  %ø  % ù  % ú  % û  % ü  %ý  %þ  % ÿ  % €  %   % ‚  % ƒ  % „  % …  % †  % ‡  % ˆ  % ‰  % Š  % ‹  % Œ  %   % Ž  %   %   % ‘  % ’  % “  % ”  % •  % –  % —  % ˜  % ™  % š  % ›  % œ  %   &ž  &Ÿ  &    & ¡  & ¢  & £  & ¤  &¥  &¦  & §  & ¨  & ©  & ª  & «  & ¬  & ­  & ®  & ¯  & °  & ±  & ²  & ³  & ´  & µ  & ¶  & ·  & ¸  & ¹  & º  & »  & ¼  & ½  & ¾  & ¿  & À  & Á  'Â  'Ã  'Ä  'Å  ' Æ  ' Ç  ' È  ' É  ' Ê  ' Ë  ' Ì  ' Í  ' Î  ' Ï  ' Ð  ' Ñ  ' Ò  ' Ó  ' Ô  ' Õ  ' Ö  ' ×  ' Ø  ' Ù  ' Ú  ' Û  (Ü  (Ý  (Þ  (ß  ( à  ( á  ( â  ( ã  ( ä  ( å  ( æ  ( ç  ( è  ( é  ( ê  ( ë  ( ì  ( í  ( î  ( ï  ( ð  ( ñ  ( ò  ( ó  ( ô  ( õ  ( ö  ( ÷  )ø  )ù  ) ú  ) û  ) ü  ) ý  )þ  )ÿ  ) €	  ) 	  ) ‚	  ) ƒ	  ) „	  ) …	  ) †	  ) ‡	  ) ˆ	  ) ‰	  ) Š	  ) ‹	  ) Œ	  ) 	  ) Ž	  ) 	  ) 	  ) ‘	  ) ’	  ) “	  ) ”	  ) •	  ) –	  ) —	  ) ˜	  ) ™	  ) š	  ) ›	  ) œ	  ) 	  ) ž	  ) Ÿ	  )  	  ) ¡	  *¢	  *£	  * ¤	  * ¥	  * ¦	  * §	  * ¨	  * ©	  *ª	  *«	  * ¬	  * ­	  * ®	  * ¯	  * °	  * ±	  * ²	  * ³	  * ´	  * µ	  * ¶	  * ·	  * ¸	  * ¹	  * º	  * »	  * ¼	  * ½	  * ¾	  * ¿	  * À	  * Á	  * Â	  * Ã	  * Ä	  * Å	  * Æ	  * Ç	  * È	  * É	  * Ê	  * Ë	  * Ì	  * Í	  * Î	  * Ï	  * Ð	  * Ñ	  * Ò	  * Ó	  +Ô	  +Õ	  +Ö	  +×	  + Ø	  + Ù	  + Ú	  + Û	  + Ü	  + Ý	  + Þ	  + ß	  + à	  + á	  + â	  + ã	  + ä	  + å	  + æ	  + ç	  + è	  + é	  + ê	  + ë	  + ì	  + í	  + î	  + ï	  + ð	  + ñ	  ,ò	  ,ó	  , ô	  , õ	  , ö	  , ÷	  , ø	  , ù	  , ú	  , û	  , ü	  , ý	  , þ	  , ÿ	  , €
  , 
  , ‚
  , ƒ
  , „
  , …
  , †
  -‡
  -ˆ
  - ‰
  - Š
  - ‹
  - Œ
  -
  -Ž
  - 
  - 
  - ‘
  - ’
  - “
  - ”
  - •
  - –
  - —
  - ˜
  - ™
  - š
  - ›
  - œ
  - 
  - ž
  - Ÿ
  -  
  - ¡
  - ¢
  - £
  - ¤
  - ¥
  - ¦
  - §
  - ¨
  - ©
  - ª
  - «
  .¬
  .­
  . ®
  . ¯
  . °
  . ±
  .²
  .³
  . ´
  . µ
  . ¶
  . ·
  . ¸
  . ¹
  . º
  . »
  . ¼
  . ½
  . ¾
  . ¿
  . À
  . Á
  . Â
  . Ã
  . Ä
  . Å
  . Æ
  . Ç
  . È
  . É
  . Ê
  . Ë
  . Ì
  . Í
  . Î
  /Ï
  /Ð
  / Ñ
  / Ò
  / Ó
  / Ô
  /Õ
  /Ö
  / ×
  / Ø
  / Ù
  / Ú
  / Û
  / Ü
  / Ý
  / Þ
  / ß
  / à
  / á
  / â
  / ã
  / ä
  / å
  / æ
  / ç
  / è
  / é
  / ê
  / ë
  / ì
  / í
  / î
  / ï
  / ð
  / ñ
  / ò
  / ó
  0ô
  0õ
  0 ö
  0 ÷
  0 ø
  0 ù
  0 ú
  0 û
  0 ü
  0 ý
  0 þ
  0 ÿ
  0 €  0   0 ‚  0 ƒ  0 „  0 …  0 †  0 ‡  0 ˆ  0 ‰  0 Š  0 ‹  0 Œ  1  1Ž  1   1   1 ‘  1 ’  1“  1”  1 •  1 –  1 —  1 ˜  1 ™  1 š  1 ›  1 œ  1   1 ž  1 Ÿ  1    1 ¡  1 ¢  1 £  1 ¤  1 ¥  1 ¦  1 §  1 ¨  1 ©  1 ª  1 «  1 ¬  1 ­  1 ®  1 ¯  1 °  1 ±  2²  2³  2 ´  2µ  2¶  2 ·  2 ¸  2 ¹  2 º  2 »  2 ¼  2 ½  2 ¾  2 ¿  2 À  2 Á  2 Â  2 Ã  2 Ä  2 Å  2 Æ  2 Ç  2 È  2 É  2 Ê  2 Ë  2 Ì  2 Í  2 Î  2 Ï  2 Ð  2 Ñ  2 Ò  2 Ó  3Ô  3Õ  3 Ö  3 ×  3 Ø  3 Ù  3 Ú  3 Û  3 Ü  3 Ý  3Þ  3ß  3 à  3 á  3 â  3 ã  3 ä  3 å  3 æ  3 ç  3 è  3 é  3 ê  3 ë  3 ì  3 í  3 î  3 ï  3 ð  3 ñ  3 ò  3 ó  3 ô  3 õ  3 ö  3 ÷  3 ø  3 ù  3 ú  3 û  3 ü  3 ý  4þ  4ÿ  4 €  4   4 ‚  4 ƒ  4 „  4…  4†  4 ‡  4 ˆ  4 ‰  4 Š  4 ‹  4 Œ  4   4 Ž  4   4   4 ‘  4 ’  4 “  4 ”  4 •  4 –  4 —  4 ˜  4 ™  4 š  4 ›  4 œ  4   4 ž  4 Ÿ  4    4 ¡  4 ¢  5£  5¤  5 ¥  5 ¦  5§  5¨  5 ©  5 ª  5 «  5 ¬  5 ­  5 ®  5 ¯  5 °  5 ±  5 ²  5 ³  5 ´  5 µ  5 ¶  5 ·  5 ¸  5 ¹  5 º  5 »  5 ¼  5 ½  5 ¾  6¿  6À  6 Á  6 Â  6Ã  6Ä  6 Å  6 Æ  6 Ç  6 È  6 É  6 Ê  6 Ë  6 Ì  6 Í  6 Î  6 Ï  6 Ð  6 Ñ  6 Ò  6 Ó  6 Ô  6 Õ  6 Ö  6 ×  6 Ø  6 Ù  6 Ú  6 Û  6 Ü  7Ý  7Þ  7 ß  7 à  7á  7â  7 ã  7 ä  7 å  7 æ  7 ç  7 è  7 é  7 ê  7 ë  7 ì  7 í  7 î  7 ï  7 ð  7 ñ  7 ò  7 ó  7 ô  7 õ  7 ö  7 ÷  7 ø  7 ù  8ú  8û  8 ü  8 ý  8 þ  8 ÿ  8€  8  8 ‚  8 ƒ  8 „  8 …  8 †  8 ‡  8 ˆ  8 ‰  8 Š  8 ‹  8 Œ  8   8 Ž  8   8   8 ‘  8 ’  8 “  8 ”  8 •  8 –  8 —  8 ˜  8 ™  8 š  8 ›  8 œ  8   8 ž  9Ÿ  9   9 ¡  9 ¢  9 £  9¤  9¥  9 ¦  9 §  9 ¨  9 ©  9 ª  9 «  9 ¬  9 ­  9 ®  9 ¯  9 °  9 ±  9 ²  9 ³  9 ´  9 µ  9 ¶  9 ·  9 ¸  9 ¹  9 º  9 »  9 ¼  9 ½  9 ¾  9 ¿  9 À  9 Á  9 Â  9 Ã  9 Ä  :Å  :Æ  : Ç  : È  : É  : Ê  : Ë  :Ì  :Í  : Î  : Ï  : Ð  : Ñ  : Ò  : Ó  : Ô  : Õ  : Ö  : ×  : Ø  : Ù  : Ú  : Û  : Ü  : Ý  : Þ  : ß  : à  : á  : â  : ã  : ä  : å  : æ  : ç  : è  : é  : ê  : ë  : ì  ;í  ;î  ; ï  ; ð  ; ñ  ; ò  ; ó  ; ô  ;õ  ;ö  ; ÷  ; ø  ; ù  ; ú  ; û  ; ü  ; ý  ; þ  ; ÿ  ; €  ;   ; ‚  ; ƒ  ; „  ; …  ; †  ; ‡  ; ˆ  ; ‰  ; Š  ; ‹  ; Œ  ;   ; Ž  ;   ;   ; ‘  ; ’  ; “  ; ”  ; •  <–  <—  < ˜  < ™  < š  < ›  <œ  <  < ž  < Ÿ  <    < ¡  < ¢  < £  < ¤  < ¥  < ¦  < §  < ¨  < ©  < ª  < «  < ¬  < ­  < ®  < ¯  < °  < ±  < ²  < ³  < ´  < µ  < ¶  < ·  < ¸  < ¹  < º  < »  < ¼  =½  =¾  = ¿  = À  = Á  = Â  =Ã  =Ä  = Å  = Æ  = Ç  = È  = É  = Ê  = Ë  = Ì  = Í  = Î  = Ï  = Ð  = Ñ  = Ò  = Ó  = Ô  = Õ  = Ö  = ×  = Ø  = Ù  = Ú  = Û  = Ü  = Ý  = Þ  = ß  = à  = á  = â  = ã  >ä  >å  >æ  >ç  > è  > é  > ê  > ë  > ì  > í  > î  > ï  > ð  > ñ  > ò  > ó  > ô  > õ  > ö  > ÷  > ø  > ù  > ú  > û  ?ü  ?ý  ?þ  ?ÿ  ? €  ?   ? ‚  ? ƒ  ? „  ? …  ? †  ? ‡  ? ˆ  ? ‰  ? Š  ? ‹  ? Œ  ?   ? Ž  ?   ?   ? ‘  ? ’  ? “  @”  @•  @ –  @—  @˜  @ ™  @ š  @ ›  @ œ  @   @ ž  @ Ÿ  @    @ ¡  @ ¢  @ £  @ ¤  @ ¥  @ ¦  @ §  @ ¨  @ ©  @ ª  @ «  @ ¬  @ ­  A®  A¯  A°  A±  A ²  A ³  A ´  A µ  A ¶  A ·  A ¸  A ¹  A º  A »  A ¼  A ½  A ¾  A ¿  A À  A Á  A Â  A Ã  A Ä  A Å  BÆ  BÇ  BÈ  BÉ  B Ê  B Ë  B Ì  B Í  B Î  B Ï  B Ð  B Ñ  B Ò  B Ó  B Ô  B Õ  B Ö  B ×  B Ø  B Ù  B Ú  B Û  B Ü  B Ý  CÞ  Cß  C à  C á  Câ  Cã  C ä  C å  C æ  C ç  C è  C é  C ê  C ë  C ì  C í  C î  C ï  C ð  C ñ  C ò  C ó  C ô  C õ  C ö  C ÷  C ø  C ù  C ú  C û  Dü  Dý  D þ  D ÿ  D €  D   D‚  Dƒ  D „  D …  D †  D ‡  D ˆ  D ‰  D Š  D ‹  D Œ  D   D Ž  D   D   D ‘  D ’  D “  D ”  D •  D –  D —  D ˜  D ™  D š  D ›  D œ  D   D ž  D Ÿ  D    D ¡  E¢  E£  E¤  E¥  E ¦  E §  E ¨  E ©  E ª  E «  E ¬  E ­  E ®  E ¯  E °  E ±  E ²  E ³  E ´  E µ  E ¶  E ·  E ¸  E ¹  Fº  F»  F ¼  F½  F¾  F ¿  F À  F Á  F Â  F Ã  F Ä  F Å  F Æ  F Ç  F È  F É  F Ê  F Ë  F Ì  F Í  F Î  F Ï  F Ð  F Ñ  F Ò  F Ó  GÔ  GÕ  GÖ  G×  G Ø  G Ù  G Ú  G Û  G Ü  G Ý  G Þ  G ß  G à  G á  G â  G ã  G ä  G å  G æ  G ç  G è  G é  G ê  G ë  Hì  Hí  H î  H ï  H ð  H ñ  Hò  Hó  H ô  H õ  H ö  H ÷  H ø  H ù  H ú  H û  H ü  H ý  H þ  H ÿ  H €  H   H ‚  H ƒ  H „  H …  H †  H ‡  H ˆ  H ‰  H Š  H ‹  H Œ  H   H Ž  H   H   H ‘  H ’  I“  I”  I •  I –  I—  I˜  I ™  I š  I ›  I œ  I   I ž  I Ÿ  I    I ¡  I ¢  I £  I ¤  I ¥  I ¦  I §  I ¨  I ©  I ª  I «  I ¬  I ­  I ®  I ¯  I °  I ±  I ²  I ³  I ´  I µ  I ¶  I ·  I ¸  I ¹  I º  I »  I ¼  I ½  I ¾  I ¿  I À  I Á  I Â  JÃ  JÄ  J Å  J Æ  J Ç  JÈ  JÉ  J Ê  J Ë  J Ì  J Í  J Î  J Ï  J Ð  J Ñ  J Ò  J Ó  J Ô  J Õ  J Ö  J ×  J Ø  J Ù  J Ú  J Û  J Ü  J Ý  J Þ  J ß  J à  J á  J â  J ã  J ä  J å  J æ  J ç  J è  J é  J ê  J ë  J ì  Kí  Kî  K ï  K ð  Kñ  Kò  K ó  K ô  K õ  K ö  K ÷  K ø  K ù  K ú  K û  K ü  K ý  K þ  K ÿ  K €  K   K ‚  K ƒ  K „  K …  K †  K ‡  K ˆ  K ‰  K Š  K ‹  K Œ  K   K Ž  K   K   K ‘  K ’  K “  K ”  K •  K –  K —  K ˜  K ™  Lš  L›  Lœ  L  L ž  L Ÿ  L    L ¡  L ¢  L £  L ¤  L ¥  L ¦  L §  L ¨  L ©  L ª  L «  L ¬  L ­  L ®  L ¯  L °  L ±  L ²  L ³  M´  Mµ  M ¶  M·  M¸  M ¹  M º  M »  M ¼  M ½  M ¾  M ¿  M À  M Á  M Â  M Ã  M Ä  M Å  M Æ  M Ç  M È  M É  M Ê  M Ë  M Ì  M Í  NÎ  NÏ  N Ð  N Ñ  NÒ  NÓ  N Ô  N Õ  N Ö  N ×  N Ø  N Ù  N Ú  N Û  N Ü  N Ý  N Þ  N ß  N à  N á  N â  N ã  N ä  N å  N æ  N ç  N è  N é  Oê  Oë  Oì  Oí  O î  O ï  O ð  O ñ  O ò  O ó  O ô  O õ  O ö  O ÷  O ø  O ù  O ú  O û  O ü  O ý  O þ  O ÿ  O €  O   O ‚  O ƒ  P„  P…  P†  P‡  P ˆ  P ‰  P Š  P ‹  P Œ  P   P Ž  P   P   P ‘  P ’  P “  P ”  P •  P –  P —  P ˜  P ™  P š  P ›  P œ  P   Qž  QŸ  Q    Q¡  Q¢  Q £  Q ¤  Q ¥  Q ¦  Q §  Q ¨  Q ©  Q ª  Q «  Q ¬  Q ­  Q ®  Q ¯  Q °  Q ±  Q ²  Q ³  Q ´  Q µ  Q ¶  Q ·  Q ¸  Q ¹  Q º  Q »  Q ¼  Q ½  Q ¾  Q ¿  Q À  Q Á  Q Â  Q Ã  Q Ä  Q Å  Q Æ  RÇ  RÈ  RÉ  RÊ  R Ë  R Ì  R Í  R Î  R Ï  R Ð  R Ñ  R Ò  R Ó  R Ô  R Õ  R Ö  R ×  R Ø  R Ù  R Ú  R Û  R Ü  R Ý  R Þ  R ß  R à  Sá  Sâ  Sã  Sä  S å  S æ  S ç  S è  S é  S ê  S ë  S ì  S í  S î  S ï  S ð  S ñ  S ò  S ó  S ô  S õ  S ö  S ÷  S ø  S ù  S ú  Tû  Tü  T ý  T þ  T ÿ  T €  T  T‚  T ƒ  T „  T …  T †  T ‡  T ˆ  T ‰  T Š  T ‹  T Œ  T   T Ž  T   T   T ‘  T ’  T “  T ”  T •  T –  T —  T ˜  T ™  T š  T ›  T œ  T   T ž  T Ÿ  T    T ¡  T ¢  T £  U¤  U¥  U ¦  U §  U ¨  U ©  Uª  U«  U ¬  U ­  U ®  U ¯  U °  U ±  U ²  U ³  U ´  U µ  U ¶  U ·  U ¸  U ¹  U º  U »  U ¼  U ½  U ¾  U ¿  U À  U Á  U Â  U Ã  U Ä  U Å  U Æ  U Ç  U È  U É  U ÊË'amazonka-kms-2.0-6YhT3Ymbf9Z5PoaGoz7tbG Amazonka.KMS.Types.AlgorithmSpec!Amazonka.KMS.Types.AliasListEntry*Amazonka.KMS.Types.ConnectionErrorCodeType&Amazonka.KMS.Types.ConnectionStateType%Amazonka.KMS.Types.CustomKeyStoreType(Amazonka.KMS.Types.CustomerMasterKeySpec"Amazonka.KMS.Types.DataKeyPairSpecAmazonka.KMS.Types.DataKeySpec*Amazonka.KMS.Types.EncryptionAlgorithmSpec&Amazonka.KMS.Types.ExpirationModelType#Amazonka.KMS.Types.GrantConstraints!Amazonka.KMS.Types.GrantOperation!Amazonka.KMS.Types.GrantListEntryAmazonka.KMS.Types.KeyListEntry!Amazonka.KMS.Types.KeyManagerTypeAmazonka.KMS.Types.KeySpecAmazonka.KMS.Types.KeyStateAmazonka.KMS.Types.KeyUsageType%Amazonka.KMS.Types.ListGrantsResponse#Amazonka.KMS.Types.MacAlgorithmSpecAmazonka.KMS.Types.MessageType!Amazonka.KMS.Types.MultiRegionKey%Amazonka.KMS.Types.MultiRegionKeyType+Amazonka.KMS.Types.MultiRegionConfigurationAmazonka.KMS.Types.OriginType'Amazonka.KMS.Types.SigningAlgorithmSpecAmazonka.KMS.Types.Tag"Amazonka.KMS.Types.WrappingKeySpec*Amazonka.KMS.Types.XksKeyConfigurationTypeAmazonka.KMS.Types.KeyMetadata7Amazonka.KMS.Types.XksProxyAuthenticationCredentialType+Amazonka.KMS.Types.XksProxyConnectivityType,Amazonka.KMS.Types.XksProxyConfigurationType+Amazonka.KMS.Types.CustomKeyStoresListEntryAmazonka.KMS.TypesAmazonka.KMS.TagResourceAmazonka.KMS.Sign Amazonka.KMS.ScheduleKeyDeletionAmazonka.KMS.RevokeGrantAmazonka.KMS.RetireGrantAmazonka.KMS.ReplicateKeyAmazonka.KMS.ReEncryptAmazonka.KMS.PutKeyPolicy Amazonka.KMS.ListRetirableGrantsAmazonka.KMS.ListResourceTagsAmazonka.KMS.ListKeysAmazonka.KMS.ListKeyPoliciesAmazonka.KMS.ListGrantsAmazonka.KMS.ListAliasesAmazonka.KMS.ImportKeyMaterialAmazonka.KMS.GetPublicKey#Amazonka.KMS.GetParametersForImport!Amazonka.KMS.GetKeyRotationStatusAmazonka.KMS.GetKeyPolicyAmazonka.KMS.GenerateRandomAmazonka.KMS.GenerateMac,Amazonka.KMS.GenerateDataKeyWithoutPlaintext0Amazonka.KMS.GenerateDataKeyPairWithoutPlaintext