diff --git a/clients/client-ec2/README.md b/clients/client-ec2/README.md
index 25061f374321..4c8442383a7e 100644
--- a/clients/client-ec2/README.md
+++ b/clients/client-ec2/README.md
@@ -3749,6 +3749,14 @@ GetInstanceMetadataDefaults
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ec2/command/GetInstanceMetadataDefaultsCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-ec2/Interface/GetInstanceMetadataDefaultsCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-ec2/Interface/GetInstanceMetadataDefaultsCommandOutput/)
 
+</details>
+<details>
+<summary>
+GetInstanceTpmEkPub
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ec2/command/GetInstanceTpmEkPubCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-ec2/Interface/GetInstanceTpmEkPubCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-ec2/Interface/GetInstanceTpmEkPubCommandOutput/)
+
 </details>
 <details>
 <summary>
diff --git a/clients/client-ec2/src/EC2.ts b/clients/client-ec2/src/EC2.ts
index 178e51fb1bb6..b402d83b0d3e 100644
--- a/clients/client-ec2/src/EC2.ts
+++ b/clients/client-ec2/src/EC2.ts
@@ -2165,6 +2165,11 @@ import {
   GetInstanceMetadataDefaultsCommandInput,
   GetInstanceMetadataDefaultsCommandOutput,
 } from "./commands/GetInstanceMetadataDefaultsCommand";
+import {
+  GetInstanceTpmEkPubCommand,
+  GetInstanceTpmEkPubCommandInput,
+  GetInstanceTpmEkPubCommandOutput,
+} from "./commands/GetInstanceTpmEkPubCommand";
 import {
   GetInstanceTypesFromInstanceRequirementsCommand,
   GetInstanceTypesFromInstanceRequirementsCommandInput,
@@ -3480,6 +3485,7 @@ const commands = {
   GetHostReservationPurchasePreviewCommand,
   GetImageBlockPublicAccessStateCommand,
   GetInstanceMetadataDefaultsCommand,
+  GetInstanceTpmEkPubCommand,
   GetInstanceTypesFromInstanceRequirementsCommand,
   GetInstanceUefiDataCommand,
   GetIpamAddressHistoryCommand,
@@ -11108,6 +11114,23 @@ export interface EC2 {
     cb: (err: any, data?: GetInstanceMetadataDefaultsCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link GetInstanceTpmEkPubCommand}
+   */
+  getInstanceTpmEkPub(
+    args: GetInstanceTpmEkPubCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<GetInstanceTpmEkPubCommandOutput>;
+  getInstanceTpmEkPub(
+    args: GetInstanceTpmEkPubCommandInput,
+    cb: (err: any, data?: GetInstanceTpmEkPubCommandOutput) => void
+  ): void;
+  getInstanceTpmEkPub(
+    args: GetInstanceTpmEkPubCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: GetInstanceTpmEkPubCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link GetInstanceTypesFromInstanceRequirementsCommand}
    */
diff --git a/clients/client-ec2/src/EC2Client.ts b/clients/client-ec2/src/EC2Client.ts
index 58ddc71b6f5a..5233864652a6 100644
--- a/clients/client-ec2/src/EC2Client.ts
+++ b/clients/client-ec2/src/EC2Client.ts
@@ -1549,6 +1549,10 @@ import {
   GetInstanceMetadataDefaultsCommandInput,
   GetInstanceMetadataDefaultsCommandOutput,
 } from "./commands/GetInstanceMetadataDefaultsCommand";
+import {
+  GetInstanceTpmEkPubCommandInput,
+  GetInstanceTpmEkPubCommandOutput,
+} from "./commands/GetInstanceTpmEkPubCommand";
 import {
   GetInstanceTypesFromInstanceRequirementsCommandInput,
   GetInstanceTypesFromInstanceRequirementsCommandOutput,
@@ -2607,6 +2611,7 @@ export type ServiceInputTypes =
   | GetHostReservationPurchasePreviewCommandInput
   | GetImageBlockPublicAccessStateCommandInput
   | GetInstanceMetadataDefaultsCommandInput
+  | GetInstanceTpmEkPubCommandInput
   | GetInstanceTypesFromInstanceRequirementsCommandInput
   | GetInstanceUefiDataCommandInput
   | GetIpamAddressHistoryCommandInput
@@ -3232,6 +3237,7 @@ export type ServiceOutputTypes =
   | GetHostReservationPurchasePreviewCommandOutput
   | GetImageBlockPublicAccessStateCommandOutput
   | GetInstanceMetadataDefaultsCommandOutput
+  | GetInstanceTpmEkPubCommandOutput
   | GetInstanceTypesFromInstanceRequirementsCommandOutput
   | GetInstanceUefiDataCommandOutput
   | GetIpamAddressHistoryCommandOutput
diff --git a/clients/client-ec2/src/commands/GetInstanceTpmEkPubCommand.ts b/clients/client-ec2/src/commands/GetInstanceTpmEkPubCommand.ts
new file mode 100644
index 000000000000..9702dfd5cd05
--- /dev/null
+++ b/clients/client-ec2/src/commands/GetInstanceTpmEkPubCommand.ts
@@ -0,0 +1,92 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import { EC2ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../EC2Client";
+import { commonParams } from "../endpoint/EndpointParameters";
+import {
+  GetInstanceTpmEkPubRequest,
+  GetInstanceTpmEkPubResult,
+  GetInstanceTpmEkPubResultFilterSensitiveLog,
+} from "../models/models_5";
+import { de_GetInstanceTpmEkPubCommand, se_GetInstanceTpmEkPubCommand } from "../protocols/Aws_ec2";
+
+/**
+ * @public
+ */
+export { __MetadataBearer, $Command };
+/**
+ * @public
+ *
+ * The input for {@link GetInstanceTpmEkPubCommand}.
+ */
+export interface GetInstanceTpmEkPubCommandInput extends GetInstanceTpmEkPubRequest {}
+/**
+ * @public
+ *
+ * The output of {@link GetInstanceTpmEkPubCommand}.
+ */
+export interface GetInstanceTpmEkPubCommandOutput extends GetInstanceTpmEkPubResult, __MetadataBearer {}
+
+/**
+ * <p>Gets the public endorsement key associated with the Nitro Trusted
+ *             Platform Module (NitroTPM) for the specified instance.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { EC2Client, GetInstanceTpmEkPubCommand } from "@aws-sdk/client-ec2"; // ES Modules import
+ * // const { EC2Client, GetInstanceTpmEkPubCommand } = require("@aws-sdk/client-ec2"); // CommonJS import
+ * const client = new EC2Client(config);
+ * const input = { // GetInstanceTpmEkPubRequest
+ *   InstanceId: "STRING_VALUE", // required
+ *   KeyType: "rsa-2048" || "ecc-sec-p384", // required
+ *   KeyFormat: "der" || "tpmt", // required
+ *   DryRun: true || false,
+ * };
+ * const command = new GetInstanceTpmEkPubCommand(input);
+ * const response = await client.send(command);
+ * // { // GetInstanceTpmEkPubResult
+ * //   InstanceId: "STRING_VALUE",
+ * //   KeyType: "rsa-2048" || "ecc-sec-p384",
+ * //   KeyFormat: "der" || "tpmt",
+ * //   KeyValue: "STRING_VALUE",
+ * // };
+ *
+ * ```
+ *
+ * @param GetInstanceTpmEkPubCommandInput - {@link GetInstanceTpmEkPubCommandInput}
+ * @returns {@link GetInstanceTpmEkPubCommandOutput}
+ * @see {@link GetInstanceTpmEkPubCommandInput} for command's `input` shape.
+ * @see {@link GetInstanceTpmEkPubCommandOutput} for command's `response` shape.
+ * @see {@link EC2ClientResolvedConfig | config} for EC2Client's `config` shape.
+ *
+ * @throws {@link EC2ServiceException}
+ * <p>Base exception class for all service exceptions from EC2 service.</p>
+ *
+ * @public
+ */
+export class GetInstanceTpmEkPubCommand extends $Command
+  .classBuilder<
+    GetInstanceTpmEkPubCommandInput,
+    GetInstanceTpmEkPubCommandOutput,
+    EC2ClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep({
+    ...commonParams,
+  })
+  .m(function (this: any, Command: any, cs: any, config: EC2ClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("AmazonEC2", "GetInstanceTpmEkPub", {})
+  .n("EC2Client", "GetInstanceTpmEkPubCommand")
+  .f(void 0, GetInstanceTpmEkPubResultFilterSensitiveLog)
+  .ser(se_GetInstanceTpmEkPubCommand)
+  .de(de_GetInstanceTpmEkPubCommand)
+  .build() {}
diff --git a/clients/client-ec2/src/commands/GetIpamDiscoveredAccountsCommand.ts b/clients/client-ec2/src/commands/GetIpamDiscoveredAccountsCommand.ts
index f2d33439016a..9bbd58aa6a37 100644
--- a/clients/client-ec2/src/commands/GetIpamDiscoveredAccountsCommand.ts
+++ b/clients/client-ec2/src/commands/GetIpamDiscoveredAccountsCommand.ts
@@ -6,8 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types";
 
