feat(client-chime-sdk-media-pipelines): Added support for Media Capture Pipeline and Media Concatenation Pipeline for customer managed server side encryption. Now Media Capture Pipeline can use IAM sink role to get access to KMS key and encrypt/decrypt recorded artifacts. KMS key ID can also be supplied with encryption context.

Author: awstools

clients/client-chime-sdk-media-pipelines/src/commands/CreateMediaCapturePipelineCommand.ts

@@ -107,6 +107,11 @@ export interface CreateMediaCapturePipelineCommandOutput extends CreateMediaCapt
  *       },
  *     },
  *   },
+ *   SseAwsKeyManagementParams: { // SseAwsKeyManagementParams
+ *     AwsKmsKeyId: "STRING_VALUE", // required
+ *     AwsKmsEncryptionContext: "STRING_VALUE",
+ *   },
+ *   SinkIamRoleArn: "STRING_VALUE",
  *   Tags: [ // TagList
  *     { // Tag
  *       Key: "STRING_VALUE", // required
@@ -184,6 +189,11 @@ export interface CreateMediaCapturePipelineCommandOutput extends CreateMediaCapt
  * //         },
  * //       },
  * //     },
+ * //     SseAwsKeyManagementParams: { // SseAwsKeyManagementParams
+ * //       AwsKmsKeyId: "STRING_VALUE", // required
+ * //       AwsKmsEncryptionContext: "STRING_VALUE",
+ * //     },
+ * //     SinkIamRoleArn: "STRING_VALUE",
  * //   },
  * // };
  *

clients/client-chime-sdk-media-pipelines/src/commands/GetMediaCapturePipelineCommand.ts

@@ -116,6 +116,11 @@ export interface GetMediaCapturePipelineCommandOutput extends GetMediaCapturePip
  * //         },
  * //       },
  * //     },
+ * //     SseAwsKeyManagementParams: { // SseAwsKeyManagementParams
+ * //       AwsKmsKeyId: "STRING_VALUE", // required
+ * //       AwsKmsEncryptionContext: "STRING_VALUE",
+ * //     },
+ * //     SinkIamRoleArn: "STRING_VALUE",
  * //   },
  * // };
  *

clients/client-chime-sdk-media-pipelines/src/commands/GetMediaPipelineCommand.ts

@@ -117,6 +117,11 @@ export interface GetMediaPipelineCommandOutput extends GetMediaPipelineResponse,
  * //           },
  * //         },
  * //       },
+ * //       SseAwsKeyManagementParams: { // SseAwsKeyManagementParams
+ * //         AwsKmsKeyId: "STRING_VALUE", // required
+ * //         AwsKmsEncryptionContext: "STRING_VALUE",
+ * //       },
+ * //       SinkIamRoleArn: "STRING_VALUE",
  * //     },
  * //     MediaLiveConnectorPipeline: { // MediaLiveConnectorPipeline
  * //       Sources: [ // LiveConnectorSourceList

clients/client-chime-sdk-media-pipelines/src/models/models_0.ts

@@ -392,6 +392,10 @@ export interface AmazonTranscribeProcessorConfiguration {
 
   /**
    * <p>Turns language identification on or off for multiple languages.</p>
+   *          <note>
+   *             <p>Calls to this API must include a <code>LanguageCode</code>, <code>IdentifyLanguage</code>, or <code>IdentifyMultipleLanguages</code> parameter.
+   *          If you include more than one of those parameters, your transcription job fails.</p>
+   *          </note>
    * @public
    */
   IdentifyMultipleLanguages?: boolean;
@@ -1214,6 +1218,68 @@ export const MediaPipelineSourceType = {
  */
 export type MediaPipelineSourceType = (typeof MediaPipelineSourceType)[keyof typeof MediaPipelineSourceType];
 