Amazonka.KMS.GenerateDataKeyPairAmazonka.KMS.GenerateDataKeyAmazonka.KMS.EncryptAmazonka.KMS.EnableKeyRotationAmazonka.KMS.EnableKey%Amazonka.KMS.DisconnectCustomKeyStoreAmazonka.KMS.DisableKeyRotationAmazonka.KMS.DisableKeyAmazonka.KMS.DescribeKey$Amazonka.KMS.DescribeCustomKeyStores&Amazonka.KMS.DeleteImportedKeyMaterial!Amazonka.KMS.DeleteCustomKeyStoreAmazonka.KMS.DeleteAliasAmazonka.KMS.DecryptAmazonka.KMS.CreateKeyAmazonka.KMS.CreateGrant!Amazonka.KMS.CreateCustomKeyStoreAmazonka.KMS.CreateAlias"Amazonka.KMS.ConnectCustomKeyStoreAmazonka.KMS.CancelKeyDeletionAmazonka.KMS.UntagResourceAmazonka.KMS.UpdateAlias!Amazonka.KMS.UpdateCustomKeyStore!Amazonka.KMS.UpdateKeyDescription Amazonka.KMS.UpdatePrimaryRegionAmazonka.KMS.VerifyAmazonka.KMS.VerifyMacAmazonka.KMS.LensAmazonka.KMS.WaitersAmazonka.KMSAlgorithmSpecAlgorithmSpec'fromAlgorithmSpecAlgorithmSpec_RSAES_PKCS1_V1_5 AlgorithmSpec_RSAES_OAEP_SHA_256AlgorithmSpec_RSAES_OAEP_SHA_1$fShowAlgorithmSpec$fReadAlgorithmSpec$fEqAlgorithmSpec$fOrdAlgorithmSpec$fGenericAlgorithmSpec$fHashableAlgorithmSpec$fNFDataAlgorithmSpec$fFromTextAlgorithmSpec$fToTextAlgorithmSpec$fToByteStringAlgorithmSpec$fToLogAlgorithmSpec$fToHeaderAlgorithmSpec$fToQueryAlgorithmSpec$fFromJSONAlgorithmSpec$fFromJSONKeyAlgorithmSpec$fToJSONAlgorithmSpec$fToJSONKeyAlgorithmSpec$fFromXMLAlgorithmSpec$fToXMLAlgorithmSpecAliasListEntryAliasListEntry'$sel:aliasArn:AliasListEntry'$sel:aliasName:AliasListEntry'!$sel:creationDate:AliasListEntry'$$sel:lastUpdatedDate:AliasListEntry' $sel:targetKeyId:AliasListEntry'newAliasListEntryaliasListEntry_aliasArnaliasListEntry_aliasNamealiasListEntry_creationDatealiasListEntry_lastUpdatedDatealiasListEntry_targetKeyId$fNFDataAliasListEntry$fHashableAliasListEntry$fFromJSONAliasListEntry$fEqAliasListEntry$fReadAliasListEntry$fShowAliasListEntry$fGenericAliasListEntryConnectionErrorCodeTypeConnectionErrorCodeType'fromConnectionErrorCodeType:ConnectionErrorCodeType_XKS_VPC_ENDPOINT_SERVICE_NOT_FOUNDÆ ConnectionErrorCodeType_XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION+ConnectionErrorCodeType_XKS_PROXY_TIMED_OUT/ConnectionErrorCodeType_XKS_PROXY_NOT_REACHABLE;ConnectionErrorCodeType_XKS_PROXY_INVALID_TLS_CONFIGURATION2ConnectionErrorCodeType_XKS_PROXY_INVALID_RESPONSE7ConnectionErrorCodeType_XKS_PROXY_INVALID_CONFIGURATION/ConnectionErrorCodeType_XKS_PROXY_ACCESS_DENIED&ConnectionErrorCodeType_USER_NOT_FOUND&ConnectionErrorCodeType_USER_LOGGED_IN'ConnectionErrorCodeType_USER_LOCKED_OUT(ConnectionErrorCodeType_SUBNET_NOT_FOUND&ConnectionErrorCodeType_NETWORK_ERRORS+ConnectionErrorCodeType_INVALID_CREDENTIALS&ConnectionErrorCodeType_INTERNAL_ERROR=ConnectionErrorCodeType_INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET2ConnectionErrorCodeType_INSUFFICIENT_CLOUDHSM_HSMS)ConnectionErrorCodeType_CLUSTER_NOT_FOUND$fShowConnectionErrorCodeType$fReadConnectionErrorCodeType$fEqConnectionErrorCodeType$fOrdConnectionErrorCodeType $fGenericConnectionErrorCodeType!$fHashableConnectionErrorCodeType$fNFDataConnectionErrorCodeType!$fFromTextConnectionErrorCodeType$fToTextConnectionErrorCodeType%$fToByteStringConnectionErrorCodeType$fToLogConnectionErrorCodeType!$fToHeaderConnectionErrorCodeType $fToQueryConnectionErrorCodeType!$fFromJSONConnectionErrorCodeType$$fFromJSONKeyConnectionErrorCodeType$fToJSONConnectionErrorCodeType"$fToJSONKeyConnectionErrorCodeType $fFromXMLConnectionErrorCodeType$fToXMLConnectionErrorCodeTypeConnectionStateTypeConnectionStateType'fromConnectionStateTypeConnectionStateType_FAILED!ConnectionStateType_DISCONNECTING ConnectionStateType_DISCONNECTEDConnectionStateType_CONNECTINGConnectionStateType_CONNECTED$fShowConnectionStateType$fReadConnectionStateType$fEqConnectionStateType$fOrdConnectionStateType$fGenericConnectionStateType$fHashableConnectionStateType$fNFDataConnectionStateType$fFromTextConnectionStateType$fToTextConnectionStateType!$fToByteStringConnectionStateType$fToLogConnectionStateType$fToHeaderConnectionStateType$fToQueryConnectionStateType$fFromJSONConnectionStateType $fFromJSONKeyConnectionStateType$fToJSONConnectionStateType$fToJSONKeyConnectionStateType$fFromXMLConnectionStateType$fToXMLConnectionStateTypeCustomKeyStoreTypeCustomKeyStoreType'fromCustomKeyStoreType%CustomKeyStoreType_EXTERNAL_KEY_STORECustomKeyStoreType_AWS_CLOUDHSM$fShowCustomKeyStoreType$fReadCustomKeyStoreType$fEqCustomKeyStoreType$fOrdCustomKeyStoreType$fGenericCustomKeyStoreType$fHashableCustomKeyStoreType$fNFDataCustomKeyStoreType$fFromTextCustomKeyStoreType$fToTextCustomKeyStoreType $fToByteStringCustomKeyStoreType$fToLogCustomKeyStoreType$fToHeaderCustomKeyStoreType$fToQueryCustomKeyStoreType$fFromJSONCustomKeyStoreType$fFromJSONKeyCustomKeyStoreType$fToJSONCustomKeyStoreType$fToJSONKeyCustomKeyStoreType$fFromXMLCustomKeyStoreType$fToXMLCustomKeyStoreTypeCustomerMasterKeySpecCustomerMasterKeySpec'fromCustomerMasterKeySpec'CustomerMasterKeySpec_SYMMETRIC_DEFAULTCustomerMasterKeySpec_SM2CustomerMasterKeySpec_RSA_4096CustomerMasterKeySpec_RSA_3072CustomerMasterKeySpec_RSA_2048CustomerMasterKeySpec_HMAC_512CustomerMasterKeySpec_HMAC_384CustomerMasterKeySpec_HMAC_256CustomerMasterKeySpec_HMAC_224%CustomerMasterKeySpec_ECC_SECG_P256K1#CustomerMasterKeySpec_ECC_NIST_P521#CustomerMasterKeySpec_ECC_NIST_P384#CustomerMasterKeySpec_ECC_NIST_P256$fShowCustomerMasterKeySpec$fReadCustomerMasterKeySpec$fEqCustomerMasterKeySpec$fOrdCustomerMasterKeySpec$fGenericCustomerMasterKeySpec$fHashableCustomerMasterKeySpec$fNFDataCustomerMasterKeySpec$fFromTextCustomerMasterKeySpec$fToTextCustomerMasterKeySpec#$fToByteStringCustomerMasterKeySpec$fToLogCustomerMasterKeySpec$fToHeaderCustomerMasterKeySpec$fToQueryCustomerMasterKeySpec$fFromJSONCustomerMasterKeySpec"$fFromJSONKeyCustomerMasterKeySpec$fToJSONCustomerMasterKeySpec $fToJSONKeyCustomerMasterKeySpec$fFromXMLCustomerMasterKeySpec$fToXMLCustomerMasterKeySpecDataKeyPairSpecDataKeyPairSpec'fromDataKeyPairSpecDataKeyPairSpec_SM2DataKeyPairSpec_RSA_4096DataKeyPairSpec_RSA_3072DataKeyPairSpec_RSA_2048DataKeyPairSpec_ECC_SECG_P256K1DataKeyPairSpec_ECC_NIST_P521DataKeyPairSpec_ECC_NIST_P384DataKeyPairSpec_ECC_NIST_P256$fShowDataKeyPairSpec$fReadDataKeyPairSpec$fEqDataKeyPairSpec$fOrdDataKeyPairSpec$fGenericDataKeyPairSpec$fHashableDataKeyPairSpec$fNFDataDataKeyPairSpec$fFromTextDataKeyPairSpec$fToTextDataKeyPairSpec$fToByteStringDataKeyPairSpec$fToLogDataKeyPairSpec$fToHeaderDataKeyPairSpec$fToQueryDataKeyPairSpec$fFromJSONDataKeyPairSpec$fFromJSONKeyDataKeyPairSpec$fToJSONDataKeyPairSpec$fToJSONKeyDataKeyPairSpec$fFromXMLDataKeyPairSpec$fToXMLDataKeyPairSpecDataKeySpecDataKeySpec'fromDataKeySpecDataKeySpec_AES_256DataKeySpec_AES_128$fShowDataKeySpec$fReadDataKeySpec$fEqDataKeySpec$fOrdDataKeySpec$fGenericDataKeySpec$fHashableDataKeySpec$fNFDataDataKeySpec$fFromTextDataKeySpec$fToTextDataKeySpec$fToByteStringDataKeySpec$fToLogDataKeySpec$fToHeaderDataKeySpec$fToQueryDataKeySpec$fFromJSONDataKeySpec$fFromJSONKeyDataKeySpec$fToJSONDataKeySpec$fToJSONKeyDataKeySpec$fFromXMLDataKeySpec$fToXMLDataKeySpecEncryptionAlgorithmSpecEncryptionAlgorithmSpec'fromEncryptionAlgorithmSpec)EncryptionAlgorithmSpec_SYMMETRIC_DEFAULTEncryptionAlgorithmSpec_SM2PKE*EncryptionAlgorithmSpec_RSAES_OAEP_SHA_256(EncryptionAlgorithmSpec_RSAES_OAEP_SHA_1$fShowEncryptionAlgorithmSpec$fReadEncryptionAlgorithmSpec$fEqEncryptionAlgorithmSpec$fOrdEncryptionAlgorithmSpec $fGenericEncryptionAlgorithmSpec!$fHashableEncryptionAlgorithmSpec$fNFDataEncryptionAlgorithmSpec!$fFromTextEncryptionAlgorithmSpec$fToTextEncryptionAlgorithmSpec%$fToByteStringEncryptionAlgorithmSpec$fToLogEncryptionAlgorithmSpec!$fToHeaderEncryptionAlgorithmSpec $fToQueryEncryptionAlgorithmSpec!$fFromJSONEncryptionAlgorithmSpec$$fFromJSONKeyEncryptionAlgorithmSpec$fToJSONEncryptionAlgorithmSpec"$fToJSONKeyEncryptionAlgorithmSpec $fFromXMLEncryptionAlgorithmSpec$fToXMLEncryptionAlgorithmSpecExpirationModelTypeExpirationModelType'fromExpirationModelType(ExpirationModelType_KEY_MATERIAL_EXPIRES0ExpirationModelType_KEY_MATERIAL_DOES_NOT_EXPIRE$fShowExpirationModelType$fReadExpirationModelType$fEqExpirationModelType$fOrdExpirationModelType$fGenericExpirationModelType$fHashableExpirationModelType$fNFDataExpirationModelType$fFromTextExpirationModelType$fToTextExpirationModelType!$fToByteStringExpirationModelType$fToLogExpirationModelType$fToHeaderExpirationModelType$fToQueryExpirationModelType$fFromJSONExpirationModelType $fFromJSONKeyExpirationModelType$fToJSONExpirationModelType$fToJSONKeyExpirationModelType$fFromXMLExpirationModelType$fToXMLExpirationModelTypeGrantConstraintsGrantConstraints'.$sel:encryptionContextEquals:GrantConstraints'.$sel:encryptionContextSubset:GrantConstraints'newGrantConstraints(grantConstraints_encryptionContextEquals(grantConstraints_encryptionContextSubset$fToJSONGrantConstraints$fNFDataGrantConstraints$fHashableGrantConstraints$fFromJSONGrantConstraints$fEqGrantConstraints$fReadGrantConstraints$fShowGrantConstraints$fGenericGrantConstraintsGrantOperationGrantOperation'fromGrantOperationGrantOperation_VerifyMacGrantOperation_VerifyGrantOperation_SignGrantOperation_RetireGrantGrantOperation_ReEncryptToGrantOperation_ReEncryptFromGrantOperation_GetPublicKeyGrantOperation_GenerateMac.GrantOperation_GenerateDataKeyWithoutPlaintext2GrantOperation_GenerateDataKeyPairWithoutPlaintext"GrantOperation_GenerateDataKeyPairGrantOperation_GenerateDataKeyGrantOperation_EncryptGrantOperation_DescribeKeyGrantOperation_DecryptGrantOperation_CreateGrant$fShowGrantOperation$fReadGrantOperation$fEqGrantOperation$fOrdGrantOperation$fGenericGrantOperation$fHashableGrantOperation$fNFDataGrantOperation$fFromTextGrantOperation$fToTextGrantOperation$fToByteStringGrantOperation$fToLogGrantOperation$fToHeaderGrantOperation$fToQueryGrantOperation$fFromJSONGrantOperation$fFromJSONKeyGrantOperation$fToJSONGrantOperation$fToJSONKeyGrantOperation$fFromXMLGrantOperation$fToXMLGrantOperationGrantListEntryGrantListEntry' $sel:constraints:GrantListEntry'!