feat(client-backup): AWS Backup now supports customer-managed keys (CMK) for logically air-gapped vaults, enabling customers to maintain full control over their encryption key lifecycle. This feature helps organizations meet specific internal governance requirements or external regulatory compliance standards.

Author: awstools

clients/client-backup/src/commands/CreateLogicallyAirGappedBackupVaultCommand.ts

@@ -61,6 +61,7 @@ export interface CreateLogicallyAirGappedBackupVaultCommandOutput
  *   CreatorRequestId: "STRING_VALUE",
  *   MinRetentionDays: Number("long"), // required
  *   MaxRetentionDays: Number("long"), // required
+ *   EncryptionKeyArn: "STRING_VALUE",
  * };
  * const command = new CreateLogicallyAirGappedBackupVaultCommand(input);
  * const response = await client.send(command);

clients/client-backup/src/commands/DescribeBackupVaultCommand.ts

@@ -66,6 +66,7 @@ export interface DescribeBackupVaultCommandOutput extends DescribeBackupVaultOut
  * //     InitiationDate: new Date("TIMESTAMP"),
  * //     ExpiryDate: new Date("TIMESTAMP"),
  * //   },
+ * //   EncryptionKeyType: "AWS_OWNED_KMS_KEY" || "CUSTOMER_MANAGED_KMS_KEY",
  * // };
  *
  * ```

clients/client-backup/src/commands/DescribeRecoveryPointCommand.ts

@@ -89,6 +89,7 @@ export interface DescribeRecoveryPointCommandOutput extends DescribeRecoveryPoin
  * //   VaultType: "BACKUP_VAULT" || "LOGICALLY_AIR_GAPPED_BACKUP_VAULT" || "RESTORE_ACCESS_BACKUP_VAULT",
  * //   IndexStatus: "PENDING" || "ACTIVE" || "FAILED" || "DELETING",
  * //   IndexStatusMessage: "STRING_VALUE",
+ * //   EncryptionKeyType: "AWS_OWNED_KMS_KEY" || "CUSTOMER_MANAGED_KMS_KEY",
  * // };
  *
  * ```

clients/client-backup/src/commands/ListBackupVaultsCommand.ts

@@ -61,6 +61,7 @@ export interface ListBackupVaultsCommandOutput extends ListBackupVaultsOutput, _
  * //       MinRetentionDays: Number("long"),
  * //       MaxRetentionDays: Number("long"),
  * //       LockDate: new Date("TIMESTAMP"),
+ * //       EncryptionKeyType: "AWS_OWNED_KMS_KEY" || "CUSTOMER_MANAGED_KMS_KEY",
  * //     },
  * //   ],
  * //   NextToken: "STRING_VALUE",

clients/client-backup/src/commands/ListRecoveryPointsByBackupVaultCommand.ts

@@ -102,6 +102,7 @@ export interface ListRecoveryPointsByBackupVaultCommandOutput
  * //       VaultType: "BACKUP_VAULT" || "LOGICALLY_AIR_GAPPED_BACKUP_VAULT" || "RESTORE_ACCESS_BACKUP_VAULT",
  * //       IndexStatus: "PENDING" || "ACTIVE" || "FAILED" || "DELETING",
  * //       IndexStatusMessage: "STRING_VALUE",
+ * //       EncryptionKeyType: "AWS_OWNED_KMS_KEY" || "CUSTOMER_MANAGED_KMS_KEY",
  * //     },
  * //   ],
  * // };

clients/client-backup/src/commands/ListRecoveryPointsByResourceCommand.ts

@@ -72,6 +72,7 @@ export interface ListRecoveryPointsByResourceCommandOutput
  * //       VaultType: "BACKUP_VAULT" || "LOGICALLY_AIR_GAPPED_BACKUP_VAULT" || "RESTORE_ACCESS_BACKUP_VAULT",
  * //       IndexStatus: "PENDING" || "ACTIVE" || "FAILED" || "DELETING",
  * //       IndexStatusMessage: "STRING_VALUE",
+ * //       EncryptionKeyType: "AWS_OWNED_KMS_KEY" || "CUSTOMER_MANAGED_KMS_KEY",
  * //     },
  * //   ],
  * // };

clients/client-backup/src/models/models_0.ts

@@ -1496,6 +1496,20 @@ export const BackupVaultEvent = {
  */
 export type BackupVaultEvent = (typeof BackupVaultEvent)[keyof typeof BackupVaultEvent];
 