+/**
+ * <p>Contains server side encryption parameters to be used by media capture pipeline. The
+ *          parameters can also be used by media concatenation pipeline taking media capture pipeline
+ *          as a media source.</p>
+ * @public
+ */
+export interface SseAwsKeyManagementParams {
+  /**
+   * <p>The KMS key you want to use to encrypt your media pipeline output.
+   *          Decryption is required for concatenation pipeline. If using a key located in the current
+   *          Amazon Web Services account, you can specify your KMS key in one of four
+   *          ways:</p>
+   *          <ul>
+   *             <li>
+   *                <p>Use the KMS key ID itself. For example,
+   *                <code>1234abcd-12ab-34cd-56ef-1234567890ab</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>Use an alias for the KMS key ID. For example,
+   *                <code>alias/ExampleAlias</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>Use the Amazon Resource Name (ARN) for the KMS key ID. For example,
+   *                <code>arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>Use the ARN for the KMS key alias. For example,
+   *                <code>arn:aws:kms:region:account-ID:alias/ExampleAlias</code>.</p>
+   *             </li>
+   *          </ul>
+   *          <p>If using a key located in a different Amazon Web Services account than the current
+   *          Amazon Web Services account, you can specify your KMS key in one of two
+   *          ways:</p>
+   *          <ul>
+   *             <li>
+   *                <p>Use the ARN for the KMS key ID. For example,
+   *                <code>arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>Use the ARN for the KMS key alias. For example,
+   *                <code>arn:aws:kms:region:account-ID:alias/ExampleAlias</code>.</p>
+   *             </li>
+   *          </ul>
+   *          <p>If you don't specify an encryption key, your output is encrypted with the default
+   *          Amazon S3 key (SSE-S3).</p>
+   *          <p>Note that the role specified in the <code>SinkIamRoleArn</code> request parameter must
+   *          have permission to use the specified KMS key.</p>
+   * @public
+   */
+  AwsKmsKeyId: string | undefined;
+
+  /**
+   * <p>Base64-encoded string of a UTF-8 encoded JSON, which contains the encryption context as
+   *          non-secret key-value pair known as encryption context pairs, that provides an added layer
+   *          of security for your data. For more information, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html">KMS encryption
+   *             context</a> and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric keys in KMS</a> in the <i>Key Management Service Developer
+   *                      Guide</i>.</p>
+   * @public
+   */
+  AwsKmsEncryptionContext?: string;
+}
+
 /**
  * <p>A key/value pair that grants users access to meeting resources.</p>
  * @public
@@ -1274,6 +1340,28 @@ export interface CreateMediaCapturePipelineRequest {
    */
   ChimeSdkMeetingConfiguration?: ChimeSdkMeetingConfiguration;
 
+  /**
+   * <p>An object that contains server side encryption parameters to be used by media capture
+   *          pipeline. The parameters can also be used by media concatenation pipeline taking media
+   *          capture pipeline as a media source.</p>
+   * @public
+   */
+  SseAwsKeyManagementParams?: SseAwsKeyManagementParams;
+
+  /**
+   * <p>The Amazon Resource Name (ARN) of the sink role to be used with <code>AwsKmsKeyId</code>
+   *          in <code>SseAwsKeyManagementParams</code>. Can only interact with <code>S3Bucket</code>
+   *          sink type. The role must belong to the caller’s account and be able to act on behalf of the
+   *          caller during the API call. All minimum policy permissions requirements for the caller to
+   *          perform sink-related actions are the same for <code>SinkIamRoleArn</code>.</p>
+   *          <p>Additionally, the role must have permission to <code>kms:GenerateDataKey</code> using
+   *          KMS key supplied as <code>AwsKmsKeyId</code> in <code>SseAwsKeyManagementParams</code>. If
+   *          media concatenation will be required later, the role must also have permission to
+   *          <code>kms:Decrypt</code> for the same KMS key.</p>
+   * @public
+   */
+  SinkIamRoleArn?: string;
+
   /**
    * <p>The tag key-value pairs.</p>
    * @public
@@ -1368,6 +1456,21 @@ export interface MediaCapturePipeline {
    * @public
    */
   ChimeSdkMeetingConfiguration?: ChimeSdkMeetingConfiguration;
+
+  /**
+   * <p>An object that contains server side encryption parameters to be used by media capture
+   *          pipeline. The parameters can also be used by media concatenation pipeline taking media
+   *          capture pipeline as a media source.</p>
+   * @public
+   */
+  SseAwsKeyManagementParams?: SseAwsKeyManagementParams;
+
+  /**
+   * <p>The Amazon Resource Name (ARN) of the sink role to be used with <code>AwsKmsKeyId</code>
+   *          in <code>SseAwsKeyManagementParams</code>.</p>
+   * @public
+   */
+  SinkIamRoleArn?: string;
 }
 
 /**
@@ -4060,6 +4163,7 @@ export const CreateMediaCapturePipelineRequestFilterSensitiveLog = (obj: CreateM
   ...(obj.ChimeSdkMeetingConfiguration && {
     ChimeSdkMeetingConfiguration: ChimeSdkMeetingConfigurationFilterSensitiveLog(obj.ChimeSdkMeetingConfiguration),
   }),
+  ...(obj.SinkIamRoleArn && { SinkIamRoleArn: SENSITIVE_STRING }),
 });
 