$sel:creationDate:GrantListEntry'$sel:grantId:GrantListEntry'%$sel:granteePrincipal:GrantListEntry'#$sel:issuingAccount:GrantListEntry'$sel:keyId:GrantListEntry'$sel:name:GrantListEntry'$sel:operations:GrantListEntry'&$sel:retiringPrincipal:GrantListEntry'newGrantListEntrygrantListEntry_constraintsgrantListEntry_creationDategrantListEntry_grantIdgrantListEntry_granteePrincipalgrantListEntry_issuingAccountgrantListEntry_keyIdgrantListEntry_namegrantListEntry_operations grantListEntry_retiringPrincipal$fNFDataGrantListEntry$fHashableGrantListEntry$fFromJSONGrantListEntry$fEqGrantListEntry$fReadGrantListEntry$fShowGrantListEntry$fGenericGrantListEntryKeyListEntryKeyListEntry'$sel:keyArn:KeyListEntry'$sel:keyId:KeyListEntry'newKeyListEntrykeyListEntry_keyArnkeyListEntry_keyId$fNFDataKeyListEntry$fHashableKeyListEntry$fFromJSONKeyListEntry$fEqKeyListEntry$fReadKeyListEntry$fShowKeyListEntry$fGenericKeyListEntryKeyManagerTypeKeyManagerType'fromKeyManagerTypeKeyManagerType_CUSTOMERKeyManagerType_AWS$fShowKeyManagerType$fReadKeyManagerType$fEqKeyManagerType$fOrdKeyManagerType$fGenericKeyManagerType$fHashableKeyManagerType$fNFDataKeyManagerType$fFromTextKeyManagerType$fToTextKeyManagerType$fToByteStringKeyManagerType$fToLogKeyManagerType$fToHeaderKeyManagerType$fToQueryKeyManagerType$fFromJSONKeyManagerType$fFromJSONKeyKeyManagerType$fToJSONKeyManagerType$fToJSONKeyKeyManagerType$fFromXMLKeyManagerType$fToXMLKeyManagerTypeKeySpecKeySpec'fromKeySpecKeySpec_SYMMETRIC_DEFAULTKeySpec_SM2KeySpec_RSA_4096KeySpec_RSA_3072KeySpec_RSA_2048KeySpec_HMAC_512KeySpec_HMAC_384KeySpec_HMAC_256KeySpec_HMAC_224KeySpec_ECC_SECG_P256K1KeySpec_ECC_NIST_P521KeySpec_ECC_NIST_P384KeySpec_ECC_NIST_P256$fShowKeySpec$fReadKeySpec$fEqKeySpec$fOrdKeySpec$fGenericKeySpec$fHashableKeySpec$fNFDataKeySpec$fFromTextKeySpec$fToTextKeySpec$fToByteStringKeySpec$fToLogKeySpec$fToHeaderKeySpec$fToQueryKeySpec$fFromJSONKeySpec$fFromJSONKeyKeySpec$fToJSONKeySpec$fToJSONKeyKeySpec$fFromXMLKeySpec$fToXMLKeySpecKeyState	KeyState'fromKeyStateKeyState_UpdatingKeyState_UnavailableKeyState_PendingReplicaDeletionKeyState_PendingImportKeyState_PendingDeletionKeyState_EnabledKeyState_DisabledKeyState_Creating$fShowKeyState$fReadKeyState$fEqKeyState$fOrdKeyState$fGenericKeyState$fHashableKeyState$fNFDataKeyState$fFromTextKeyState$fToTextKeyState$fToByteStringKeyState$fToLogKeyState$fToHeaderKeyState$fToQueryKeyState$fFromJSONKeyState$fFromJSONKeyKeyState$fToJSONKeyState$fToJSONKeyKeyState$fFromXMLKeyState$fToXMLKeyStateKeyUsageTypeKeyUsageType'fromKeyUsageTypeKeyUsageType_SIGN_VERIFY KeyUsageType_GENERATE_VERIFY_MACKeyUsageType_ENCRYPT_DECRYPT$fShowKeyUsageType$fReadKeyUsageType$fEqKeyUsageType$fOrdKeyUsageType$fGenericKeyUsageType$fHashableKeyUsageType$fNFDataKeyUsageType$fFromTextKeyUsageType$fToTextKeyUsageType$fToByteStringKeyUsageType$fToLogKeyUsageType$fToHeaderKeyUsageType$fToQueryKeyUsageType$fFromJSONKeyUsageType$fFromJSONKeyKeyUsageType$fToJSONKeyUsageType$fToJSONKeyKeyUsageType$fFromXMLKeyUsageType$fToXMLKeyUsageTypeListGrantsResponseListGrantsResponse'$sel:grants:ListGrantsResponse'#$sel:nextMarker:ListGrantsResponse'"$sel:truncated:ListGrantsResponse'newListGrantsResponselistGrantsResponse_grantslistGrantsResponse_nextMarkerlistGrantsResponse_truncated$fNFDataListGrantsResponse$fHashableListGrantsResponse$fFromJSONListGrantsResponse$fEqListGrantsResponse$fReadListGrantsResponse$fShowListGrantsResponse$fGenericListGrantsResponseMacAlgorithmSpecMacAlgorithmSpec'fromMacAlgorithmSpecMacAlgorithmSpec_HMAC_SHA_512MacAlgorithmSpec_HMAC_SHA_384MacAlgorithmSpec_HMAC_SHA_256MacAlgorithmSpec_HMAC_SHA_224$fShowMacAlgorithmSpec$fReadMacAlgorithmSpec$fEqMacAlgorithmSpec$fOrdMacAlgorithmSpec$fGenericMacAlgorithmSpec$fHashableMacAlgorithmSpec$fNFDataMacAlgorithmSpec$fFromTextMacAlgorithmSpec$fToTextMacAlgorithmSpec$fToByteStringMacAlgorithmSpec$fToLogMacAlgorithmSpec$fToHeaderMacAlgorithmSpec$fToQueryMacAlgorithmSpec$fFromJSONMacAlgorithmSpec$fFromJSONKeyMacAlgorithmSpec$fToJSONMacAlgorithmSpec$fToJSONKeyMacAlgorithmSpec$fFromXMLMacAlgorithmSpec$fToXMLMacAlgorithmSpecMessageTypeMessageType'fromMessageTypeMessageType_RAWMessageType_DIGEST$fShowMessageType$fReadMessageType$fEqMessageType$fOrdMessageType$fGenericMessageType$fHashableMessageType$fNFDataMessageType$fFromTextMessageType$fToTextMessageType$fToByteStringMessageType$fToLogMessageType$fToHeaderMessageType$fToQueryMessageType$fFromJSONMessageType$fFromJSONKeyMessageType$fToJSONMessageType$fToJSONKeyMessageType$fFromXMLMessageType$fToXMLMessageTypeMultiRegionKeyMultiRegionKey'$sel:arn:MultiRegionKey'$sel:region:MultiRegionKey'newMultiRegionKeymultiRegionKey_arnmultiRegionKey_region$fNFDataMultiRegionKey$fHashableMultiRegionKey$fFromJSONMultiRegionKey$fEqMultiRegionKey$fReadMultiRegionKey$fShowMultiRegionKey$fGenericMultiRegionKeyMultiRegionKeyTypeMultiRegionKeyType'fromMultiRegionKeyTypeMultiRegionKeyType_REPLICAMultiRegionKeyType_PRIMARY$fShowMultiRegionKeyType$fReadMultiRegionKeyType$fEqMultiRegionKeyType$fOrdMultiRegionKeyType$fGenericMultiRegionKeyType$fHashableMultiRegionKeyType$fNFDataMultiRegionKeyType$fFromTextMultiRegionKeyType$fToTextMultiRegionKeyType $fToByteStringMultiRegionKeyType$fToLogMultiRegionKeyType$fToHeaderMultiRegionKeyType$fToQueryMultiRegionKeyType$fFromJSONMultiRegionKeyType$fFromJSONKeyMultiRegionKeyType$fToJSONMultiRegionKeyType$fToJSONKeyMultiRegionKeyType$fFromXMLMultiRegionKeyType$fToXMLMultiRegionKeyTypeMultiRegionConfigurationMultiRegionConfiguration'1$sel:multiRegionKeyType:MultiRegionConfiguration')$sel:primaryKey:MultiRegionConfiguration'*$sel:replicaKeys:MultiRegionConfiguration'newMultiRegionConfiguration+multiRegionConfiguration_multiRegionKeyType#multiRegionConfiguration_primaryKey$multiRegionConfiguration_replicaKeys $fNFDataMultiRegionConfiguration"$fHashableMultiRegionConfiguration"$fFromJSONMultiRegionConfiguration$fEqMultiRegionConfiguration$fReadMultiRegionConfiguration$fShowMultiRegionConfiguration!$fGenericMultiRegionConfiguration
OriginTypeOriginType'fromOriginTypeOriginType_EXTERNAL_KEY_STOREOriginType_EXTERNALOriginType_AWS_KMSOriginType_AWS_CLOUDHSM$fShowOriginType$fReadOriginType$fEqOriginType$fOrdOriginType$fGenericOriginType$fHashableOriginType$fNFDataOriginType$fFromTextOriginType$fToTextOriginType$fToByteStringOriginType$fToLogOriginType$fToHeaderOriginType$fToQueryOriginType$fFromJSONOriginType$fFromJSONKeyOriginType$fToJSONOriginType$fToJSONKeyOriginType$fFromXMLOriginType$fToXMLOriginTypeSigningAlgorithmSpecSigningAlgorithmSpec'fromSigningAlgorithmSpecSigningAlgorithmSpec_SM2DSA'SigningAlgorithmSpec_RSASSA_PSS_SHA_512'SigningAlgorithmSpec_RSASSA_PSS_SHA_384'SigningAlgorithmSpec_RSASSA_PSS_SHA_256.SigningAlgorithmSpec_RSASSA_PKCS1_V1_5_SHA_512.SigningAlgorithmSpec_RSASSA_PKCS1_V1_5_SHA_384.SigningAlgorithmSpec_RSASSA_PKCS1_V1_5_SHA_256"SigningAlgorithmSpec_ECDSA_SHA_512"SigningAlgorithmSpec_ECDSA_SHA_384"SigningAlgorithmSpec_ECDSA_SHA_256$fShowSigningAlgorithmSpec$fReadSigningAlgorithmSpec$fEqSigningAlgorithmSpec$fOrdSigningAlgorithmSpec$fGenericSigningAlgorithmSpec$fHashableSigningAlgorithmSpec$fNFDataSigningAlgorithmSpec$fFromTextSigningAlgorithmSpec$fToTextSigningAlgorithmSpec"$fToByteStringSigningAlgorithmSpec$fToLogSigningAlgorithmSpec$fToHeaderSigningAlgorithmSpec$fToQuerySigningAlgorithmSpec$fFromJSONSigningAlgorithmSpec!$fFromJSONKeySigningAlgorithmSpec$fToJSONSigningAlgorithmSpec$fToJSONKeySigningAlgorithmSpec$fFromXMLSigningAlgorithmSpec$fToXMLSigningAlgorithmSpecTagTag'$sel:tagKey:Tag'$sel:tagValue:Tag'newTag
tag_tagKeytag_tagValue$fToJSONTag$fNFDataTag$fHashableTag$fFromJSONTag$fEqTag	$fReadTag	$fShowTag$fGenericTagWrappingKeySpecWrappingKeySpec'fromWrappingKeySpecWrappingKeySpec_RSA_2048$fShowWrappingKeySpec$fReadWrappingKeySpec$fEqWrappingKeySpec$fOrdWrappingKeySpec$fGenericWrappingKeySpec$fHashableWrappingKeySpec$fNFDataWrappingKeySpec$fFromTextWrappingKeySpec$fToTextWrappingKeySpec$fToByteStringWrappingKeySpec$fToLogWrappingKeySpec$fToHeaderWrappingKeySpec$fToQueryWrappingKeySpec$fFromJSONWrappingKeySpec$fFromJSONKeyWrappingKeySpec$fToJSONWrappingKeySpec$fToJSONKeyWrappingKeySpec$fFromXMLWrappingKeySpec$fToXMLWrappingKeySpecXksKeyConfigurationTypeXksKeyConfigurationType' $sel:id:XksKeyConfigurationType'newXksKeyConfigurationTypexksKeyConfigurationType_id$fNFDataXksKeyConfigurationType!$fHashableXksKeyConfigurationType!$fFromJSONXksKeyConfigurationType$fEqXksKeyConfigurationType$fReadXksKeyConfigurationType$fShowXksKeyConfigurationType $fGenericXksKeyConfigurationTypeKeyMetadataKeyMetadata'$sel:aWSAccountId:KeyMetadata'$sel:arn:KeyMetadata'#$sel:cloudHsmClusterId:KeyMetadata'$sel:creationDate:KeyMetadata'"$sel:customKeyStoreId:KeyMetadata''$sel:customerMasterKeySpec:KeyMetadata'$sel:deletionDate:KeyMetadata'$sel:description:KeyMetadata'$sel:enabled:KeyMetadata'&$sel:encryptionAlgorithms:KeyMetadata'!$sel:expirationModel:KeyMetadata'$sel:keyManager:KeyMetadata'$sel:keySpec:KeyMetadata'$sel:keyState:KeyMetadata'$sel:keyUsage:KeyMetadata'$sel:macAlgorithms:KeyMetadata'$sel:multiRegion:KeyMetadata'*$sel:multiRegionConfiguration:KeyMetadata'$sel:origin:KeyMetadata'-$sel:pendingDeletionWindowInDays:KeyMetadata'#$sel:signingAlgorithms:KeyMetadata'$sel:validTo:KeyMetadata'%$sel:xksKeyConfiguration:KeyMetadata'$sel:keyId:KeyMetadata'newKeyMetadatakeyMetadata_aWSAccountIdkeyMetadata_arnkeyMetadata_cloudHsmClusterIdkeyMetadata_creationDatekeyMetadata_customKeyStoreId!keyMetadata_customerMasterKeySpeckeyMetadata_deletionDatekeyMetadata_descriptionkeyMetadata_enabled keyMetadata_encryptionAlgorithmskeyMetadata_expirationModelkeyMetadata_keyManagerkeyMetadata_keySpeckeyMetadata_keyStatekeyMetadata_keyUsagekeyMetadata_macAlgorithmskeyMetadata_multiRegion$keyMetadata_multiRegionConfigurationkeyMetadata_origin'keyMetadata_pendingDeletionWindowInDayskeyMetadata_signingAlgorithmskeyMetadata_validTokeyMetadata_xksKeyConfigurationkeyMetadata_keyId$fNFDataKeyMetadata$fHashableKeyMetadata$fFromJSONKeyMetadata$fEqKeyMetadata$fReadKeyMetadata$fShowKeyMetadata$fGenericKeyMetadata$XksProxyAuthenticationCredentialType%XksProxyAuthenticationCredentialType'6$sel:accessKeyId:XksProxyAuthenticationCredentialType'=$sel:rawSecretAccessKey:XksProxyAuthenticationCredentialType''newXksProxyAuthenticationCredentialType0xksProxyAuthenticationCredentialType_accessKeyId7xksProxyAuthenticationCredentialType_rawSecretAccessKey,$fToJSONXksProxyAuthenticationCredentialType,$fNFDataXksProxyAuthenticationCredentialType.