+/**
+ * @public
+ * @enum
+ */
+export const EncryptionKeyType = {
+  AWS_OWNED_KMS_KEY: "AWS_OWNED_KMS_KEY",
+  CUSTOMER_MANAGED_KMS_KEY: "CUSTOMER_MANAGED_KMS_KEY",
+} as const;
+
+/**
+ * @public
+ */
+export type EncryptionKeyType = (typeof EncryptionKeyType)[keyof typeof EncryptionKeyType];
+
 /**
  * @public
  * @enum
@@ -1644,6 +1658,12 @@ export interface BackupVaultListMember {
    * @public
    */
   LockDate?: Date | undefined;
+
+  /**
+   * <p>The type of encryption key used for the backup vault. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or Amazon Web Services_OWNED_KMS_KEY for Amazon Web Services-owned keys.</p>
+   * @public
+   */
+  EncryptionKeyType?: EncryptionKeyType | undefined;
 }
 
 /**
@@ -2676,6 +2696,12 @@ export interface CreateLogicallyAirGappedBackupVaultInput {
    * @public
    */
   MaxRetentionDays: number | undefined;
+
+  /**
+   * <p>The ARN of the customer-managed KMS key to use for encrypting the logically air-gapped backup vault. If not specified, the vault will be encrypted with an Amazon Web Services-owned key managed by Amazon Web Services Backup.</p>
+   * @public
+   */
+  EncryptionKeyArn?: string | undefined;
 }
 
 /**
@@ -3349,6 +3375,8 @@ export interface RestoreTestingSelectionForCreate {
   /**
    * <p>The unique name of the restore testing selection
    *          that belongs to the related restore testing plan.</p>
+   *          <p>The name consists of only alphanumeric characters and underscores.
+   *          Maximum length is 50.</p>
    * @public
    */
   RestoreTestingSelectionName: string | undefined;
@@ -3434,6 +3462,8 @@ export interface CreateRestoreTestingSelectionOutput {
 
   /**
    * <p>The name of the restore testing selection for the related restore testing plan.</p>
+   *          <p>The name cannot be changed after creation. The name consists of only
+   *          alphanumeric characters and underscores. Maximum length is 50.</p>
    * @public
    */
   RestoreTestingSelectionName: string | undefined;
@@ -4158,6 +4188,12 @@ export interface DescribeBackupVaultOutput {
    * @public
    */
   LatestMpaApprovalTeamUpdate?: LatestMpaApprovalTeamUpdate | undefined;
+
+  /**
+   * <p>The type of encryption key used for the backup vault. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or Amazon Web Services_OWNED_KMS_KEY for Amazon Web Services-owned keys.</p>
+   * @public
+   */
+  EncryptionKeyType?: EncryptionKeyType | undefined;
 }
 
 /**
@@ -4719,6 +4755,12 @@ export interface DescribeRecoveryPointOutput {
    * @public
    */
   IndexStatusMessage?: string | undefined;
+
+  /**
+   * <p>The type of encryption key used for the recovery point. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or Amazon Web Services_OWNED_KMS_KEY for Amazon Web Services-owned keys.</p>
+   * @public
+   */
+  EncryptionKeyType?: EncryptionKeyType | undefined;
 }
 
 /**
@@ -6136,6 +6178,8 @@ export interface RestoreTestingSelectionForGet {
   /**
    * <p>The unique name of the restore testing selection that
    *          belongs to the related restore testing plan.</p>
+   *          <p>The name consists of only alphanumeric characters and underscores.
+   *          Maximum length is 50.</p>
    * @public
    */
   RestoreTestingSelectionName: string | undefined;
@@ -8019,6 +8063,12 @@ export interface RecoveryPointByBackupVault {
    * @public
    */
   IndexStatusMessage?: string | undefined;
+
+  /**
+   * <p>The type of encryption key used for the recovery point. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or Amazon Web Services_OWNED_KMS_KEY for Amazon Web Services-owned keys.</p>
+   * @public
+   */
+  EncryptionKeyType?: EncryptionKeyType | undefined;
 }
 
 /**
@@ -8263,6 +8313,12 @@ export interface RecoveryPointByResource {
    * @public
    */
   IndexStatusMessage?: string | undefined;
+
+  /**
+   * <p>The type of encryption key used for the recovery point. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or Amazon Web Services_OWNED_KMS_KEY for Amazon Web Services-owned keys.</p>
+   * @public
+   */
+  EncryptionKeyType?: EncryptionKeyType | undefined;
 }
 