 /**
@@ -4072,6 +4176,7 @@ export const MediaCapturePipelineFilterSensitiveLog = (obj: MediaCapturePipeline
   ...(obj.ChimeSdkMeetingConfiguration && {
     ChimeSdkMeetingConfiguration: ChimeSdkMeetingConfigurationFilterSensitiveLog(obj.ChimeSdkMeetingConfiguration),
   }),
+  ...(obj.SinkIamRoleArn && { SinkIamRoleArn: SENSITIVE_STRING }),
 });
 
 /**

clients/client-chime-sdk-media-pipelines/src/protocols/Aws_restJson1.ts

@@ -207,6 +207,7 @@ import {
   SourceConfiguration,
   SpeakerSearchTask,
   SqsQueueSinkConfiguration,
+  SseAwsKeyManagementParams,
   StreamChannelDefinition,
   StreamConfiguration,
   Tag,
@@ -241,9 +242,11 @@ export const se_CreateMediaCapturePipelineCommand = async (
       ChimeSdkMeetingConfiguration: (_) => _json(_),
       ClientRequestToken: [true, (_) => _ ?? generateIdempotencyToken()],
       SinkArn: [],
+      SinkIamRoleArn: [],
       SinkType: [],
       SourceArn: [],
       SourceType: [],
+      SseAwsKeyManagementParams: (_) => _json(_),
       Tags: (_) => _json(_),
     })
   );
@@ -1886,6 +1889,8 @@ const se_KinesisVideoStreamRecordingSourceRuntimeConfiguration = (
 
 // se_SqsQueueSinkConfiguration omitted.
 
+// se_SseAwsKeyManagementParams omitted.
+
 // se_StreamChannelDefinition omitted.
 
 // se_StreamConfiguration omitted.
@@ -2054,9 +2059,11 @@ const de_MediaCapturePipeline = (output: any, context: __SerdeContext): MediaCap
     MediaPipelineArn: __expectString,
     MediaPipelineId: __expectString,
     SinkArn: __expectString,
+    SinkIamRoleArn: __expectString,
     SinkType: __expectString,
     SourceArn: __expectString,
     SourceType: __expectString,
+    SseAwsKeyManagementParams: _json,
     Status: __expectString,
     UpdatedTimestamp: (_: any) => __expectNonNull(__parseRfc3339DateTimeWithOffset(_)),
   }) as any;
@@ -2234,6 +2241,8 @@ const de_SpeakerSearchTask = (output: any, context: __SerdeContext): SpeakerSear
 
 // de_SqsQueueSinkConfiguration omitted.
 
+// de_SseAwsKeyManagementParams omitted.
+
 // de_StreamChannelDefinition omitted.
 
 // de_StreamConfiguration omitted.