$fHashableXksProxyAuthenticationCredentialType($fEqXksProxyAuthenticationCredentialType*$fShowXksProxyAuthenticationCredentialType-$fGenericXksProxyAuthenticationCredentialTypeXksProxyConnectivityTypeXksProxyConnectivityType'fromXksProxyConnectivityType-XksProxyConnectivityType_VPC_ENDPOINT_SERVICE(XksProxyConnectivityType_PUBLIC_ENDPOINT$fShowXksProxyConnectivityType$fReadXksProxyConnectivityType$fEqXksProxyConnectivityType$fOrdXksProxyConnectivityType!$fGenericXksProxyConnectivityType"$fHashableXksProxyConnectivityType $fNFDataXksProxyConnectivityType"$fFromTextXksProxyConnectivityType $fToTextXksProxyConnectivityType&$fToByteStringXksProxyConnectivityType$fToLogXksProxyConnectivityType"$fToHeaderXksProxyConnectivityType!$fToQueryXksProxyConnectivityType"$fFromJSONXksProxyConnectivityType%$fFromJSONKeyXksProxyConnectivityType $fToJSONXksProxyConnectivityType#$fToJSONKeyXksProxyConnectivityType!$fFromXMLXksProxyConnectivityType$fToXMLXksProxyConnectivityTypeXksProxyConfigurationTypeXksProxyConfigurationType'+$sel:accessKeyId:XksProxyConfigurationType',$sel:connectivity:XksProxyConfigurationType'+$sel:uriEndpoint:XksProxyConfigurationType''$sel:uriPath:XksProxyConfigurationType'6$sel:vpcEndpointServiceName:XksProxyConfigurationType'newXksProxyConfigurationType%xksProxyConfigurationType_accessKeyId&xksProxyConfigurationType_connectivity%xksProxyConfigurationType_uriEndpoint!xksProxyConfigurationType_uriPath0xksProxyConfigurationType_vpcEndpointServiceName!$fNFDataXksProxyConfigurationType#$fHashableXksProxyConfigurationType#$fFromJSONXksProxyConfigurationType$fEqXksProxyConfigurationType$fShowXksProxyConfigurationType"$fGenericXksProxyConfigurationTypeCustomKeyStoresListEntryCustomKeyStoresListEntry'0$sel:cloudHsmClusterId:CustomKeyStoresListEntry'2$sel:connectionErrorCode:CustomKeyStoresListEntry'.$sel:connectionState:CustomKeyStoresListEntry'+$sel:creationDate:CustomKeyStoresListEntry'/$sel:customKeyStoreId:CustomKeyStoresListEntry'1$sel:customKeyStoreName:CustomKeyStoresListEntry'1$sel:customKeyStoreType:CustomKeyStoresListEntry'5$sel:trustAnchorCertificate:CustomKeyStoresListEntry'4$sel:xksProxyConfiguration:CustomKeyStoresListEntry'newCustomKeyStoresListEntry*customKeyStoresListEntry_cloudHsmClusterId,customKeyStoresListEntry_connectionErrorCode(customKeyStoresListEntry_connectionState%customKeyStoresListEntry_creationDate)customKeyStoresListEntry_customKeyStoreId+customKeyStoresListEntry_customKeyStoreName+customKeyStoresListEntry_customKeyStoreType/customKeyStoresListEntry_trustAnchorCertificate.customKeyStoresListEntry_xksProxyConfiguration $fNFDataCustomKeyStoresListEntry"$fHashableCustomKeyStoresListEntry"$fFromJSONCustomKeyStoresListEntry$fEqCustomKeyStoresListEntry$fShowCustomKeyStoresListEntry!$fGenericCustomKeyStoresListEntrydefaultService_AlreadyExistsException_CloudHsmClusterInUseException-_CloudHsmClusterInvalidConfigurationException"_CloudHsmClusterNotActiveException!_CloudHsmClusterNotFoundException#_CloudHsmClusterNotRelatedException_CustomKeyStoreHasCMKsException$_CustomKeyStoreInvalidStateException!_CustomKeyStoreNameInUseException _CustomKeyStoreNotFoundException_DependencyTimeoutException_DisabledException_ExpiredImportTokenException_IncorrectKeyException_IncorrectKeyMaterialException_IncorrectTrustAnchorException_InvalidAliasNameException_InvalidArnException_InvalidCiphertextException_InvalidGrantIdException_InvalidGrantTokenException_InvalidImportTokenException_InvalidKeyUsageException_InvalidMarkerException_KMSInternalException_KMSInvalidMacException_KMSInvalidSignatureException_KMSInvalidStateException_KeyUnavailableException_LimitExceededException!_MalformedPolicyDocumentException_NotFoundException_TagException_UnsupportedOperationException_XksKeyAlreadyInUseException$_XksKeyInvalidConfigurationException_XksKeyNotFoundException3_XksProxyIncorrectAuthenticationCredentialException&_XksProxyInvalidConfigurationException!_XksProxyInvalidResponseException"_XksProxyUriEndpointInUseException_XksProxyUriInUseException _XksProxyUriUnreachableException)_XksProxyVpcEndpointServiceInUseException8_XksProxyVpcEndpointServiceInvalidConfigurationException,_XksProxyVpcEndpointServiceNotFoundExceptionTagResourceResponseTagResourceResponse'TagResourceTagResource'$sel:keyId:TagResource'$sel:tags:TagResource'newTagResourcetagResource_keyIdtagResource_tagsnewTagResourceResponse$fToQueryTagResource$fToPathTagResource$fToJSONTagResource$fToHeadersTagResource$fNFDataTagResource$fHashableTagResource$fNFDataTagResourceResponse$fAWSRequestTagResource$fEqTagResourceResponse$fReadTagResourceResponse$fShowTagResourceResponse$fGenericTagResourceResponse$fEqTagResource$fReadTagResource$fShowTagResource$fGenericTagResourceSignResponseSignResponse'$sel:keyId:SignResponse'$sel:signature:SignResponse'#$sel:signingAlgorithm:SignResponse'$sel:httpStatus:SignResponse'SignSign'$sel:grantTokens:Sign'$sel:messageType:Sign'$sel:keyId:Sign'$sel:message:Sign'$sel:signingAlgorithm:Sign'newSignsign_grantTokenssign_messageType
sign_keyIdsign_messagesign_signingAlgorithmnewSignResponsesignResponse_keyIdsignResponse_signaturesignResponse_signingAlgorithmsignResponse_httpStatus$fToQuerySign$fToPathSign$fToJSONSign$fToHeadersSign$fNFDataSign$fHashableSign$fNFDataSignResponse$fAWSRequestSign$fEqSignResponse$fReadSignResponse$fShowSignResponse$fGenericSignResponse$fEqSign
$fShowSign$fGenericSignScheduleKeyDeletionResponseScheduleKeyDeletionResponse'.$sel:deletionDate:ScheduleKeyDeletionResponse''$sel:keyId:ScheduleKeyDeletionResponse'*$sel:keyState:ScheduleKeyDeletionResponse'5$sel:pendingWindowInDays:ScheduleKeyDeletionResponse',$sel:httpStatus:ScheduleKeyDeletionResponse'ScheduleKeyDeletionScheduleKeyDeletion'-$sel:pendingWindowInDays:ScheduleKeyDeletion'$sel:keyId:ScheduleKeyDeletion'newScheduleKeyDeletion'scheduleKeyDeletion_pendingWindowInDaysscheduleKeyDeletion_keyIdnewScheduleKeyDeletionResponse(scheduleKeyDeletionResponse_deletionDate!scheduleKeyDeletionResponse_keyId$scheduleKeyDeletionResponse_keyState/scheduleKeyDeletionResponse_pendingWindowInDays&scheduleKeyDeletionResponse_httpStatus$fToQueryScheduleKeyDeletion$fToPathScheduleKeyDeletion$fToJSONScheduleKeyDeletion$fToHeadersScheduleKeyDeletion$fNFDataScheduleKeyDeletion$fHashableScheduleKeyDeletion#$fNFDataScheduleKeyDeletionResponse$fAWSRequestScheduleKeyDeletion$fEqScheduleKeyDeletionResponse!$fReadScheduleKeyDeletionResponse!$fShowScheduleKeyDeletionResponse$$fGenericScheduleKeyDeletionResponse$fEqScheduleKeyDeletion$fReadScheduleKeyDeletion$fShowScheduleKeyDeletion$fGenericScheduleKeyDeletionRevokeGrantResponseRevokeGrantResponse'RevokeGrantRevokeGrant'$sel:keyId:RevokeGrant'$sel:grantId:RevokeGrant'newRevokeGrantrevokeGrant_keyIdrevokeGrant_grantIdnewRevokeGrantResponse$fToQueryRevokeGrant$fToPathRevokeGrant$fToJSONRevokeGrant$fToHeadersRevokeGrant$fNFDataRevokeGrant$fHashableRevokeGrant$fNFDataRevokeGrantResponse$fAWSRequestRevokeGrant$fEqRevokeGrantResponse$fReadRevokeGrantResponse$fShowRevokeGrantResponse$fGenericRevokeGrantResponse$fEqRevokeGrant$fReadRevokeGrant$fShowRevokeGrant$fGenericRevokeGrantRetireGrantResponseRetireGrantResponse'RetireGrantRetireGrant'$sel:grantId:RetireGrant'$sel:grantToken:RetireGrant'$sel:keyId:RetireGrant'newRetireGrantretireGrant_grantIdretireGrant_grantTokenretireGrant_keyIdnewRetireGrantResponse$fToQueryRetireGrant$fToPathRetireGrant$fToJSONRetireGrant$fToHeadersRetireGrant$fNFDataRetireGrant$fHashableRetireGrant$fNFDataRetireGrantResponse$fAWSRequestRetireGrant$fEqRetireGrantResponse$fReadRetireGrantResponse$fShowRetireGrantResponse$fGenericRetireGrantResponse$fEqRetireGrant$fReadRetireGrant$fShowRetireGrant$fGenericRetireGrantReplicateKeyResponseReplicateKeyResponse'-$sel:replicaKeyMetadata:ReplicateKeyResponse'($sel:replicaPolicy:ReplicateKeyResponse'&$sel:replicaTags:ReplicateKeyResponse'%$sel:httpStatus:ReplicateKeyResponse'ReplicateKeyReplicateKey'1$sel:bypassPolicyLockoutSafetyCheck:ReplicateKey'$sel:description:ReplicateKey'$sel:policy:ReplicateKey'$sel:tags:ReplicateKey'$sel:keyId:ReplicateKey' $sel:replicaRegion:ReplicateKey'newReplicateKey+replicateKey_bypassPolicyLockoutSafetyCheckreplicateKey_descriptionreplicateKey_policyreplicateKey_tagsreplicateKey_keyIdreplicateKey_replicaRegionnewReplicateKeyResponse'replicateKeyResponse_replicaKeyMetadata"replicateKeyResponse_replicaPolicy replicateKeyResponse_replicaTagsreplicateKeyResponse_httpStatus$fToQueryReplicateKey$fToPathReplicateKey$fToJSONReplicateKey$fToHeadersReplicateKey$fNFDataReplicateKey$fHashableReplicateKey$fNFDataReplicateKeyResponse$fAWSRequestReplicateKey$fEqReplicateKeyResponse$fReadReplicateKeyResponse$fShowReplicateKeyResponse$fGenericReplicateKeyResponse$fEqReplicateKey$fReadReplicateKey$fShowReplicateKey$fGenericReplicateKeyReEncryptResponseReEncryptResponse'&$sel:ciphertextBlob:ReEncryptResponse'6$sel:destinationEncryptionAlgorithm:ReEncryptResponse'$sel:keyId:ReEncryptResponse'1$sel:sourceEncryptionAlgorithm:ReEncryptResponse'#$sel:sourceKeyId:ReEncryptResponse'"$sel:httpStatus:ReEncryptResponse'	ReEncrypt