 /**
@@ -9294,6 +9350,8 @@ export interface RestoreTestingSelectionForList {
 
   /**
    * <p>Unique name of a restore testing selection.</p>
+   *          <p>The name consists of only alphanumeric characters and underscores.
+   *          Maximum length is 50.</p>
    * @public
    */
   RestoreTestingSelectionName: string | undefined;

clients/client-backup/src/protocols/Aws_restJson1.ts

@@ -560,6 +560,7 @@ export const se_CreateLogicallyAirGappedBackupVaultCommand = async (
     take(input, {
       BackupVaultTags: (_) => _json(_),
       CreatorRequestId: [true, (_) => _ ?? generateIdempotencyToken()],
+      EncryptionKeyArn: [],
       MaxRetentionDays: [],
       MinRetentionDays: [],
     })
@@ -2968,6 +2969,7 @@ export const de_DescribeBackupVaultCommand = async (
     CreationDate: (_) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
     CreatorRequestId: __expectString,
     EncryptionKeyArn: __expectString,
+    EncryptionKeyType: __expectString,
     LatestMpaApprovalTeamUpdate: (_) => de_LatestMpaApprovalTeamUpdate(_, context),
     LockDate: (_) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
     Locked: __expectBoolean,
@@ -3108,6 +3110,7 @@ export const de_DescribeRecoveryPointCommand = async (
     CreatedBy: _json,
     CreationDate: (_) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
     EncryptionKeyArn: __expectString,
+    EncryptionKeyType: __expectString,
     IamRoleArn: __expectString,
     IndexStatus: __expectString,
     IndexStatusMessage: __expectString,
@@ -5233,6 +5236,7 @@ const de_BackupVaultListMember = (output: any, context: __SerdeContext): BackupV
     CreationDate: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
     CreatorRequestId: __expectString,
     EncryptionKeyArn: __expectString,
+    EncryptionKeyType: __expectString,
     LockDate: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
     Locked: __expectBoolean,
     MaxRetentionDays: __expectLong,
@@ -5531,6 +5535,7 @@ const de_RecoveryPointByBackupVault = (output: any, context: __SerdeContext): Re
     CreatedBy: _json,
     CreationDate: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
     EncryptionKeyArn: __expectString,
+    EncryptionKeyType: __expectString,
     IamRoleArn: __expectString,
     IndexStatus: __expectString,
     IndexStatusMessage: __expectString,
@@ -5572,6 +5577,7 @@ const de_RecoveryPointByResource = (output: any, context: __SerdeContext): Recov
     BackupVaultName: __expectString,
     CreationDate: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
     EncryptionKeyArn: __expectString,
+    EncryptionKeyType: __expectString,
     IndexStatus: __expectString,
     IndexStatusMessage: __expectString,
     IsParent: __expectBoolean,