 import { EC2ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../EC2Client";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { GetIpamDiscoveredAccountsRequest } from "../models/models_5";
-import { GetIpamDiscoveredAccountsResult } from "../models/models_6";
+import { GetIpamDiscoveredAccountsRequest, GetIpamDiscoveredAccountsResult } from "../models/models_6";
 import { de_GetIpamDiscoveredAccountsCommand, se_GetIpamDiscoveredAccountsCommand } from "../protocols/Aws_ec2";
 
 /**
diff --git a/clients/client-ec2/src/commands/ProvisionIpamPoolCidrCommand.ts b/clients/client-ec2/src/commands/ProvisionIpamPoolCidrCommand.ts
index 07d3259e1e2d..9fa8c54dc703 100644
--- a/clients/client-ec2/src/commands/ProvisionIpamPoolCidrCommand.ts
+++ b/clients/client-ec2/src/commands/ProvisionIpamPoolCidrCommand.ts
@@ -6,7 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types";
 
 import { EC2ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../EC2Client";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { ProvisionIpamPoolCidrRequest, ProvisionIpamPoolCidrResult } from "../models/models_6";
+import { ProvisionIpamPoolCidrRequest, ProvisionIpamPoolCidrResult } from "../models/models_7";
 import { de_ProvisionIpamPoolCidrCommand, se_ProvisionIpamPoolCidrCommand } from "../protocols/Aws_ec2";
 
 /**
diff --git a/clients/client-ec2/src/commands/ProvisionPublicIpv4PoolCidrCommand.ts b/clients/client-ec2/src/commands/ProvisionPublicIpv4PoolCidrCommand.ts
index 11d527359010..ea83c17719fe 100644
--- a/clients/client-ec2/src/commands/ProvisionPublicIpv4PoolCidrCommand.ts
+++ b/clients/client-ec2/src/commands/ProvisionPublicIpv4PoolCidrCommand.ts
@@ -6,8 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types";
 
 import { EC2ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../EC2Client";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { ProvisionPublicIpv4PoolCidrRequest } from "../models/models_6";
-import { ProvisionPublicIpv4PoolCidrResult } from "../models/models_7";
+import { ProvisionPublicIpv4PoolCidrRequest, ProvisionPublicIpv4PoolCidrResult } from "../models/models_7";
 import { de_ProvisionPublicIpv4PoolCidrCommand, se_ProvisionPublicIpv4PoolCidrCommand } from "../protocols/Aws_ec2";
 