ReEncrypt'.$sel:destinationEncryptionAlgorithm:ReEncrypt',$sel:destinationEncryptionContext:ReEncrypt'$sel:grantTokens:ReEncrypt')$sel:sourceEncryptionAlgorithm:ReEncrypt''$sel:sourceEncryptionContext:ReEncrypt'$sel:sourceKeyId:ReEncrypt'$sel:ciphertextBlob:ReEncrypt' $sel:destinationKeyId:ReEncrypt'newReEncrypt(reEncrypt_destinationEncryptionAlgorithm&reEncrypt_destinationEncryptionContextreEncrypt_grantTokens#reEncrypt_sourceEncryptionAlgorithm!reEncrypt_sourceEncryptionContextreEncrypt_sourceKeyIdreEncrypt_ciphertextBlobreEncrypt_destinationKeyIdnewReEncryptResponse reEncryptResponse_ciphertextBlob0reEncryptResponse_destinationEncryptionAlgorithmreEncryptResponse_keyId+reEncryptResponse_sourceEncryptionAlgorithmreEncryptResponse_sourceKeyIdreEncryptResponse_httpStatus$fToQueryReEncrypt$fToPathReEncrypt$fToJSONReEncrypt$fToHeadersReEncrypt$fNFDataReEncrypt$fHashableReEncrypt$fNFDataReEncryptResponse$fAWSRequestReEncrypt$fEqReEncryptResponse$fReadReEncryptResponse$fShowReEncryptResponse$fGenericReEncryptResponse$fEqReEncrypt$fReadReEncrypt$fShowReEncrypt$fGenericReEncryptPutKeyPolicyResponsePutKeyPolicyResponse'PutKeyPolicyPutKeyPolicy'1$sel:bypassPolicyLockoutSafetyCheck:PutKeyPolicy'$sel:keyId:PutKeyPolicy'$sel:policyName:PutKeyPolicy'$sel:policy:PutKeyPolicy'newPutKeyPolicy+putKeyPolicy_bypassPolicyLockoutSafetyCheckputKeyPolicy_keyIdputKeyPolicy_policyNameputKeyPolicy_policynewPutKeyPolicyResponse$fToQueryPutKeyPolicy$fToPathPutKeyPolicy$fToJSONPutKeyPolicy$fToHeadersPutKeyPolicy$fNFDataPutKeyPolicy$fHashablePutKeyPolicy$fNFDataPutKeyPolicyResponse$fAWSRequestPutKeyPolicy$fEqPutKeyPolicyResponse$fReadPutKeyPolicyResponse$fShowPutKeyPolicyResponse$fGenericPutKeyPolicyResponse$fEqPutKeyPolicy$fReadPutKeyPolicy$fShowPutKeyPolicy$fGenericPutKeyPolicyListRetirableGrantsListRetirableGrants'$sel:limit:ListRetirableGrants' $sel:marker:ListRetirableGrants'+$sel:retiringPrincipal:ListRetirableGrants'newListRetirableGrantslistRetirableGrants_limitlistRetirableGrants_marker%listRetirableGrants_retiringPrincipal$fToQueryListRetirableGrants$fToPathListRetirableGrants$fToJSONListRetirableGrants$fToHeadersListRetirableGrants$fNFDataListRetirableGrants$fHashableListRetirableGrants$fAWSRequestListRetirableGrants$fAWSPagerListRetirableGrants$fEqListRetirableGrants$fReadListRetirableGrants$fShowListRetirableGrants$fGenericListRetirableGrantsListResourceTagsResponseListResourceTagsResponse')$sel:nextMarker:ListResourceTagsResponse'#$sel:tags:ListResourceTagsResponse'($sel:truncated:ListResourceTagsResponse')$sel:httpStatus:ListResourceTagsResponse'ListResourceTagsListResourceTags'$sel:limit:ListResourceTags'$sel:marker:ListResourceTags'$sel:keyId:ListResourceTags'newListResourceTagslistResourceTags_limitlistResourceTags_markerlistResourceTags_keyIdnewListResourceTagsResponse#listResourceTagsResponse_nextMarkerlistResourceTagsResponse_tags"listResourceTagsResponse_truncated#listResourceTagsResponse_httpStatus$fToQueryListResourceTags$fToPathListResourceTags$fToJSONListResourceTags$fToHeadersListResourceTags$fNFDataListResourceTags$fHashableListResourceTags$fAWSPagerListResourceTags $fNFDataListResourceTagsResponse$fAWSRequestListResourceTags$fEqListResourceTagsResponse$fReadListResourceTagsResponse$fShowListResourceTagsResponse!$fGenericListResourceTagsResponse$fEqListResourceTags$fReadListResourceTags$fShowListResourceTags$fGenericListResourceTagsListKeysResponseListKeysResponse'$sel:keys:ListKeysResponse'!$sel:nextMarker:ListKeysResponse' $sel:truncated:ListKeysResponse'!$sel:httpStatus:ListKeysResponse'ListKeys	ListKeys'$sel:limit:ListKeys'$sel:marker:ListKeys'newListKeyslistKeys_limitlistKeys_markernewListKeysResponselistKeysResponse_keyslistKeysResponse_nextMarkerlistKeysResponse_truncatedlistKeysResponse_httpStatus$fToQueryListKeys$fToPathListKeys$fToJSONListKeys$fToHeadersListKeys$fNFDataListKeys$fHashableListKeys$fAWSPagerListKeys$fNFDataListKeysResponse$fAWSRequestListKeys$fEqListKeysResponse$fReadListKeysResponse$fShowListKeysResponse$fGenericListKeysResponse$fEqListKeys$fReadListKeys$fShowListKeys$fGenericListKeysListKeyPoliciesResponseListKeyPoliciesResponse'($sel:nextMarker:ListKeyPoliciesResponse')$sel:policyNames:ListKeyPoliciesResponse''$sel:truncated:ListKeyPoliciesResponse'($sel:httpStatus:ListKeyPoliciesResponse'ListKeyPoliciesListKeyPolicies'$sel:limit:ListKeyPolicies'$sel:marker:ListKeyPolicies'$sel:keyId:ListKeyPolicies'newListKeyPolicieslistKeyPolicies_limitlistKeyPolicies_markerlistKeyPolicies_keyIdnewListKeyPoliciesResponse"listKeyPoliciesResponse_nextMarker#listKeyPoliciesResponse_policyNames!listKeyPoliciesResponse_truncated"listKeyPoliciesResponse_httpStatus$fToQueryListKeyPolicies$fToPathListKeyPolicies$fToJSONListKeyPolicies$fToHeadersListKeyPolicies$fNFDataListKeyPolicies$fHashableListKeyPolicies$fAWSPagerListKeyPolicies$fNFDataListKeyPoliciesResponse$fAWSRequestListKeyPolicies$fEqListKeyPoliciesResponse$fReadListKeyPoliciesResponse$fShowListKeyPoliciesResponse $fGenericListKeyPoliciesResponse$fEqListKeyPolicies$fReadListKeyPolicies$fShowListKeyPolicies$fGenericListKeyPolicies
ListGrantsListGrants'$sel:grantId:ListGrants'!$sel:granteePrincipal:ListGrants'$sel:limit:ListGrants'$sel:marker:ListGrants'$sel:keyId:ListGrants'newListGrantslistGrants_grantIdlistGrants_granteePrincipallistGrants_limitlistGrants_markerlistGrants_keyId$fToQueryListGrants$fToPathListGrants$fToJSONListGrants$fToHeadersListGrants$fNFDataListGrants$fHashableListGrants$fAWSRequestListGrants$fAWSPagerListGrants$fEqListGrants$fReadListGrants$fShowListGrants$fGenericListGrantsListAliasesResponseListAliasesResponse'!$sel:aliases:ListAliasesResponse'$$sel:nextMarker:ListAliasesResponse'#$sel:truncated:ListAliasesResponse'$$sel:httpStatus:ListAliasesResponse'ListAliasesListAliases'$sel:keyId:ListAliases'$sel:limit:ListAliases'$sel:marker:ListAliases'newListAliaseslistAliases_keyIdlistAliases_limitlistAliases_markernewListAliasesResponselistAliasesResponse_aliaseslistAliasesResponse_nextMarkerlistAliasesResponse_truncatedlistAliasesResponse_httpStatus$fToQueryListAliases$fToPathListAliases$fToJSONListAliases$fToHeadersListAliases$fNFDataListAliases$fHashableListAliases$fAWSPagerListAliases$fNFDataListAliasesResponse$fAWSRequestListAliases$fEqListAliasesResponse$fReadListAliasesResponse$fShowListAliasesResponse$fGenericListAliasesResponse$fEqListAliases$fReadListAliases$fShowListAliases$fGenericListAliasesImportKeyMaterialResponseImportKeyMaterialResponse'*$sel:httpStatus:ImportKeyMaterialResponse'ImportKeyMaterialImportKeyMaterial''$sel:expirationModel:ImportKeyMaterial'$sel:validTo:ImportKeyMaterial'$sel:keyId:ImportKeyMaterial'#$sel:importToken:ImportKeyMaterial',$sel:encryptedKeyMaterial:ImportKeyMaterial'newImportKeyMaterial!importKeyMaterial_expirationModelimportKeyMaterial_validToimportKeyMaterial_keyIdimportKeyMaterial_importToken&importKeyMaterial_encryptedKeyMaterialnewImportKeyMaterialResponse$importKeyMaterialResponse_httpStatus$fToQueryImportKeyMaterial$fToPathImportKeyMaterial$fToJSONImportKeyMaterial$fToHeadersImportKeyMaterial$fNFDataImportKeyMaterial$fHashableImportKeyMaterial!$fNFDataImportKeyMaterialResponse$fAWSRequestImportKeyMaterial$fEqImportKeyMaterialResponse$fReadImportKeyMaterialResponse$fShowImportKeyMaterialResponse"$fGenericImportKeyMaterialResponse$fEqImportKeyMaterial$fReadImportKeyMaterial$fShowImportKeyMaterial$fGenericImportKeyMaterialGetPublicKeyResponseGetPublicKeyResponse'0$sel:customerMasterKeySpec:GetPublicKeyResponse'/$sel:encryptionAlgorithms:GetPublicKeyResponse' $sel:keyId:GetPublicKeyResponse'"$sel:keySpec:GetPublicKeyResponse'#$sel:keyUsage:GetPublicKeyResponse'$$sel:publicKey:GetPublicKeyResponse',$sel:signingAlgorithms:GetPublicKeyResponse'%$sel:httpStatus:GetPublicKeyResponse'GetPublicKeyGetPublicKey'$sel:grantTokens:GetPublicKey'$sel:keyId:GetPublicKey'newGetPublicKeygetPublicKey_grantTokensgetPublicKey_keyIdnewGetPublicKeyResponse*getPublicKeyResponse_customerMasterKeySpec)getPublicKeyResponse_encryptionAlgorithmsgetPublicKeyResponse_keyIdgetPublicKeyResponse_keySpecgetPublicKeyResponse_keyUsagegetPublicKeyResponse_publicKey&getPublicKeyResponse_signingAlgorithmsgetPublicKeyResponse_httpStatus$fToQueryGetPublicKey$fToPathGetPublicKey$fToJSONGetPublicKey$fToHeadersGetPublicKey$fNFDataGetPublicKey$fHashableGetPublicKey$fNFDataGetPublicKeyResponse$fAWSRequestGetPublicKey$fEqGetPublicKeyResponse$fReadGetPublicKeyResponse$fShowGetPublicKeyResponse$fGenericGetPublicKeyResponse$fEqGetPublicKey$fReadGetPublicKey$fShowGetPublicKey$fGenericGetPublicKeyGetParametersForImportResponseGetParametersForImportResponse'0$sel:importToken:GetParametersForImportResponse'*$sel:keyId:GetParametersForImportResponse'6$sel:parametersValidTo:GetParametersForImportResponse'.$sel:publicKey:GetParametersForImportResponse'/$sel:httpStatus:GetParametersForImportResponse'GetParametersForImportGetParametersForImport'"$sel:keyId:GetParametersForImport'.$sel:wrappingAlgorithm:GetParametersForImport',$sel:wrappingKeySpec:GetParametersForImport'newGetParametersForImportgetParametersForImport_keyId(getParametersForImport_wrappingAlgorithm&getParametersForImport_wrappingKeySpec!newGetParametersForImportResponse*getParametersForImportResponse_importToken$getParametersForImportResponse_keyId0getParametersForImportResponse_parametersValidTo(getParametersForImportResponse_publicKey)getParametersForImportResponse_httpStatus$fToQueryGetParametersForImport$fToPathGetParametersForImport$fToJSONGetParametersForImport!