codegen/sdk-codegen/aws-models/backup.json

@@ -1260,6 +1260,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The date and time when Backup Vault Lock configuration becomes immutable,\n         meaning it cannot be changed or deleted.</p>\n         <p>If you applied Vault Lock to your vault without specifying a lock date, you can change\n         your Vault Lock settings, or delete Vault Lock from the vault entirely, at any time.</p>\n         <p>This value is in Unix format, Coordinated Universal Time (UTC), and accurate to\n         milliseconds. For example, the value 1516925490.087 represents Friday, January 26, 2018\n         12:11:30.087 AM.</p>"
           }
+        },
+        "EncryptionKeyType": {
+          "target": "com.amazonaws.backup#EncryptionKeyType",
+          "traits": {
+            "smithy.api#documentation": "<p>The type of encryption key used for the backup vault. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or Amazon Web Services_OWNED_KMS_KEY for Amazon Web Services-owned keys.</p>"
+          }
         }
       },
       "traits": {
@@ -2526,6 +2532,12 @@
             "smithy.api#documentation": "<p>The maximum retention period that the vault retains its recovery points.</p>",
             "smithy.api#required": {}
           }
+        },
+        "EncryptionKeyArn": {
+          "target": "com.amazonaws.backup#ARN",
+          "traits": {
+            "smithy.api#documentation": "<p>The ARN of the customer-managed KMS key to use for encrypting the logically air-gapped backup vault. If not specified, the vault will be encrypted with an Amazon Web Services-owned key managed by Amazon Web Services Backup.</p>"
+          }
         }
       },
       "traits": {
@@ -2974,7 +2986,7 @@
         "RestoreTestingSelectionName": {
           "target": "smithy.api#String",
           "traits": {
-            "smithy.api#documentation": "<p>The name of the restore testing selection for the related restore testing plan.</p>",
+            "smithy.api#documentation": "<p>The name of the restore testing selection for the related restore testing plan.</p>\n         <p>The name cannot be changed after creation. The name consists of only \n         alphanumeric characters and underscores. Maximum length is 50.</p>",
             "smithy.api#required": {}
           }
         }
@@ -5230,6 +5242,12 @@
           "traits": {
             "smithy.api#documentation": "<p>Information about the latest update to the MPA approval team association for this backup vault.</p>"
           }
+        },
+        "EncryptionKeyType": {
+          "target": "com.amazonaws.backup#EncryptionKeyType",
+          "traits": {
+            "smithy.api#documentation": "<p>The type of encryption key used for the backup vault. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or Amazon Web Services_OWNED_KMS_KEY for Amazon Web Services-owned keys.</p>"
+          }
         }
       },
       "traits": {
@@ -5792,6 +5810,12 @@
           "traits": {
             "smithy.api#documentation": "<p>A string in the form of a detailed message explaining the status of a backup index\n         associated with the recovery point.</p>"
           }
+        },
+        "EncryptionKeyType": {
+          "target": "com.amazonaws.backup#EncryptionKeyType",
+          "traits": {
+            "smithy.api#documentation": "<p>The type of encryption key used for the recovery point. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or Amazon Web Services_OWNED_KMS_KEY for Amazon Web Services-owned keys.</p>"
+          }
         }
       },
       "traits": {
@@ -6326,6 +6350,23 @@
         "smithy.api#input": {}
       }
     },
+    "com.amazonaws.backup#EncryptionKeyType": {
+      "type": "enum",
+      "members": {
+        "AWS_OWNED_KMS_KEY": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "AWS_OWNED_KMS_KEY"
+          }
+        },
+        "CUSTOMER_MANAGED_KMS_KEY": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "CUSTOMER_MANAGED_KMS_KEY"
+          }
+        }
+      }
+    },
     "com.amazonaws.backup#ExportBackupPlanTemplate": {
       "type": "operation",
       "input": {
@@ -11310,6 +11351,12 @@
           "traits": {
             "smithy.api#documentation": "<p>A string in the form of a detailed message explaining the status of a backup index associated \n         with the recovery point.</p>"
           }
+        },
+        "EncryptionKeyType": {
+          "target": "com.amazonaws.backup#EncryptionKeyType",
+          "traits": {
+            "smithy.api#documentation": "<p>The type of encryption key used for the recovery point. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or Amazon Web Services_OWNED_KMS_KEY for Amazon Web Services-owned keys.</p>"
+          }
         }
       },
       "traits": {
@@ -11403,6 +11450,12 @@
           "traits": {
             "smithy.api#documentation": "<p>A string in the form of a detailed message explaining the status of a backup index\n         associated with the recovery point.</p>"
           }
+        },
+        "EncryptionKeyType": {
+          "target": "com.amazonaws.backup#EncryptionKeyType",
+          "traits": {
+            "smithy.api#documentation": "<p>The type of encryption key used for the recovery point. Valid values are CUSTOMER_MANAGED_KMS_KEY for customer-managed keys or Amazon Web Services_OWNED_KMS_KEY for Amazon Web Services-owned keys.</p>"
+          }
         }
       },
       "traits": {
@@ -12611,7 +12664,7 @@
         "RestoreTestingSelectionName": {
           "target": "smithy.api#String",
           "traits": {
-            "smithy.api#documentation": "<p>The unique name of the restore testing selection \n         that belongs to the related restore testing plan.</p>",
+            "smithy.api#documentation": "<p>The unique name of the restore testing selection \n         that belongs to the related restore testing plan.</p>\n         <p>The name consists of only alphanumeric characters and underscores. \n         Maximum length is 50.</p>",
             "smithy.api#required": {}
           }
         },
@@ -12685,7 +12738,7 @@
         "RestoreTestingSelectionName": {
           "target": "smithy.api#String",
           "traits": {
-            "smithy.api#documentation": "<p>The unique name of the restore testing selection that \n         belongs to the related restore testing plan.</p>",
+            "smithy.api#documentation": "<p>The unique name of the restore testing selection that \n         belongs to the related restore testing plan.</p>\n         <p>The name consists of only alphanumeric characters and underscores. \n         Maximum length is 50.</p>",
             "smithy.api#required": {}
           }
         },
@@ -12735,7 +12788,7 @@
         "RestoreTestingSelectionName": {
           "target": "smithy.api#String",
           "traits": {
-            "smithy.api#documentation": "<p>Unique name of a restore testing selection.</p>",
+            "smithy.api#documentation": "<p>Unique name of a restore testing selection.</p>\n         <p>The name consists of only alphanumeric characters and underscores. \n         Maximum length is 50.</p>",
             "smithy.api#required": {}
           }
         },