 /**
diff --git a/clients/client-ec2/src/commands/index.ts b/clients/client-ec2/src/commands/index.ts
index 4a39eb18ef99..0b6c62147a1b 100644
--- a/clients/client-ec2/src/commands/index.ts
+++ b/clients/client-ec2/src/commands/index.ts
@@ -442,6 +442,7 @@ export * from "./GetGroupsForCapacityReservationCommand";
 export * from "./GetHostReservationPurchasePreviewCommand";
 export * from "./GetImageBlockPublicAccessStateCommand";
 export * from "./GetInstanceMetadataDefaultsCommand";
+export * from "./GetInstanceTpmEkPubCommand";
 export * from "./GetInstanceTypesFromInstanceRequirementsCommand";
 export * from "./GetInstanceUefiDataCommand";
 export * from "./GetIpamAddressHistoryCommand";
diff --git a/clients/client-ec2/src/models/models_5.ts b/clients/client-ec2/src/models/models_5.ts
index 09ac206e7650..4c9d49ad8f6f 100644
--- a/clients/client-ec2/src/models/models_5.ts
+++ b/clients/client-ec2/src/models/models_5.ts
@@ -1,4 +1,6 @@
 // smithy-typescript generated code
+import { SENSITIVE_STRING } from "@smithy/smithy-client";
+
 import {
   _InstanceType,
   AddressTransfer,
@@ -8295,6 +8297,96 @@ export interface GetInstanceMetadataDefaultsResult {
   AccountLevel?: InstanceMetadataDefaultsResponse;
 }
 
+/**
+ * @public
+ * @enum
+ */
+export const EkPubKeyFormat = {
+  der: "der",
+  tpmt: "tpmt",
+} as const;
+
+/**
+ * @public
+ */
+export type EkPubKeyFormat = (typeof EkPubKeyFormat)[keyof typeof EkPubKeyFormat];
+
+/**
+ * @public
+ * @enum
+ */
+export const EkPubKeyType = {
+  ECC_SEC_P384: "ecc-sec-p384",
+  RSA_2048: "rsa-2048",
+} as const;
+
+/**
+ * @public
+ */
+export type EkPubKeyType = (typeof EkPubKeyType)[keyof typeof EkPubKeyType];
+
+/**
+ * @public
+ */
+export interface GetInstanceTpmEkPubRequest {
+  /**
+   * <p>The ID of the instance for which to get the public endorsement key.</p>
+   * @public
+   */
+  InstanceId: string | undefined;
+
+  /**
+   * <p>The required public endorsement key type.</p>
+   * @public
+   */
+  KeyType: EkPubKeyType | undefined;
+
+  /**
+   * <p>The required public endorsement key format. Specify <code>der</code> for a DER-encoded public
+   *             key that is compatible with OpenSSL. Specify <code>tpmt</code> for a TPM 2.0 format that is
+   *             compatible with tpm2-tools. The returned key is base64 encoded.</p>
+   * @public
+   */
+  KeyFormat: EkPubKeyFormat | undefined;
+
+  /**
+   * <p>Specify this parameter to verify whether the request will succeed, without actually making the
+   *             request. If the request will succeed, the response is <code>DryRunOperation</code>. Otherwise,
+   *             the response is <code>UnauthorizedOperation</code>.</p>
+   * @public
+   */
+  DryRun?: boolean;
+}
+
+/**
+ * @public
+ */
+export interface GetInstanceTpmEkPubResult {
+  /**
+   * <p>The ID of the instance.</p>
+   * @public
+   */
+  InstanceId?: string;
+
+  /**
+   * <p>The public endorsement key type.</p>
+   * @public
+   */
+  KeyType?: EkPubKeyType;
+
+  /**
+   * <p>The public endorsement key format.</p>
+   * @public
+   */
+  KeyFormat?: EkPubKeyFormat;
+
+  /**
+   * <p>The public endorsement key material.</p>
+   * @public
+   */
+  KeyValue?: string;
+}
+
 /**
  * @public
  */
@@ -8601,144 +8693,6 @@ export interface GetIpamAddressHistoryResult {
   NextToken?: string;
 }
 