$fToHeadersGetParametersForImport$fNFDataGetParametersForImport $fHashableGetParametersForImport&$fNFDataGetParametersForImportResponse"$fAWSRequestGetParametersForImport"$fEqGetParametersForImportResponse$$fShowGetParametersForImportResponse'$fGenericGetParametersForImportResponse$fEqGetParametersForImport$fReadGetParametersForImport$fShowGetParametersForImport$fGenericGetParametersForImportGetKeyRotationStatusResponseGetKeyRotationStatusResponse'5$sel:keyRotationEnabled:GetKeyRotationStatusResponse'-$sel:httpStatus:GetKeyRotationStatusResponse'GetKeyRotationStatusGetKeyRotationStatus' $sel:keyId:GetKeyRotationStatus'newGetKeyRotationStatusgetKeyRotationStatus_keyIdnewGetKeyRotationStatusResponse/getKeyRotationStatusResponse_keyRotationEnabled'getKeyRotationStatusResponse_httpStatus$fToQueryGetKeyRotationStatus$fToPathGetKeyRotationStatus$fToJSONGetKeyRotationStatus$fToHeadersGetKeyRotationStatus$fNFDataGetKeyRotationStatus$fHashableGetKeyRotationStatus$$fNFDataGetKeyRotationStatusResponse $fAWSRequestGetKeyRotationStatus $fEqGetKeyRotationStatusResponse"$fReadGetKeyRotationStatusResponse"$fShowGetKeyRotationStatusResponse%$fGenericGetKeyRotationStatusResponse$fEqGetKeyRotationStatus$fReadGetKeyRotationStatus$fShowGetKeyRotationStatus$fGenericGetKeyRotationStatusGetKeyPolicyResponseGetKeyPolicyResponse'!$sel:policy:GetKeyPolicyResponse'%$sel:httpStatus:GetKeyPolicyResponse'GetKeyPolicyGetKeyPolicy'$sel:keyId:GetKeyPolicy'$sel:policyName:GetKeyPolicy'newGetKeyPolicygetKeyPolicy_keyIdgetKeyPolicy_policyNamenewGetKeyPolicyResponsegetKeyPolicyResponse_policygetKeyPolicyResponse_httpStatus$fToQueryGetKeyPolicy$fToPathGetKeyPolicy$fToJSONGetKeyPolicy$fToHeadersGetKeyPolicy$fNFDataGetKeyPolicy$fHashableGetKeyPolicy$fNFDataGetKeyPolicyResponse$fAWSRequestGetKeyPolicy$fEqGetKeyPolicyResponse$fReadGetKeyPolicyResponse$fShowGetKeyPolicyResponse$fGenericGetKeyPolicyResponse$fEqGetKeyPolicy$fReadGetKeyPolicy$fShowGetKeyPolicy$fGenericGetKeyPolicyGenerateRandomResponseGenerateRandomResponse'&$sel:plaintext:GenerateRandomResponse''$sel:httpStatus:GenerateRandomResponse'GenerateRandomGenerateRandom'%$sel:customKeyStoreId:GenerateRandom'"$sel:numberOfBytes:GenerateRandom'newGenerateRandomgenerateRandom_customKeyStoreIdgenerateRandom_numberOfBytesnewGenerateRandomResponse generateRandomResponse_plaintext!generateRandomResponse_httpStatus$fToQueryGenerateRandom$fToPathGenerateRandom$fToJSONGenerateRandom$fToHeadersGenerateRandom$fNFDataGenerateRandom$fHashableGenerateRandom$fNFDataGenerateRandomResponse$fAWSRequestGenerateRandom$fEqGenerateRandomResponse$fShowGenerateRandomResponse$fGenericGenerateRandomResponse$fEqGenerateRandom$fReadGenerateRandom$fShowGenerateRandom$fGenericGenerateRandomGenerateMacResponseGenerateMacResponse'$sel:keyId:GenerateMacResponse'$sel:mac:GenerateMacResponse'&$sel:macAlgorithm:GenerateMacResponse'$$sel:httpStatus:GenerateMacResponse'GenerateMacGenerateMac'$sel:grantTokens:GenerateMac'$sel:message:GenerateMac'$sel:keyId:GenerateMac'$sel:macAlgorithm:GenerateMac'newGenerateMacgenerateMac_grantTokensgenerateMac_messagegenerateMac_keyIdgenerateMac_macAlgorithmnewGenerateMacResponsegenerateMacResponse_keyIdgenerateMacResponse_mac generateMacResponse_macAlgorithmgenerateMacResponse_httpStatus$fToQueryGenerateMac$fToPathGenerateMac$fToJSONGenerateMac$fToHeadersGenerateMac$fNFDataGenerateMac$fHashableGenerateMac$fNFDataGenerateMacResponse$fAWSRequestGenerateMac$fEqGenerateMacResponse$fReadGenerateMacResponse$fShowGenerateMacResponse$fGenericGenerateMacResponse$fEqGenerateMac$fShowGenerateMac$fGenericGenerateMac'GenerateDataKeyWithoutPlaintextResponse(GenerateDataKeyWithoutPlaintextResponse'<$sel:ciphertextBlob:GenerateDataKeyWithoutPlaintextResponse'3$sel:keyId:GenerateDataKeyWithoutPlaintextResponse'8$sel:httpStatus:GenerateDataKeyWithoutPlaintextResponse'GenerateDataKeyWithoutPlaintext GenerateDataKeyWithoutPlaintext'7$sel:encryptionContext:GenerateDataKeyWithoutPlaintext'1$sel:grantTokens:GenerateDataKeyWithoutPlaintext'-$sel:keySpec:GenerateDataKeyWithoutPlaintext'3$sel:numberOfBytes:GenerateDataKeyWithoutPlaintext'+$sel:keyId:GenerateDataKeyWithoutPlaintext'"newGenerateDataKeyWithoutPlaintext1generateDataKeyWithoutPlaintext_encryptionContext+generateDataKeyWithoutPlaintext_grantTokens'generateDataKeyWithoutPlaintext_keySpec-generateDataKeyWithoutPlaintext_numberOfBytes%generateDataKeyWithoutPlaintext_keyId*newGenerateDataKeyWithoutPlaintextResponse6generateDataKeyWithoutPlaintextResponse_ciphertextBlob-generateDataKeyWithoutPlaintextResponse_keyId2generateDataKeyWithoutPlaintextResponse_httpStatus($fToQueryGenerateDataKeyWithoutPlaintext'$fToPathGenerateDataKeyWithoutPlaintext'$fToJSONGenerateDataKeyWithoutPlaintext*$fToHeadersGenerateDataKeyWithoutPlaintext'$fNFDataGenerateDataKeyWithoutPlaintext)$fHashableGenerateDataKeyWithoutPlaintext/$fNFDataGenerateDataKeyWithoutPlaintextResponse+$fAWSRequestGenerateDataKeyWithoutPlaintext+$fEqGenerateDataKeyWithoutPlaintextResponse-$fReadGenerateDataKeyWithoutPlaintextResponse-$fShowGenerateDataKeyWithoutPlaintextResponse0$fGenericGenerateDataKeyWithoutPlaintextResponse#$fEqGenerateDataKeyWithoutPlaintext%$fReadGenerateDataKeyWithoutPlaintext%$fShowGenerateDataKeyWithoutPlaintext($fGenericGenerateDataKeyWithoutPlaintext+GenerateDataKeyPairWithoutPlaintextResponse,GenerateDataKeyPairWithoutPlaintextResponse'7$sel:keyId:GenerateDataKeyPairWithoutPlaintextResponse'=$sel:keyPairSpec:GenerateDataKeyPairWithoutPlaintextResponse'Ê $sel:privateKeyCiphertextBlob:GenerateDataKeyPairWithoutPlaintextResponse';$sel:publicKey:GenerateDataKeyPairWithoutPlaintextResponse'<$sel:httpStatus:GenerateDataKeyPairWithoutPlaintextResponse'#GenerateDataKeyPairWithoutPlaintext$GenerateDataKeyPairWithoutPlaintext';$sel:encryptionContext:GenerateDataKeyPairWithoutPlaintext'5$sel:grantTokens:GenerateDataKeyPairWithoutPlaintext'/$sel:keyId:GenerateDataKeyPairWithoutPlaintext'5$sel:keyPairSpec:GenerateDataKeyPairWithoutPlaintext'&newGenerateDataKeyPairWithoutPlaintext5generateDataKeyPairWithoutPlaintext_encryptionContext/generateDataKeyPairWithoutPlaintext_grantTokens)generateDataKeyPairWithoutPlaintext_keyId/generateDataKeyPairWithoutPlaintext_keyPairSpec.newGenerateDataKeyPairWithoutPlaintextResponse1generateDataKeyPairWithoutPlaintextResponse_keyId7generateDataKeyPairWithoutPlaintextResponse_keyPairSpecÄ generateDataKeyPairWithoutPlaintextResponse_privateKeyCiphertextBlob5generateDataKeyPairWithoutPlaintextResponse_publicKey6generateDataKeyPairWithoutPlaintextResponse_httpStatus,$fToQueryGenerateDataKeyPairWithoutPlaintext+$fToPathGenerateDataKeyPairWithoutPlaintext+$fToJSONGenerateDataKeyPairWithoutPlaintext.$fToHeadersGenerateDataKeyPairWithoutPlaintext+$fNFDataGenerateDataKeyPairWithoutPlaintext-$fHashableGenerateDataKeyPairWithoutPlaintext3$fNFDataGenerateDataKeyPairWithoutPlaintextResponse/$fAWSRequestGenerateDataKeyPairWithoutPlaintext/$fEqGenerateDataKeyPairWithoutPlaintextResponse1$fReadGenerateDataKeyPairWithoutPlaintextResponse1$fShowGenerateDataKeyPairWithoutPlaintextResponse4$fGenericGenerateDataKeyPairWithoutPlaintextResponse'$fEqGenerateDataKeyPairWithoutPlaintext)$fReadGenerateDataKeyPairWithoutPlaintext)$fShowGenerateDataKeyPairWithoutPlaintext,$fGenericGenerateDataKeyPairWithoutPlaintextGenerateDataKeyPairResponseGenerateDataKeyPairResponse''$sel:keyId:GenerateDataKeyPairResponse'-$sel:keyPairSpec:GenerateDataKeyPairResponse':$sel:privateKeyCiphertextBlob:GenerateDataKeyPairResponse'5$sel:privateKeyPlaintext:GenerateDataKeyPairResponse'+$sel:publicKey:GenerateDataKeyPairResponse',$sel:httpStatus:GenerateDataKeyPairResponse'GenerateDataKeyPairGenerateDataKeyPair'+$sel:encryptionContext:GenerateDataKeyPair'%$sel:grantTokens:GenerateDataKeyPair'$sel:keyId:GenerateDataKeyPair'%$sel:keyPairSpec:GenerateDataKeyPair'newGenerateDataKeyPair%generateDataKeyPair_encryptionContextgenerateDataKeyPair_grantTokensgenerateDataKeyPair_keyIdgenerateDataKeyPair_keyPairSpecnewGenerateDataKeyPairResponse!generateDataKeyPairResponse_keyId'generateDataKeyPairResponse_keyPairSpec4generateDataKeyPairResponse_privateKeyCiphertextBlob/generateDataKeyPairResponse_privateKeyPlaintext%generateDataKeyPairResponse_publicKey&generateDataKeyPairResponse_httpStatus$fToQueryGenerateDataKeyPair$fToPathGenerateDataKeyPair$fToJSONGenerateDataKeyPair$fToHeadersGenerateDataKeyPair$fNFDataGenerateDataKeyPair$fHashableGenerateDataKeyPair#$fNFDataGenerateDataKeyPairResponse$fAWSRequestGenerateDataKeyPair$fEqGenerateDataKeyPairResponse!$fShowGenerateDataKeyPairResponse$$fGenericGenerateDataKeyPairResponse$fEqGenerateDataKeyPair$fReadGenerateDataKeyPair$fShowGenerateDataKeyPair$fGenericGenerateDataKeyPairGenerateDataKeyResponseGenerateDataKeyResponse'($sel:httpStatus:GenerateDataKeyResponse'#$sel:keyId:GenerateDataKeyResponse''$sel:plaintext:GenerateDataKeyResponse',$sel:ciphertextBlob:GenerateDataKeyResponse'GenerateDataKeyGenerateDataKey''$sel:encryptionContext:GenerateDataKey'!$sel:grantTokens:GenerateDataKey'$sel:keySpec:GenerateDataKey'#$sel:numberOfBytes:GenerateDataKey'$sel:keyId:GenerateDataKey'newGenerateDataKey!generateDataKey_encryptionContextgenerateDataKey_grantTokensgenerateDataKey_keySpecgenerateDataKey_numberOfBytesgenerateDataKey_keyIdnewGenerateDataKeyResponse"generateDataKeyResponse_httpStatusgenerateDataKeyResponse_keyId!generateDataKeyResponse_plaintext&generateDataKeyResponse_ciphertextBlob$fToQueryGenerateDataKey$fToPathGenerateDataKey$fToJSONGenerateDataKey$fToHeadersGenerateDataKey$fNFDataGenerateDataKey$fHashableGenerateDataKey$fNFDataGenerateDataKeyResponse$fAWSRequestGenerateDataKey$fEqGenerateDataKeyResponse$fShowGenerateDataKeyResponse $fGenericGenerateDataKeyResponse$fEqGenerateDataKey$fReadGenerateDataKey$fShowGenerateDataKey$fGenericGenerateDataKeyEncryptResponseEncryptResponse'$$sel:ciphertextBlob:EncryptResponse')$sel:encryptionAlgorithm:EncryptResponse'$sel:keyId:EncryptResponse' $sel:httpStatus:EncryptResponse'EncryptEncrypt'!$sel:encryptionAlgorithm:Encrypt'$sel:encryptionContext:Encrypt'$sel:grantTokens:Encrypt'$sel:keyId:Encrypt'$sel:plaintext:Encrypt'