codegen/sdk-codegen/aws-models/chime-sdk-media-pipelines.json

@@ -260,7 +260,7 @@
           "target": "com.amazonaws.chimesdkmediapipelines#Boolean",
           "traits": {
             "smithy.api#default": false,
-            "smithy.api#documentation": "<p>Turns language identification on or off for multiple languages.</p>"
+            "smithy.api#documentation": "<p>Turns language identification on or off for multiple languages.</p>\n         <note>\n            <p>Calls to this API must include a <code>LanguageCode</code>, <code>IdentifyLanguage</code>, or <code>IdentifyMultipleLanguages</code> parameter. \n         If you include more than one of those parameters, your transcription job fails.</p>\n         </note>"
           }
         },
         "LanguageOptions": {
@@ -1982,6 +1982,18 @@
             "smithy.api#documentation": "<p>The configuration for a specified media pipeline. <code>SourceType</code> must\n         be <code>ChimeSdkMeeting</code>.</p>"
           }
         },
+        "SseAwsKeyManagementParams": {
+          "target": "com.amazonaws.chimesdkmediapipelines#SseAwsKeyManagementParams",
+          "traits": {
+            "smithy.api#documentation": "<p>An object that contains server side encryption parameters to be used by media capture\n         pipeline. The parameters can also be used by media concatenation pipeline taking media\n         capture pipeline as a media source.</p>"
+          }
+        },
+        "SinkIamRoleArn": {
+          "target": "com.amazonaws.chimesdkmediapipelines#Arn",
+          "traits": {
+            "smithy.api#documentation": "<p>The Amazon Resource Name (ARN) of the sink role to be used with <code>AwsKmsKeyId</code>\n         in <code>SseAwsKeyManagementParams</code>. Can only interact with <code>S3Bucket</code>\n         sink type. The role must belong to the caller’s account and be able to act on behalf of the\n         caller during the API call. All minimum policy permissions requirements for the caller to\n         perform sink-related actions are the same for <code>SinkIamRoleArn</code>.</p>\n         <p>Additionally, the role must have permission to <code>kms:GenerateDataKey</code> using\n         KMS key supplied as <code>AwsKmsKeyId</code> in <code>SseAwsKeyManagementParams</code>. If\n         media concatenation will be required later, the role must also have permission to\n         <code>kms:Decrypt</code> for the same KMS key.</p>"
+          }
+        },
         "Tags": {
           "target": "com.amazonaws.chimesdkmediapipelines#TagList",
           "traits": {
@@ -4585,6 +4597,18 @@
           "traits": {
             "smithy.api#documentation": "<p>The configuration for a specified media pipeline. <code>SourceType</code> must\n         be <code>ChimeSdkMeeting</code>.</p>"
           }
+        },
+        "SseAwsKeyManagementParams": {
+          "target": "com.amazonaws.chimesdkmediapipelines#SseAwsKeyManagementParams",
+          "traits": {
+            "smithy.api#documentation": "<p>An object that contains server side encryption parameters to be used by media capture\n         pipeline. The parameters can also be used by media concatenation pipeline taking media\n         capture pipeline as a media source.</p>"
+          }
+        },
+        "SinkIamRoleArn": {
+          "target": "com.amazonaws.chimesdkmediapipelines#Arn",
+          "traits": {
+            "smithy.api#documentation": "<p>The Amazon Resource Name (ARN) of the sink role to be used with <code>AwsKmsKeyId</code>\n         in <code>SseAwsKeyManagementParams</code>.</p>"
+          }
         }
       },
       "traits": {
@@ -6146,6 +6170,27 @@
         "smithy.api#documentation": "<p>The configuration settings for the SQS sink.</p>"
       }
     },
+    "com.amazonaws.chimesdkmediapipelines#SseAwsKeyManagementParams": {
+      "type": "structure",
+      "members": {
+        "AwsKmsKeyId": {
+          "target": "com.amazonaws.chimesdkmediapipelines#String",
+          "traits": {
+            "smithy.api#documentation": "<p>The KMS key you want to use to encrypt your media pipeline output.\n         Decryption is required for concatenation pipeline. If using a key located in the current\n         Amazon Web Services account, you can specify your KMS key in one of four\n         ways:</p>\n         <ul>\n            <li>\n               <p>Use the KMS key ID itself. For example,\n               <code>1234abcd-12ab-34cd-56ef-1234567890ab</code>.</p>\n            </li>\n            <li>\n               <p>Use an alias for the KMS key ID. For example,\n               <code>alias/ExampleAlias</code>.</p>\n            </li>\n            <li>\n               <p>Use the Amazon Resource Name (ARN) for the KMS key ID. For example,\n               <code>arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab</code>.</p>\n            </li>\n            <li>\n               <p>Use the ARN for the KMS key alias. For example,\n               <code>arn:aws:kms:region:account-ID:alias/ExampleAlias</code>.</p>\n            </li>\n         </ul>\n         <p>If using a key located in a different Amazon Web Services account than the current\n         Amazon Web Services account, you can specify your KMS key in one of two\n         ways:</p>\n         <ul>\n            <li>\n               <p>Use the ARN for the KMS key ID. For example,\n               <code>arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab</code>.</p>\n            </li>\n            <li>\n               <p>Use the ARN for the KMS key alias. For example,\n               <code>arn:aws:kms:region:account-ID:alias/ExampleAlias</code>.</p>\n            </li>\n         </ul>\n         <p>If you don't specify an encryption key, your output is encrypted with the default\n         Amazon S3 key (SSE-S3).</p>\n         <p>Note that the role specified in the <code>SinkIamRoleArn</code> request parameter must\n         have permission to use the specified KMS key.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "AwsKmsEncryptionContext": {
+          "target": "com.amazonaws.chimesdkmediapipelines#String",
+          "traits": {
+            "smithy.api#documentation": "<p>Base64-encoded string of a UTF-8 encoded JSON, which contains the encryption context as\n         non-secret key-value pair known as encryption context pairs, that provides an added layer\n         of security for your data. For more information, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html\">KMS encryption\n            context</a> and <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html\">Asymmetric keys in KMS</a> in the <i>Key Management Service Developer\n                     Guide</i>.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>Contains server side encryption parameters to be used by media capture pipeline. The\n         parameters can also be used by media concatenation pipeline taking media capture pipeline\n         as a media source.</p>"
+      }
+    },
     "com.amazonaws.chimesdkmediapipelines#StartSpeakerSearchTask": {
       "type": "operation",
       "input": {