-/**
- * @public
- */
-export interface GetIpamDiscoveredAccountsRequest {
-  /**
-   * <p>A check for whether you have the required permissions for the action without actually making the request
-   *    and provides an error response. If you have the required permissions, the error response is <code>DryRunOperation</code>.
-   *    Otherwise, it is <code>UnauthorizedOperation</code>.</p>
-   * @public
-   */
-  DryRun?: boolean;
-
-  /**
-   * <p>A resource discovery ID.</p>
-   * @public
-   */
-  IpamResourceDiscoveryId: string | undefined;
-
-  /**
-   * <p>The Amazon Web Services Region that the account information is returned from.</p>
-   * @public
-   */
-  DiscoveryRegion: string | undefined;
-
-  /**
-   * <p>Discovered account filters.</p>
-   * @public
-   */
-  Filters?: Filter[];
-
-  /**
-   * <p>Specify the pagination token from a previous request to retrieve the next page of results.</p>
-   * @public
-   */
-  NextToken?: string;
-
-  /**
-   * <p>The maximum number of discovered accounts to return in one page of results.</p>
-   * @public
-   */
-  MaxResults?: number;
-}
-
-/**
- * @public
- * @enum
- */
-export const IpamDiscoveryFailureCode = {
-  assume_role_failure: "assume-role-failure",
-  throttling_failure: "throttling-failure",
-  unauthorized_failure: "unauthorized-failure",
-} as const;
-
-/**
- * @public
- */
-export type IpamDiscoveryFailureCode = (typeof IpamDiscoveryFailureCode)[keyof typeof IpamDiscoveryFailureCode];
-
-/**
- * <p>The discovery failure reason.</p>
- * @public
- */
-export interface IpamDiscoveryFailureReason {
-  /**
-   * <p>The discovery failure code.</p>
-   *          <ul>
-   *             <li>
-   *                <p>
-   *                   <code>assume-role-failure</code> - IPAM could not assume the Amazon Web Services IAM service-linked role. This could be because of any of the following:</p>
-   *                <ul>
-   *                   <li>
-   *                      <p>SLR has not been created yet and IPAM is still creating it.</p>
-   *                   </li>
-   *                   <li>
-   *                      <p>You have opted-out of the IPAM home Region.</p>
-   *                   </li>
-   *                   <li>
-   *                      <p>Account you are using as your IPAM account has been suspended.</p>
-   *                   </li>
-   *                </ul>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>throttling-failure</code> - IPAM account is already using the allotted transactions per second and IPAM is receiving a throttling error when assuming the Amazon Web Services IAM SLR.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>unauthorized-failure</code> - Amazon Web Services account making the request is not authorized. For more information, see <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/errors-overview.html">AuthFailure</a> in the <i>Amazon Elastic Compute Cloud API Reference</i>.</p>
-   *             </li>
-   *          </ul>
-   * @public
-   */
-  Code?: IpamDiscoveryFailureCode;
-
-  /**
-   * <p>The discovery failure message.</p>
-   * @public
-   */
-  Message?: string;
-}
-
-/**
- * <p>An IPAM discovered account. A discovered account is an Amazon Web Services account that is monitored under a resource discovery. If you have integrated IPAM with Amazon Web Services Organizations, all accounts in the organization are discovered accounts.</p>
- * @public
- */
-export interface IpamDiscoveredAccount {
-  /**
-   * <p>The account ID.</p>
-   * @public
-   */
-  AccountId?: string;
-
-  /**
-   * <p>The Amazon Web Services Region that the account information is returned from.
-   *          An account can be discovered in multiple regions and will have a separate discovered account for each Region.</p>
-   * @public
-   */
-  DiscoveryRegion?: string;
-
-  /**
-   * <p>The resource discovery failure reason.</p>
-   * @public
-   */
-  FailureReason?: IpamDiscoveryFailureReason;
-
-  /**
-   * <p>The last attempted resource discovery time.</p>
-   * @public
-   */
-  LastAttemptedDiscoveryTime?: Date;
-
-  /**
-   * <p>The last successful resource discovery time.</p>
-   * @public
-   */
-  LastSuccessfulDiscoveryTime?: Date;
-}
-
 /**
  * @internal
  */
@@ -8774,3 +8728,11 @@ export const DetachVerifiedAccessTrustProviderResultFilterSensitiveLog = (
     VerifiedAccessTrustProvider: VerifiedAccessTrustProviderFilterSensitiveLog(obj.VerifiedAccessTrustProvider),
   }),
 });
+
+/**
+ * @internal
+ */
+export const GetInstanceTpmEkPubResultFilterSensitiveLog = (obj: GetInstanceTpmEkPubResult): any => ({
+  ...obj,
+  ...(obj.KeyValue && { KeyValue: SENSITIVE_STRING }),
+});
diff --git a/clients/client-ec2/src/models/models_6.ts b/clients/client-ec2/src/models/models_6.ts
index e6a5a6b10161..ad5a44aee9f0 100644
--- a/clients/client-ec2/src/models/models_6.ts
+++ b/clients/client-ec2/src/models/models_6.ts
@@ -151,7 +151,6 @@ import {
 import {
   InstanceFamilyCreditSpecification,
   IpamComplianceStatus,
-  IpamDiscoveredAccount,
   IpamOverlapStatus,
   SnapshotBlockPublicAccessState,
   TransitGatewayPropagationState,
@@ -160,6 +159,144 @@ import {
   VolumeModification,
 } from "./models_5";
 
+/**
+ * @public
+ */
+export interface GetIpamDiscoveredAccountsRequest {
+  /**
+   * <p>A check for whether you have the required permissions for the action without actually making the request
+   *    and provides an error response. If you have the required permissions, the error response is <code>DryRunOperation</code>.
+   *    Otherwise, it is <code>UnauthorizedOperation</code>.</p>
+   * @public
+   */
+  DryRun?: boolean;
+
+  /**
+   * <p>A resource discovery ID.</p>
+   * @public
+   */
+  IpamResourceDiscoveryId: string | undefined;
+
+  /**
+   * <p>The Amazon Web Services Region that the account information is returned from.</p>
+   * @public
+   */
+  DiscoveryRegion: string | undefined;
+
+  /**
+   * <p>Discovered account filters.</p>
+   * @public
+   */
+  Filters?: Filter[];
+
+  /**
+   * <p>Specify the pagination token from a previous request to retrieve the next page of results.</p>
+   * @public
+   */
+  NextToken?: string;
+
+  /**
+   * <p>The maximum number of discovered accounts to return in one page of results.</p>
+   * @public
+   */
+  MaxResults?: number;
+}
+
+/**
+ * @public
+ * @enum
+ */
+export const IpamDiscoveryFailureCode = {
+  assume_role_failure: "assume-role-failure",
+  throttling_failure: "throttling-failure",
+  unauthorized_failure: "unauthorized-failure",
+} as const;
+
+/**
+ * @public
+ */
+export type IpamDiscoveryFailureCode = (typeof IpamDiscoveryFailureCode)[keyof typeof IpamDiscoveryFailureCode];
+
+/**
+ * <p>The discovery failure reason.</p>
+ * @public
+ */
+export interface IpamDiscoveryFailureReason {
+  /**
+   * <p>The discovery failure code.</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>assume-role-failure</code> - IPAM could not assume the Amazon Web Services IAM service-linked role. This could be because of any of the following:</p>
+   *                <ul>
+   *                   <li>
+   *                      <p>SLR has not been created yet and IPAM is still creating it.</p>
+   *                   </li>
+   *                   <li>
+   *                      <p>You have opted-out of the IPAM home Region.</p>
+   *                   </li>
+   *                   <li>
+   *                      <p>Account you are using as your IPAM account has been suspended.</p>
+   *                   </li>
+   *                </ul>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>throttling-failure</code> - IPAM account is already using the allotted transactions per second and IPAM is receiving a throttling error when assuming the Amazon Web Services IAM SLR.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>unauthorized-failure</code> - Amazon Web Services account making the request is not authorized. For more information, see <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/errors-overview.html">AuthFailure</a> in the <i>Amazon Elastic Compute Cloud API Reference</i>.</p>
+   *             </li>
+   *          </ul>
+   * @public
+   */
+  Code?: IpamDiscoveryFailureCode;
+
+  /**
+   * <p>The discovery failure message.</p>
+   * @public
+   */
+  Message?: string;
+}
+
+/**
+ * <p>An IPAM discovered account. A discovered account is an Amazon Web Services account that is monitored under a resource discovery. If you have integrated IPAM with Amazon Web Services Organizations, all accounts in the organization are discovered accounts.</p>
+ * @public
+ */
+export interface IpamDiscoveredAccount {
+  /**
+   * <p>The account ID.</p>
+   * @public
+   */
+  AccountId?: string;
+
+  /**
+   * <p>The Amazon Web Services Region that the account information is returned from.
+   *          An account can be discovered in multiple regions and will have a separate discovered account for each Region.</p>
+   * @public
+   */
+  DiscoveryRegion?: string;
+
+  /**
+   * <p>The resource discovery failure reason.</p>
+   * @public
+   */
+  FailureReason?: IpamDiscoveryFailureReason;
+
+  /**
+   * <p>The last attempted resource discovery time.</p>
+   * @public
+   */
+  LastAttemptedDiscoveryTime?: Date;
+
+  /**
+   * <p>The last successful resource discovery time.</p>
+   * @public
+   */
+  LastSuccessfulDiscoveryTime?: Date;
+}
+
 /**
  * @public
  */
@@ -9430,109 +9567,6 @@ export interface ProvisionIpamByoasnResult {
   Byoasn?: Byoasn;
 }
 