newEncryptencrypt_encryptionAlgorithmencrypt_encryptionContextencrypt_grantTokensencrypt_keyIdencrypt_plaintextnewEncryptResponseencryptResponse_ciphertextBlob#encryptResponse_encryptionAlgorithmencryptResponse_keyIdencryptResponse_httpStatus$fToQueryEncrypt$fToPathEncrypt$fToJSONEncrypt$fToHeadersEncrypt$fNFDataEncrypt$fHashableEncrypt$fNFDataEncryptResponse$fAWSRequestEncrypt$fEqEncryptResponse$fReadEncryptResponse$fShowEncryptResponse$fGenericEncryptResponse$fEqEncrypt$fShowEncrypt$fGenericEncryptEnableKeyRotationResponseEnableKeyRotationResponse'EnableKeyRotationEnableKeyRotation'$sel:keyId:EnableKeyRotation'newEnableKeyRotationenableKeyRotation_keyIdnewEnableKeyRotationResponse$fToQueryEnableKeyRotation$fToPathEnableKeyRotation$fToJSONEnableKeyRotation$fToHeadersEnableKeyRotation$fNFDataEnableKeyRotation$fHashableEnableKeyRotation!$fNFDataEnableKeyRotationResponse$fAWSRequestEnableKeyRotation$fEqEnableKeyRotationResponse$fReadEnableKeyRotationResponse$fShowEnableKeyRotationResponse"$fGenericEnableKeyRotationResponse$fEqEnableKeyRotation$fReadEnableKeyRotation$fShowEnableKeyRotation$fGenericEnableKeyRotationEnableKeyResponseEnableKeyResponse'	EnableKey
EnableKey'$sel:keyId:EnableKey'newEnableKeyenableKey_keyIdnewEnableKeyResponse$fToQueryEnableKey$fToPathEnableKey$fToJSONEnableKey$fToHeadersEnableKey$fNFDataEnableKey$fHashableEnableKey$fNFDataEnableKeyResponse$fAWSRequestEnableKey$fEqEnableKeyResponse$fReadEnableKeyResponse$fShowEnableKeyResponse$fGenericEnableKeyResponse$fEqEnableKey$fReadEnableKey$fShowEnableKey$fGenericEnableKey DisconnectCustomKeyStoreResponse!DisconnectCustomKeyStoreResponse'1$sel:httpStatus:DisconnectCustomKeyStoreResponse'DisconnectCustomKeyStoreDisconnectCustomKeyStore'/$sel:customKeyStoreId:DisconnectCustomKeyStore'newDisconnectCustomKeyStore)disconnectCustomKeyStore_customKeyStoreId#newDisconnectCustomKeyStoreResponse+disconnectCustomKeyStoreResponse_httpStatus!$fToQueryDisconnectCustomKeyStore $fToPathDisconnectCustomKeyStore $fToJSONDisconnectCustomKeyStore#$fToHeadersDisconnectCustomKeyStore $fNFDataDisconnectCustomKeyStore"$fHashableDisconnectCustomKeyStore($fNFDataDisconnectCustomKeyStoreResponse$$fAWSRequestDisconnectCustomKeyStore$$fEqDisconnectCustomKeyStoreResponse&$fReadDisconnectCustomKeyStoreResponse&$fShowDisconnectCustomKeyStoreResponse)$fGenericDisconnectCustomKeyStoreResponse$fEqDisconnectCustomKeyStore$fReadDisconnectCustomKeyStore$fShowDisconnectCustomKeyStore!$fGenericDisconnectCustomKeyStoreDisableKeyRotationResponseDisableKeyRotationResponse'DisableKeyRotationDisableKeyRotation'$sel:keyId:DisableKeyRotation'newDisableKeyRotationdisableKeyRotation_keyIdnewDisableKeyRotationResponse$fToQueryDisableKeyRotation$fToPathDisableKeyRotation$fToJSONDisableKeyRotation$fToHeadersDisableKeyRotation$fNFDataDisableKeyRotation$fHashableDisableKeyRotation"$fNFDataDisableKeyRotationResponse$fAWSRequestDisableKeyRotation$fEqDisableKeyRotationResponse $fReadDisableKeyRotationResponse $fShowDisableKeyRotationResponse#$fGenericDisableKeyRotationResponse$fEqDisableKeyRotation$fReadDisableKeyRotation$fShowDisableKeyRotation$fGenericDisableKeyRotationDisableKeyResponseDisableKeyResponse'
DisableKeyDisableKey'$sel:keyId:DisableKey'newDisableKeydisableKey_keyIdnewDisableKeyResponse$fToQueryDisableKey$fToPathDisableKey$fToJSONDisableKey$fToHeadersDisableKey$fNFDataDisableKey$fHashableDisableKey$fNFDataDisableKeyResponse$fAWSRequestDisableKey$fEqDisableKeyResponse$fReadDisableKeyResponse$fShowDisableKeyResponse$fGenericDisableKeyResponse$fEqDisableKey$fReadDisableKey$fShowDisableKey$fGenericDisableKeyDescribeKeyResponseDescribeKeyResponse'%$sel:keyMetadata:DescribeKeyResponse'$$sel:httpStatus:DescribeKeyResponse'DescribeKeyDescribeKey'$sel:grantTokens:DescribeKey'$sel:keyId:DescribeKey'newDescribeKeydescribeKey_grantTokensdescribeKey_keyIdnewDescribeKeyResponsedescribeKeyResponse_keyMetadatadescribeKeyResponse_httpStatus$fToQueryDescribeKey$fToPathDescribeKey$fToJSONDescribeKey$fToHeadersDescribeKey$fNFDataDescribeKey$fHashableDescribeKey$fNFDataDescribeKeyResponse$fAWSRequestDescribeKey$fEqDescribeKeyResponse$fReadDescribeKeyResponse$fShowDescribeKeyResponse$fGenericDescribeKeyResponse$fEqDescribeKey$fReadDescribeKey$fShowDescribeKey$fGenericDescribeKeyDescribeCustomKeyStoresResponse DescribeCustomKeyStoresResponse'5$sel:customKeyStores:DescribeCustomKeyStoresResponse'0$sel:nextMarker:DescribeCustomKeyStoresResponse'/$sel:truncated:DescribeCustomKeyStoresResponse'0$sel:httpStatus:DescribeCustomKeyStoresResponse'DescribeCustomKeyStoresDescribeCustomKeyStores'.$sel:customKeyStoreId:DescribeCustomKeyStores'0$sel:customKeyStoreName:DescribeCustomKeyStores'#$sel:limit:DescribeCustomKeyStores'$$sel:marker:DescribeCustomKeyStores'newDescribeCustomKeyStores(describeCustomKeyStores_customKeyStoreId*describeCustomKeyStores_customKeyStoreNamedescribeCustomKeyStores_limitdescribeCustomKeyStores_marker"newDescribeCustomKeyStoresResponse/describeCustomKeyStoresResponse_customKeyStores*describeCustomKeyStoresResponse_nextMarker)describeCustomKeyStoresResponse_truncated*describeCustomKeyStoresResponse_httpStatus $fToQueryDescribeCustomKeyStores$fToPathDescribeCustomKeyStores$fToJSONDescribeCustomKeyStores"$fToHeadersDescribeCustomKeyStores$fNFDataDescribeCustomKeyStores!$fHashableDescribeCustomKeyStores!$fAWSPagerDescribeCustomKeyStores'$fNFDataDescribeCustomKeyStoresResponse#$fAWSRequestDescribeCustomKeyStores#$fEqDescribeCustomKeyStoresResponse%$fShowDescribeCustomKeyStoresResponse($fGenericDescribeCustomKeyStoresResponse$fEqDescribeCustomKeyStores$fReadDescribeCustomKeyStores$fShowDescribeCustomKeyStores $fGenericDescribeCustomKeyStores!DeleteImportedKeyMaterialResponse"DeleteImportedKeyMaterialResponse'DeleteImportedKeyMaterialDeleteImportedKeyMaterial'%$sel:keyId:DeleteImportedKeyMaterial'newDeleteImportedKeyMaterialdeleteImportedKeyMaterial_keyId$newDeleteImportedKeyMaterialResponse"$fToQueryDeleteImportedKeyMaterial!$fToPathDeleteImportedKeyMaterial!$fToJSONDeleteImportedKeyMaterial$$fToHeadersDeleteImportedKeyMaterial!$fNFDataDeleteImportedKeyMaterial#$fHashableDeleteImportedKeyMaterial)$fNFDataDeleteImportedKeyMaterialResponse%$fAWSRequestDeleteImportedKeyMaterial%$fEqDeleteImportedKeyMaterialResponse'$fReadDeleteImportedKeyMaterialResponse'$fShowDeleteImportedKeyMaterialResponse*$fGenericDeleteImportedKeyMaterialResponse$fEqDeleteImportedKeyMaterial$fReadDeleteImportedKeyMaterial$fShowDeleteImportedKeyMaterial"$fGenericDeleteImportedKeyMaterialDeleteCustomKeyStoreResponseDeleteCustomKeyStoreResponse'-$sel:httpStatus:DeleteCustomKeyStoreResponse'DeleteCustomKeyStoreDeleteCustomKeyStore'+$sel:customKeyStoreId:DeleteCustomKeyStore'newDeleteCustomKeyStore%deleteCustomKeyStore_customKeyStoreIdnewDeleteCustomKeyStoreResponse'deleteCustomKeyStoreResponse_httpStatus$fToQueryDeleteCustomKeyStore$fToPathDeleteCustomKeyStore$fToJSONDeleteCustomKeyStore$fToHeadersDeleteCustomKeyStore$fNFDataDeleteCustomKeyStore$fHashableDeleteCustomKeyStore$$fNFDataDeleteCustomKeyStoreResponse $fAWSRequestDeleteCustomKeyStore $fEqDeleteCustomKeyStoreResponse"$fReadDeleteCustomKeyStoreResponse"$fShowDeleteCustomKeyStoreResponse%$fGenericDeleteCustomKeyStoreResponse$fEqDeleteCustomKeyStore$fReadDeleteCustomKeyStore$fShowDeleteCustomKeyStore$fGenericDeleteCustomKeyStoreDeleteAliasResponseDeleteAliasResponse'DeleteAliasDeleteAlias'$sel:aliasName:DeleteAlias'newDeleteAliasdeleteAlias_aliasNamenewDeleteAliasResponse$fToQueryDeleteAlias$fToPathDeleteAlias$fToJSONDeleteAlias$fToHeadersDeleteAlias$fNFDataDeleteAlias$fHashableDeleteAlias$fNFDataDeleteAliasResponse$fAWSRequestDeleteAlias$fEqDeleteAliasResponse$fReadDeleteAliasResponse$fShowDeleteAliasResponse$fGenericDeleteAliasResponse$fEqDeleteAlias$fReadDeleteAlias$fShowDeleteAlias$fGenericDeleteAliasDecryptResponseDecryptResponse')$sel:encryptionAlgorithm:DecryptResponse'$sel:keyId:DecryptResponse'$sel:plaintext:DecryptResponse' $sel:httpStatus:DecryptResponse'DecryptDecrypt'!$sel:encryptionAlgorithm:Decrypt'$sel:encryptionContext:Decrypt'$sel:grantTokens:Decrypt'$sel:keyId:Decrypt'$sel:ciphertextBlob:Decrypt'
newDecryptdecrypt_encryptionAlgorithmdecrypt_encryptionContextdecrypt_grantTokensdecrypt_keyIddecrypt_ciphertextBlobnewDecryptResponse#decryptResponse_encryptionAlgorithmdecryptResponse_keyIddecryptResponse_plaintextdecryptResponse_httpStatus$fToQueryDecrypt$fToPathDecrypt$fToJSONDecrypt$fToHeadersDecrypt$fNFDataDecrypt$fHashableDecrypt$fNFDataDecryptResponse$fAWSRequestDecrypt$fEqDecryptResponse$fShowDecryptResponse$fGenericDecryptResponse$fEqDecrypt$fReadDecrypt$fShowDecrypt$fGenericDecryptCreateKeyResponseCreateKeyResponse'#$sel:keyMetadata:CreateKeyResponse'"$sel:httpStatus:CreateKeyResponse'	CreateKey
CreateKey'.$sel:bypassPolicyLockoutSafetyCheck:CreateKey' $sel:customKeyStoreId:CreateKey'%$sel:customerMasterKeySpec:CreateKey'$sel:description:CreateKey'$sel:keySpec:CreateKey'$sel:keyUsage:CreateKey'$sel:multiRegion:CreateKey'$sel:origin:CreateKey'$sel:policy:CreateKey'$sel:tags:CreateKey'$sel:xksKeyId:CreateKey'newCreateKey(createKey_bypassPolicyLockoutSafetyCheckcreateKey_customKeyStoreIdcreateKey_customerMasterKeySpeccreateKey_descriptioncreateKey_keySpeccreateKey_keyUsagecreateKey_multiRegioncreateKey_origincreateKey_policycreateKey_tagscreateKey_xksKeyIdnewCreateKeyResponsecreateKeyResponse_keyMetadatacreateKeyResponse_httpStatus$fToQueryCreateKey$fToPathCreateKey$fToJSONCreateKey$fToHeadersCreateKey$fNFDataCreateKey$fHashableCreateKey$fNFDataCreateKeyResponse$fAWSRequestCreateKey$fEqCreateKeyResponse$fReadCreateKeyResponse$fShowCreateKeyResponse$fGenericCreateKeyResponse$fEqCreateKey$fReadCreateKey$fShowCreateKey$fGenericCreateKeyCreateGrantResponseCreateGrantResponse'!