-/**
- * <p>A signed document that proves that you are authorized to bring the specified IP address range to Amazon using BYOIP.</p>
- * @public
- */
-export interface IpamCidrAuthorizationContext {
-  /**
-   * <p>The plain-text authorization message for the prefix and account.</p>
-   * @public
-   */
-  Message?: string;
-
-  /**
-   * <p>The signed authorization message for the prefix and account.</p>
-   * @public
-   */
-  Signature?: string;
-}
-
-/**
- * @public
- */
-export interface ProvisionIpamPoolCidrRequest {
-  /**
-   * <p>A check for whether you have the required permissions for the action without actually making the request
-   *    and provides an error response. If you have the required permissions, the error response is <code>DryRunOperation</code>.
-   *    Otherwise, it is <code>UnauthorizedOperation</code>.</p>
-   * @public
-   */
-  DryRun?: boolean;
-
-  /**
-   * <p>The ID of the IPAM pool to which you want to assign a CIDR.</p>
-   * @public
-   */
-  IpamPoolId: string | undefined;
-
-  /**
-   * <p>The CIDR you want to assign to the IPAM pool. Either "NetmaskLength" or "Cidr" is required. This value will be null if you specify "NetmaskLength" and will be filled in during the provisioning process.</p>
-   * @public
-   */
-  Cidr?: string;
-
-  /**
-   * <p>A signed document that proves that you are authorized to bring a specified IP address range to Amazon using BYOIP. This option applies to public pools only.</p>
-   * @public
-   */
-  CidrAuthorizationContext?: IpamCidrAuthorizationContext;
-
-  /**
-   * <p>The netmask length of the CIDR you'd like to provision to a pool. Can be used for provisioning Amazon-provided IPv6 CIDRs to top-level pools and for provisioning CIDRs to pools with source pools. Cannot be used to provision BYOIP CIDRs to top-level pools. Either "NetmaskLength" or "Cidr" is required.</p>
-   * @public
-   */
-  NetmaskLength?: number;
-
-  /**
-   * <p>A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. For more information, see <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html">Ensuring Idempotency</a>.</p>
-   * @public
-   */
-  ClientToken?: string;
-}
-
-/**
- * @public
- */
-export interface ProvisionIpamPoolCidrResult {
-  /**
-   * <p>Information about the provisioned CIDR.</p>
-   * @public
-   */
-  IpamPoolCidr?: IpamPoolCidr;
-}
-
-/**
- * @public
- */
-export interface ProvisionPublicIpv4PoolCidrRequest {
-  /**
-   * <p>A check for whether you have the required permissions for the action without actually making the request
-   *    and provides an error response. If you have the required permissions, the error response is <code>DryRunOperation</code>.
-   *    Otherwise, it is <code>UnauthorizedOperation</code>.</p>
-   * @public
-   */
-  DryRun?: boolean;
-
-  /**
-   * <p>The ID of the IPAM pool you would like to use to allocate this CIDR.</p>
-   * @public
-   */
-  IpamPoolId: string | undefined;
-
-  /**
-   * <p>The ID of the public IPv4 pool you would like to use for this CIDR.</p>
-   * @public
-   */
-  PoolId: string | undefined;
-
-  /**
-   * <p>The netmask length of the CIDR you would like to allocate to the public IPv4 pool.</p>
-   * @public
-   */
-  NetmaskLength: number | undefined;
-}
-
 /**
  * @internal
  */
diff --git a/clients/client-ec2/src/models/models_7.ts b/clients/client-ec2/src/models/models_7.ts
index e353595a348e..3fa55e8181b7 100644
--- a/clients/client-ec2/src/models/models_7.ts
+++ b/clients/client-ec2/src/models/models_7.ts
@@ -51,6 +51,7 @@ import {
   Filter,
   ImdsSupportValues,
   InstanceTagNotificationAttribute,
+  IpamPoolCidr,
   TpmSupportValues,
 } from "./models_3";
 
@@ -80,6 +81,109 @@ import { Purchase } from "./models_5";
 
 import { CapacityReservationSpecification, InstanceMonitoring, Status } from "./models_6";
 
+/**
+ * <p>A signed document that proves that you are authorized to bring the specified IP address range to Amazon using BYOIP.</p>
+ * @public
+ */
+export interface IpamCidrAuthorizationContext {
+  /**
+   * <p>The plain-text authorization message for the prefix and account.</p>
+   * @public
+   */
+  Message?: string;
+
+  /**
+   * <p>The signed authorization message for the prefix and account.</p>
+   * @public
+   */
+  Signature?: string;
+}
+
+/**
+ * @public
+ */
+export interface ProvisionIpamPoolCidrRequest {
+  /**
+   * <p>A check for whether you have the required permissions for the action without actually making the request
+   *    and provides an error response. If you have the required permissions, the error response is <code>DryRunOperation</code>.
+   *    Otherwise, it is <code>UnauthorizedOperation</code>.</p>
+   * @public
+   */
+  DryRun?: boolean;
+
+  /**
+   * <p>The ID of the IPAM pool to which you want to assign a CIDR.</p>
+   * @public
+   */
+  IpamPoolId: string | undefined;
+
+  /**
+   * <p>The CIDR you want to assign to the IPAM pool. Either "NetmaskLength" or "Cidr" is required. This value will be null if you specify "NetmaskLength" and will be filled in during the provisioning process.</p>
+   * @public
+   */
+  Cidr?: string;
+
+  /**
+   * <p>A signed document that proves that you are authorized to bring a specified IP address range to Amazon using BYOIP. This option applies to public pools only.</p>
+   * @public
+   */
+  CidrAuthorizationContext?: IpamCidrAuthorizationContext;
+
+  /**
+   * <p>The netmask length of the CIDR you'd like to provision to a pool. Can be used for provisioning Amazon-provided IPv6 CIDRs to top-level pools and for provisioning CIDRs to pools with source pools. Cannot be used to provision BYOIP CIDRs to top-level pools. Either "NetmaskLength" or "Cidr" is required.</p>
+   * @public
+   */
+  NetmaskLength?: number;
+
+  /**
+   * <p>A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. For more information, see <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html">Ensuring Idempotency</a>.</p>
+   * @public
+   */
+  ClientToken?: string;
+}
+
+/**
+ * @public
+ */
+export interface ProvisionIpamPoolCidrResult {
+  /**
+   * <p>Information about the provisioned CIDR.</p>
+   * @public
+   */
+  IpamPoolCidr?: IpamPoolCidr;
+}
+
+/**
+ * @public
+ */
+export interface ProvisionPublicIpv4PoolCidrRequest {
+  /**
+   * <p>A check for whether you have the required permissions for the action without actually making the request
+   *    and provides an error response. If you have the required permissions, the error response is <code>DryRunOperation</code>.
+   *    Otherwise, it is <code>UnauthorizedOperation</code>.</p>
+   * @public
+   */
+  DryRun?: boolean;
+
+  /**
+   * <p>The ID of the IPAM pool you would like to use to allocate this CIDR.</p>
+   * @public
+   */
+  IpamPoolId: string | undefined;
+
+  /**
+   * <p>The ID of the public IPv4 pool you would like to use for this CIDR.</p>
+   * @public
+   */
+  PoolId: string | undefined;
+
+  /**
+   * <p>The netmask length of the CIDR you would like to allocate to the public IPv4 pool.</p>
+   * @public
+   */
+  NetmaskLength: number | undefined;
+}
+
 /**
  * @public
  */
diff --git a/clients/client-ec2/src/protocols/Aws_ec2.ts b/clients/client-ec2/src/protocols/Aws_ec2.ts
index 4f1f6dcfd6f8..d3bf2b1e20c6 100644
--- a/clients/client-ec2/src/protocols/Aws_ec2.ts
+++ b/clients/client-ec2/src/protocols/Aws_ec2.ts
@@ -1519,6 +1519,10 @@ import {
   GetInstanceMetadataDefaultsCommandInput,
   GetInstanceMetadataDefaultsCommandOutput,
 } from "../commands/GetInstanceMetadataDefaultsCommand";
+import {
+  GetInstanceTpmEkPubCommandInput,
+  GetInstanceTpmEkPubCommandOutput,
+} from "../commands/GetInstanceTpmEkPubCommand";
 import {
   GetInstanceTypesFromInstanceRequirementsCommandInput,
   GetInstanceTypesFromInstanceRequirementsCommandOutput,
@@ -3600,13 +3604,14 @@ import {
   GetImageBlockPublicAccessStateResult,
   GetInstanceMetadataDefaultsRequest,
   GetInstanceMetadataDefaultsResult,
+  GetInstanceTpmEkPubRequest,
+  GetInstanceTpmEkPubResult,
   GetInstanceTypesFromInstanceRequirementsRequest,
   GetInstanceTypesFromInstanceRequirementsResult,
   GetInstanceUefiDataRequest,
   GetInstanceUefiDataResult,
   GetIpamAddressHistoryRequest,
   GetIpamAddressHistoryResult,
-  GetIpamDiscoveredAccountsRequest,
   InstanceEventWindowDisassociationRequest,
   InstanceFamilyCreditSpecification,
   InstanceMetadataDefaultsResponse,
@@ -3614,8 +3619,6 @@ import {
   InstanceUsage,
   IntegrateServices,
   IpamAddressHistoryRecord,
-  IpamDiscoveredAccount,
-  IpamDiscoveryFailureReason,
   Ipv6CidrAssociation,
   MetricPoint,
   PrivateDnsDetails,
@@ -3656,6 +3659,7 @@ import {
   DiskImageDetail,
   DnsServersOptionsModifyStructure,
   EbsInstanceBlockDeviceSpecification,
+  GetIpamDiscoveredAccountsRequest,
   GetIpamDiscoveredAccountsResult,
   GetIpamDiscoveredPublicAddressesRequest,
   GetIpamDiscoveredPublicAddressesResult,
@@ -3735,9 +3739,10 @@ import {
   InstanceCreditSpecificationRequest,
   InstanceMonitoring,
   InstanceRequirementsWithMetadataRequest,
-  IpamCidrAuthorizationContext,
+  IpamDiscoveredAccount,
   IpamDiscoveredPublicAddress,
   IpamDiscoveredResourceCidr,
+  IpamDiscoveryFailureReason,
   IpamPublicAddressSecurityGroup,
   IpamPublicAddressTag,
   IpamPublicAddressTags,
@@ -3895,9 +3900,6 @@ import {
   ProvisionByoipCidrResult,
   ProvisionIpamByoasnRequest,
   ProvisionIpamByoasnResult,
-  ProvisionIpamPoolCidrRequest,
-  ProvisionIpamPoolCidrResult,
-  ProvisionPublicIpv4PoolCidrRequest,
   RemoveIpamOperatingRegion,
   RemovePrefixListEntry,
   ReservationValue,
@@ -3940,9 +3942,13 @@ import {
   InstanceMarketOptionsRequest,
   InstanceMetadataOptionsRequest,
   InstanceStateChange,
+  IpamCidrAuthorizationContext,
   LaunchTemplateSpecification,
   LicenseConfigurationRequest,
   PrivateDnsNameOptionsRequest,
+  ProvisionIpamPoolCidrRequest,
+  ProvisionIpamPoolCidrResult,
+  ProvisionPublicIpv4PoolCidrRequest,
   ProvisionPublicIpv4PoolCidrResult,
   PurchaseCapacityBlockRequest,
   PurchaseCapacityBlockResult,
@@ -11611,6 +11617,23 @@ export const se_GetInstanceMetadataDefaultsCommand = async (
   return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 
+/**
+ * serializeAws_ec2GetInstanceTpmEkPubCommand
+ */
+export const se_GetInstanceTpmEkPubCommand = async (
+  input: GetInstanceTpmEkPubCommandInput,
+  context: __SerdeContext
+): Promise<__HttpRequest> => {
+  const headers: __HeaderBag = SHARED_HEADERS;
+  let body: any;
+  body = buildFormUrlencodedString({
+    ...se_GetInstanceTpmEkPubRequest(input, context),
+    [_A]: _GITEP,
+    [_V]: _,
+  });
+  return buildHttpRpcRequest(context, headers, "/", undefined, body);
+};
+
 /**
  * serializeAws_ec2GetInstanceTypesFromInstanceRequirementsCommand
  */
@@ -23375,6 +23398,26 @@ export const de_GetInstanceMetadataDefaultsCommand = async (
   return response;
 };
 