$sel:grantId:CreateGrantResponse'$$sel:grantToken:CreateGrantResponse'$$sel:httpStatus:CreateGrantResponse'CreateGrantCreateGrant'$sel:constraints:CreateGrant'$sel:grantTokens:CreateGrant'$sel:name:CreateGrant'#$sel:retiringPrincipal:CreateGrant'$sel:keyId:CreateGrant'"$sel:granteePrincipal:CreateGrant'$sel:operations:CreateGrant'newCreateGrantcreateGrant_constraintscreateGrant_grantTokenscreateGrant_namecreateGrant_retiringPrincipalcreateGrant_keyIdcreateGrant_granteePrincipalcreateGrant_operationsnewCreateGrantResponsecreateGrantResponse_grantIdcreateGrantResponse_grantTokencreateGrantResponse_httpStatus$fToQueryCreateGrant$fToPathCreateGrant$fToJSONCreateGrant$fToHeadersCreateGrant$fNFDataCreateGrant$fHashableCreateGrant$fNFDataCreateGrantResponse$fAWSRequestCreateGrant$fEqCreateGrantResponse$fReadCreateGrantResponse$fShowCreateGrantResponse$fGenericCreateGrantResponse$fEqCreateGrant$fReadCreateGrant$fShowCreateGrant$fGenericCreateGrantCreateCustomKeyStoreResponseCreateCustomKeyStoreResponse'3$sel:customKeyStoreId:CreateCustomKeyStoreResponse'-$sel:httpStatus:CreateCustomKeyStoreResponse'CreateCustomKeyStoreCreateCustomKeyStore',$sel:cloudHsmClusterId:CreateCustomKeyStore'-$sel:customKeyStoreType:CreateCustomKeyStore'+$sel:keyStorePassword:CreateCustomKeyStore'1$sel:trustAnchorCertificate:CreateCustomKeyStore';$sel:xksProxyAuthenticationCredential:CreateCustomKeyStore'/$sel:xksProxyConnectivity:CreateCustomKeyStore'.$sel:xksProxyUriEndpoint:CreateCustomKeyStore'*$sel:xksProxyUriPath:CreateCustomKeyStore'9$sel:xksProxyVpcEndpointServiceName:CreateCustomKeyStore'-$sel:customKeyStoreName:CreateCustomKeyStore'newCreateCustomKeyStore&createCustomKeyStore_cloudHsmClusterId'createCustomKeyStore_customKeyStoreType%createCustomKeyStore_keyStorePassword+createCustomKeyStore_trustAnchorCertificate5createCustomKeyStore_xksProxyAuthenticationCredential)createCustomKeyStore_xksProxyConnectivity(createCustomKeyStore_xksProxyUriEndpoint$createCustomKeyStore_xksProxyUriPath3createCustomKeyStore_xksProxyVpcEndpointServiceName'createCustomKeyStore_customKeyStoreNamenewCreateCustomKeyStoreResponse-createCustomKeyStoreResponse_customKeyStoreId'createCustomKeyStoreResponse_httpStatus$fToQueryCreateCustomKeyStore$fToPathCreateCustomKeyStore$fToJSONCreateCustomKeyStore$fToHeadersCreateCustomKeyStore$fNFDataCreateCustomKeyStore$fHashableCreateCustomKeyStore$$fNFDataCreateCustomKeyStoreResponse $fAWSRequestCreateCustomKeyStore $fEqCreateCustomKeyStoreResponse"$fReadCreateCustomKeyStoreResponse"$fShowCreateCustomKeyStoreResponse%$fGenericCreateCustomKeyStoreResponse$fEqCreateCustomKeyStore$fShowCreateCustomKeyStore$fGenericCreateCustomKeyStoreCreateAliasResponseCreateAliasResponse'CreateAliasCreateAlias'$sel:aliasName:CreateAlias'$sel:targetKeyId:CreateAlias'newCreateAliascreateAlias_aliasNamecreateAlias_targetKeyIdnewCreateAliasResponse$fToQueryCreateAlias$fToPathCreateAlias$fToJSONCreateAlias$fToHeadersCreateAlias$fNFDataCreateAlias$fHashableCreateAlias$fNFDataCreateAliasResponse$fAWSRequestCreateAlias$fEqCreateAliasResponse$fReadCreateAliasResponse$fShowCreateAliasResponse$fGenericCreateAliasResponse$fEqCreateAlias$fReadCreateAlias$fShowCreateAlias$fGenericCreateAliasConnectCustomKeyStoreResponseConnectCustomKeyStoreResponse'.$sel:httpStatus:ConnectCustomKeyStoreResponse'ConnectCustomKeyStoreConnectCustomKeyStore',$sel:customKeyStoreId:ConnectCustomKeyStore'newConnectCustomKeyStore&connectCustomKeyStore_customKeyStoreId newConnectCustomKeyStoreResponse(connectCustomKeyStoreResponse_httpStatus$fToQueryConnectCustomKeyStore$fToPathConnectCustomKeyStore$fToJSONConnectCustomKeyStore $fToHeadersConnectCustomKeyStore$fNFDataConnectCustomKeyStore$fHashableConnectCustomKeyStore%$fNFDataConnectCustomKeyStoreResponse!$fAWSRequestConnectCustomKeyStore!$fEqConnectCustomKeyStoreResponse#$fReadConnectCustomKeyStoreResponse#$fShowConnectCustomKeyStoreResponse&$fGenericConnectCustomKeyStoreResponse$fEqConnectCustomKeyStore$fReadConnectCustomKeyStore$fShowConnectCustomKeyStore$fGenericConnectCustomKeyStoreCancelKeyDeletionResponseCancelKeyDeletionResponse'%$sel:keyId:CancelKeyDeletionResponse'*$sel:httpStatus:CancelKeyDeletionResponse'CancelKeyDeletionCancelKeyDeletion'$sel:keyId:CancelKeyDeletion'newCancelKeyDeletioncancelKeyDeletion_keyIdnewCancelKeyDeletionResponsecancelKeyDeletionResponse_keyId$cancelKeyDeletionResponse_httpStatus$fToQueryCancelKeyDeletion$fToPathCancelKeyDeletion$fToJSONCancelKeyDeletion$fToHeadersCancelKeyDeletion$fNFDataCancelKeyDeletion$fHashableCancelKeyDeletion!$fNFDataCancelKeyDeletionResponse$fAWSRequestCancelKeyDeletion$fEqCancelKeyDeletionResponse$fReadCancelKeyDeletionResponse$fShowCancelKeyDeletionResponse"$fGenericCancelKeyDeletionResponse$fEqCancelKeyDeletion$fReadCancelKeyDeletion$fShowCancelKeyDeletion$fGenericCancelKeyDeletionUntagResourceResponseUntagResourceResponse'UntagResourceUntagResource'$sel:keyId:UntagResource'$sel:tagKeys:UntagResource'newUntagResourceuntagResource_keyIduntagResource_tagKeysnewUntagResourceResponse$fToQueryUntagResource$fToPathUntagResource$fToJSONUntagResource$fToHeadersUntagResource$fNFDataUntagResource$fHashableUntagResource$fNFDataUntagResourceResponse$fAWSRequestUntagResource$fEqUntagResourceResponse$fReadUntagResourceResponse$fShowUntagResourceResponse$fGenericUntagResourceResponse$fEqUntagResource$fReadUntagResource$fShowUntagResource$fGenericUntagResourceUpdateAliasResponseUpdateAliasResponse'UpdateAliasUpdateAlias'$sel:aliasName:UpdateAlias'$sel:targetKeyId:UpdateAlias'newUpdateAliasupdateAlias_aliasNameupdateAlias_targetKeyIdnewUpdateAliasResponse$fToQueryUpdateAlias$fToPathUpdateAlias$fToJSONUpdateAlias$fToHeadersUpdateAlias$fNFDataUpdateAlias$fHashableUpdateAlias$fNFDataUpdateAliasResponse$fAWSRequestUpdateAlias$fEqUpdateAliasResponse$fReadUpdateAliasResponse$fShowUpdateAliasResponse$fGenericUpdateAliasResponse$fEqUpdateAlias$fReadUpdateAlias$fShowUpdateAlias$fGenericUpdateAliasUpdateCustomKeyStoreResponseUpdateCustomKeyStoreResponse'-$sel:httpStatus:UpdateCustomKeyStoreResponse'UpdateCustomKeyStoreUpdateCustomKeyStore',$sel:cloudHsmClusterId:UpdateCustomKeyStore'+$sel:keyStorePassword:UpdateCustomKeyStore'1$sel:newCustomKeyStoreName':UpdateCustomKeyStore';$sel:xksProxyAuthenticationCredential:UpdateCustomKeyStore'/$sel:xksProxyConnectivity:UpdateCustomKeyStore'.$sel:xksProxyUriEndpoint:UpdateCustomKeyStore'*$sel:xksProxyUriPath:UpdateCustomKeyStore'9$sel:xksProxyVpcEndpointServiceName:UpdateCustomKeyStore'+$sel:customKeyStoreId:UpdateCustomKeyStore'newUpdateCustomKeyStore&updateCustomKeyStore_cloudHsmClusterId%updateCustomKeyStore_keyStorePassword*updateCustomKeyStore_newCustomKeyStoreName5updateCustomKeyStore_xksProxyAuthenticationCredential)updateCustomKeyStore_xksProxyConnectivity(updateCustomKeyStore_xksProxyUriEndpoint$updateCustomKeyStore_xksProxyUriPath3updateCustomKeyStore_xksProxyVpcEndpointServiceName%updateCustomKeyStore_customKeyStoreIdnewUpdateCustomKeyStoreResponse'updateCustomKeyStoreResponse_httpStatus$fToQueryUpdateCustomKeyStore$fToPathUpdateCustomKeyStore$fToJSONUpdateCustomKeyStore$fToHeadersUpdateCustomKeyStore$fNFDataUpdateCustomKeyStore$fHashableUpdateCustomKeyStore$$fNFDataUpdateCustomKeyStoreResponse $fAWSRequestUpdateCustomKeyStore $fEqUpdateCustomKeyStoreResponse"$fReadUpdateCustomKeyStoreResponse"$fShowUpdateCustomKeyStoreResponse%$fGenericUpdateCustomKeyStoreResponse$fEqUpdateCustomKeyStore$fShowUpdateCustomKeyStore$fGenericUpdateCustomKeyStoreUpdateKeyDescriptionResponseUpdateKeyDescriptionResponse'UpdateKeyDescriptionUpdateKeyDescription' $sel:keyId:UpdateKeyDescription'&$sel:description:UpdateKeyDescription'newUpdateKeyDescriptionupdateKeyDescription_keyId updateKeyDescription_descriptionnewUpdateKeyDescriptionResponse$fToQueryUpdateKeyDescription$fToPathUpdateKeyDescription$fToJSONUpdateKeyDescription$fToHeadersUpdateKeyDescription$fNFDataUpdateKeyDescription$fHashableUpdateKeyDescription$$fNFDataUpdateKeyDescriptionResponse $fAWSRequestUpdateKeyDescription $fEqUpdateKeyDescriptionResponse"$fReadUpdateKeyDescriptionResponse"$fShowUpdateKeyDescriptionResponse%$fGenericUpdateKeyDescriptionResponse$fEqUpdateKeyDescription$fReadUpdateKeyDescription$fShowUpdateKeyDescription$fGenericUpdateKeyDescriptionUpdatePrimaryRegionResponseUpdatePrimaryRegionResponse'UpdatePrimaryRegionUpdatePrimaryRegion'$sel:keyId:UpdatePrimaryRegion''$sel:primaryRegion:UpdatePrimaryRegion'newUpdatePrimaryRegionupdatePrimaryRegion_keyId!updatePrimaryRegion_primaryRegionnewUpdatePrimaryRegionResponse$fToQueryUpdatePrimaryRegion$fToPathUpdatePrimaryRegion$fToJSONUpdatePrimaryRegion$fToHeadersUpdatePrimaryRegion$fNFDataUpdatePrimaryRegion$fHashableUpdatePrimaryRegion#$fNFDataUpdatePrimaryRegionResponse$fAWSRequestUpdatePrimaryRegion$fEqUpdatePrimaryRegionResponse!$fReadUpdatePrimaryRegionResponse!$fShowUpdatePrimaryRegionResponse$$fGenericUpdatePrimaryRegionResponse$fEqUpdatePrimaryRegion$fReadUpdatePrimaryRegion$fShowUpdatePrimaryRegion$fGenericUpdatePrimaryRegionVerifyResponseVerifyResponse'$sel:keyId:VerifyResponse'#$sel:signatureValid:VerifyResponse'%$sel:signingAlgorithm:VerifyResponse'$sel:httpStatus:VerifyResponse'VerifyVerify'$sel:grantTokens:Verify'$sel:messageType:Verify'$sel:keyId:Verify'$sel:message:Verify'$sel:signature:Verify'$sel:signingAlgorithm:Verify'	newVerifyverify_grantTokensverify_messageTypeverify_keyIdverify_messageverify_signatureverify_signingAlgorithmnewVerifyResponseverifyResponse_keyIdverifyResponse_signatureValidverifyResponse_signingAlgorithmverifyResponse_httpStatus$fToQueryVerify$fToPathVerify$fToJSONVerify$fToHeadersVerify$fNFDataVerify$fHashableVerify$fNFDataVerifyResponse$fAWSRequestVerify$fEqVerifyResponse$fReadVerifyResponse$fShowVerifyResponse$fGenericVerifyResponse
$fEqVerify$fShowVerify$fGenericVerifyVerifyMacResponseVerifyMacResponse'$sel:keyId:VerifyMacResponse'$$sel:macAlgorithm:VerifyMacResponse' $sel:macValid:VerifyMacResponse'"$sel:httpStatus:VerifyMacResponse'	VerifyMac
VerifyMac'$sel:grantTokens:VerifyMac'$sel:message:VerifyMac'$sel:keyId:VerifyMac'$sel:macAlgorithm:VerifyMac'$sel:mac:VerifyMac'newVerifyMacverifyMac_grantTokensverifyMac_messageverifyMac_keyIdverifyMac_macAlgorithmverifyMac_macnewVerifyMacResponseverifyMacResponse_keyIdverifyMacResponse_macAlgorithmverifyMacResponse_macValidverifyMacResponse_httpStatus$fToQueryVerifyMac$fToPathVerifyMac$fToJSONVerifyMac$fToHeadersVerifyMac$fNFDataVerifyMac$fHashableVerifyMac$fNFDataVerifyMacResponse$fAWSRequestVerifyMac$fEqVerifyMacResponse$fReadVerifyMacResponse$fShowVerifyMacResponse$fGenericVerifyMacResponse$fEqVerifyMac$fShowVerifyMac$fGenericVerifyMac