+/**
+ * deserializeAws_ec2GetInstanceTpmEkPubCommand
+ */
+export const de_GetInstanceTpmEkPubCommand = async (
+  output: __HttpResponse,
+  context: __SerdeContext
+): Promise<GetInstanceTpmEkPubCommandOutput> => {
+  if (output.statusCode >= 300) {
+    return de_CommandError(output, context);
+  }
+  const data: any = await parseBody(output.body, context);
+  let contents: any = {};
+  contents = de_GetInstanceTpmEkPubResult(data, context);
+  const response: GetInstanceTpmEkPubCommandOutput = {
+    $metadata: deserializeMetadata(output),
+    ...contents,
+  };
+  return response;
+};
+
 /**
  * deserializeAws_ec2GetInstanceTypesFromInstanceRequirementsCommand
  */
@@ -42230,6 +42273,26 @@ const se_GetInstanceMetadataDefaultsRequest = (
   return entries;
 };
 
+/**
+ * serializeAws_ec2GetInstanceTpmEkPubRequest
+ */
+const se_GetInstanceTpmEkPubRequest = (input: GetInstanceTpmEkPubRequest, context: __SerdeContext): any => {
+  const entries: any = {};
+  if (input[_IIn] != null) {
+    entries[_IIn] = input[_IIn];
+  }
+  if (input[_KT] != null) {
+    entries[_KT] = input[_KT];
+  }
+  if (input[_KF] != null) {
+    entries[_KF] = input[_KF];
+  }
+  if (input[_DRr] != null) {
+    entries[_DRr] = input[_DRr];
+  }
+  return entries;
+};
+
 /**
  * serializeAws_ec2GetInstanceTypesFromInstanceRequirementsRequest
  */
@@ -66922,6 +66985,26 @@ const de_GetInstanceMetadataDefaultsResult = (
   return contents;
 };
 
+/**
+ * deserializeAws_ec2GetInstanceTpmEkPubResult
+ */
+const de_GetInstanceTpmEkPubResult = (output: any, context: __SerdeContext): GetInstanceTpmEkPubResult => {
+  const contents: any = {};
+  if (output[_iI] != null) {
+    contents[_IIn] = __expectString(output[_iI]);
+  }
+  if (output[_kT] != null) {
+    contents[_KT] = __expectString(output[_kT]);
+  }
+  if (output[_kF] != null) {
+    contents[_KF] = __expectString(output[_kF]);
+  }
+  if (output[_kV] != null) {
+    contents[_KV] = __expectString(output[_kV]);
+  }
+  return contents;
+};
+
 /**
  * deserializeAws_ec2GetInstanceTypesFromInstanceRequirementsResult
  */
@@ -68542,8 +68625,8 @@ const de_ImportInstanceVolumeDetailSet = (output: any, context: __SerdeContext):
  */
 const de_ImportKeyPairResult = (output: any, context: __SerdeContext): ImportKeyPairResult => {
   const contents: any = {};
-  if (output[_kF] != null) {
-    contents[_KFe] = __expectString(output[_kF]);
+  if (output[_kFe] != null) {
+    contents[_KFe] = __expectString(output[_kFe]);
   }
   if (output[_kN] != null) {
     contents[_KN] = __expectString(output[_kN]);
@@ -71570,8 +71653,8 @@ const de_Ipv6RangeList = (output: any, context: __SerdeContext): Ipv6Range[] =>
  */
 const de_KeyPair = (output: any, context: __SerdeContext): KeyPair => {
   const contents: any = {};
-  if (output[_kF] != null) {
-    contents[_KFe] = __expectString(output[_kF]);
+  if (output[_kFe] != null) {
+    contents[_KFe] = __expectString(output[_kFe]);
   }
   if (output[_kM] != null) {
     contents[_KM] = __expectString(output[_kM]);
@@ -71598,8 +71681,8 @@ const de_KeyPairInfo = (output: any, context: __SerdeContext): KeyPairInfo => {
   if (output[_kPI] != null) {
     contents[_KPI] = __expectString(output[_kPI]);
   }
-  if (output[_kF] != null) {
-    contents[_KFe] = __expectString(output[_kF]);
+  if (output[_kFe] != null) {
+    contents[_KFe] = __expectString(output[_kFe]);
   }
   if (output[_kN] != null) {
     contents[_KN] = __expectString(output[_kN]);
@@ -84763,6 +84846,7 @@ const _GIMD = "GetInstanceMetadataDefaults";
 const _GIPA = "GetIpamPoolAllocations";
 const _GIPC = "GetIpamPoolCidrs";
 const _GIRC = "GetIpamResourceCidrs";
+const _GITEP = "GetInstanceTpmEkPub";
 const _GITFIR = "GetInstanceTypesFromInstanceRequirements";
 const _GIUD = "GetInstanceUefiData";
 const _GIp = "GpuInfo";
@@ -85041,6 +85125,7 @@ const _KP = "KeyPairs";
 const _KPI = "KeyPairId";
 const _KPIe = "KeyPairIds";
 const _KT = "KeyType";
+const _KV = "KeyValue";
 const _Ke = "Key";
 const _Key = "Keyword";
 const _L = "Locale";
@@ -86957,7 +87042,8 @@ const _ip = "ipam";
 const _is = "issuer";
 const _k = "key";
 const _kDF = "kinesisDataFirehose";
-const _kF = "keyFingerprint";
+const _kF = "keyFormat";
+const _kFe = "keyFingerprint";
 const _kI = "kernelId";
 const _kKA = "kmsKeyArn";
 const _kKI = "kmsKeyId";
@@ -86966,6 +87052,7 @@ const _kN = "keyName";
 const _kPI = "keyPairId";
 const _kS = "keySet";
 const _kT = "keyType";
+const _kV = "keyValue";
 const _ke = "kernel";
 const _key = "keyword";
 const _l = "lifecycle";
diff --git a/codegen/sdk-codegen/aws-models/ec2.json b/codegen/sdk-codegen/aws-models/ec2.json
index 15b22d9119ad..1a9b61da4c24 100644
--- a/codegen/sdk-codegen/aws-models/ec2.json
+++ b/codegen/sdk-codegen/aws-models/ec2.json
@@ -3464,6 +3464,9 @@
         {
           "target": "com.amazonaws.ec2#GetInstanceMetadataDefaults"
         },
+        {
+          "target": "com.amazonaws.ec2#GetInstanceTpmEkPub"
+        },
         {
           "target": "com.amazonaws.ec2#GetInstanceTypesFromInstanceRequirements"
         },
@@ -45635,6 +45638,46 @@
         }
       }
     },
+    "com.amazonaws.ec2#EkPubKeyFormat": {
+      "type": "enum",
+      "members": {
+        "der": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "der"
+          }
+        },
+        "tpmt": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "tpmt"
+          }
+        }
+      }
+    },
+    "com.amazonaws.ec2#EkPubKeyType": {
+      "type": "enum",
+      "members": {
+        "RSA_2048": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "rsa-2048"
+          }
+        },
+        "ECC_SEC_P384": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "ecc-sec-p384"
+          }
+        }
+      }
+    },
+    "com.amazonaws.ec2#EkPubKeyValue": {
+      "type": "string",
+      "traits": {
+        "smithy.api#sensitive": {}
+      }
+    },
     "com.amazonaws.ec2#ElasticGpuAssociation": {
       "type": "structure",
       "members": {
@@ -51713,6 +51756,97 @@
         "smithy.api#output": {}
       }
     },
+    "com.amazonaws.ec2#GetInstanceTpmEkPub": {
+      "type": "operation",
+      "input": {
+        "target": "com.amazonaws.ec2#GetInstanceTpmEkPubRequest"
+      },
+      "output": {
+        "target": "com.amazonaws.ec2#GetInstanceTpmEkPubResult"
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>Gets the public endorsement key associated with the Nitro Trusted \n            Platform Module (NitroTPM) for the specified instance.</p>"
+      }
+    },
+    "com.amazonaws.ec2#GetInstanceTpmEkPubRequest": {
+      "type": "structure",
+      "members": {
+        "InstanceId": {
+          "target": "com.amazonaws.ec2#InstanceId",
+          "traits": {
+            "smithy.api#clientOptional": {},
+            "smithy.api#documentation": "<p>The ID of the instance for which to get the public endorsement key.</p>",
+            "smithy.api#required": {},
+            "smithy.api#xmlName": "InstanceId"
+          }
+        },
+        "KeyType": {
+          "target": "com.amazonaws.ec2#EkPubKeyType",
+          "traits": {
+            "smithy.api#clientOptional": {},
+            "smithy.api#documentation": "<p>The required public endorsement key type.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "KeyFormat": {
+          "target": "com.amazonaws.ec2#EkPubKeyFormat",
+          "traits": {
+            "smithy.api#clientOptional": {},
+            "smithy.api#documentation": "<p>The required public endorsement key format. Specify <code>der</code> for a DER-encoded public \n            key that is compatible with OpenSSL. Specify <code>tpmt</code> for a TPM 2.0 format that is \n            compatible with tpm2-tools. The returned key is base64 encoded.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "DryRun": {
+          "target": "com.amazonaws.ec2#Boolean",
+          "traits": {
+            "smithy.api#documentation": "<p>Specify this parameter to verify whether the request will succeed, without actually making the \n            request. If the request will succeed, the response is <code>DryRunOperation</code>. Otherwise, \n            the response is <code>UnauthorizedOperation</code>.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#input": {}
+      }
+    },
+    "com.amazonaws.ec2#GetInstanceTpmEkPubResult": {
+      "type": "structure",
+      "members": {
+        "InstanceId": {
+          "target": "com.amazonaws.ec2#InstanceId",
+          "traits": {
+            "aws.protocols#ec2QueryName": "InstanceId",
+            "smithy.api#documentation": "<p>The ID of the instance.</p>",
+            "smithy.api#xmlName": "instanceId"
+          }
+        },
+        "KeyType": {
+          "target": "com.amazonaws.ec2#EkPubKeyType",
+          "traits": {
+            "aws.protocols#ec2QueryName": "KeyType",
+            "smithy.api#documentation": "<p>The public endorsement key type.</p>",
+            "smithy.api#xmlName": "keyType"
+          }
+        },
+        "KeyFormat": {
+          "target": "com.amazonaws.ec2#EkPubKeyFormat",
+          "traits": {
+            "aws.protocols#ec2QueryName": "KeyFormat",
+            "smithy.api#documentation": "<p>The public endorsement key format.</p>",
+            "smithy.api#xmlName": "keyFormat"
+          }
+        },
+        "KeyValue": {
+          "target": "com.amazonaws.ec2#EkPubKeyValue",
+          "traits": {
+            "aws.protocols#ec2QueryName": "KeyValue",
+            "smithy.api#documentation": "<p>The public endorsement key material.</p>",
+            "smithy.api#xmlName": "keyValue"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#output": {}
+      }
+    },
     "com.amazonaws.ec2#GetInstanceTypesFromInstanceRequirements": {
       "type": "operation",
       "input": {