AWS Payment Cryptography (payment-cryptography)

2023-06-20

31 new actions, 2 new resources, 11 new conditions

Additions

    Actions
  • CreateAlias
    • Description:  Grants permission to create a user-friendly name for a Key
    • Access:  Write
    • Resources:
      • alias (Required: Yes)
      • key (Required: Yes)
  • CreateKey
    • Description:  Grants permission to create a unique customer managed key in the caller's AWS account and region
    • Access:  Write
    • Conditions:
      • aws:RequestTag/${TagKey}
      • aws:TagKeys
    • Dependents:
      • payment-cryptography:TagResource
  • DecryptData
    • Description:  Grants permission to decrypt ciphertext data to plaintext using a symmetric, asymmetric or DUKPT data encryption key
    • Access:  Write
  • DeleteAlias
    • Description:  Grants permission to delete the specified alias
    • Access:  Write
    • Resources:
      • alias (Required: Yes)
    • Conditions:
      • aws:RequestTag/${TagKey}
      • aws:TagKeys
  • DeleteKey
    • Description:  Grants permission to schedule the deletion of a Key
    • Access:  Write
    • Resources:
      • key (Required: Yes)
  • EncryptData
    • Description:  Grants permission to encrypt plaintext data to ciphertext using a symmetric, asymmetric or DUKPT data encryption key
    • Access:  Write
  • ExportKey
    • Description:  Grants permission to export a key from the service
    • Access:  Write
    • Resources:
      • key (Required: Yes)
  • GenerateCardValidationData
    • Description:  Grants permission to generate card-related data using algorithms such as Card Verification Values (CVV/CVV2), Dynamic Card Verification Values (dCVV/dCVV2) or Card Security Codes (CSC) that check the validity of a magnetic stripe card
    • Access:  Write
  • GenerateMac
    • Description:  Grants permission to generate a MAC (Message Authentication Code) cryptogram
    • Access:  Write
  • GeneratePinData
    • Description:  Grants permission to generate PIN-related data such as PIN, PIN Verification Value (PVV), PIN Block and PIN Offset during new card issuance or card re-issuance
    • Access:  Write
  • GetAlias
    • Description:  Grants permission to return the keyArn associated with an aliasName
    • Access:  Read
    • Resources:
      • alias (Required: Yes)
      • key (Required: Yes)
    • Conditions:
      • aws:RequestTag/${TagKey}
      • aws:TagKeys
  • GetKey
    • Description:  Grants permission to return the detailed information about the specified key
    • Access:  Read
    • Resources:
      • key (Required: Yes)
  • GetParametersForExport
    • Description:  Grants permission to get the export token and the signing key certificate to initiate a TR-34 key export
    • Access:  Read
  • GetParametersForImport
    • Description:  Grants permission to get the import token and the wrapping key certificate to initiate a TR-34 key import
    • Access:  Read
  • GetPublicKeyCertificate
    • Description:  Grants permission to return the public key from a key of class PUBLIC_KEY
    • Access:  Read
    • Resources:
      • key (Required: Yes)
  • ImportKey
    • Description:  Grants permission to import keys and public key certificates
    • Access:  Write
    • Conditions:
      • aws:RequestTag/${TagKey}
      • aws:TagKeys
    • Dependents:
      • payment-cryptography:TagResource
  • ListAliases
    • Description:  Grants permission to return a list of aliases created for all keys in the caller's AWS account and Region
    • Access:  List
    • Resources:
      • alias (Required: Yes)
      • key (Required: Yes)
  • ListKeys
    • Description:  Grants permission to return a list of keys created in the caller's AWS account and Region
    • Access:  List
    • Resources:
      • key (Required: Yes)
  • ListTagsForResource
    • Description:  Grants permission to return a list of tags created in the caller's AWS account and Region
    • Access:  Read
    • Resources:
      • key (Required: No)
  • ReEncryptData
    • Description:  Grants permission to re-encrypt ciphertext using DUKPT, Symmetric and Asymmetric Data Encryption Keys
    • Access:  Write
  • RestoreKey
    • Description:  Grants permission to cancel a scheduled key deletion if at any point during the waiting period a Key needs to be revived
    • Access:  Write
    • Resources:
      • key (Required: Yes)
  • StartKeyUsage
    • Description:  Grants permission to enable a disabled Key
    • Access:  Write
    • Resources:
      • key (Required: Yes)
  • StopKeyUsage
    • Description:  Grants permission to disable an enabled Key
    • Access:  Write
    • Resources:
      • key (Required: Yes)
  • TagResource
    • Description:  Grants permission to add or overwrite one or more tags for the specified resource
    • Access:  Tagging
    • Resources:
      • key (Required: Yes)
    • Conditions:
      • aws:TagKeys
      • aws:RequestTag/${TagKey}
  • TranslatePinData
    • Description:  Grants permission to translate encrypted PIN block from and to ISO 9564 formats 0,1,3,4
    • Access:  Write
  • UntagResource
    • Description:  Grants permission to remove the specified tag or tags from the specified resource
    • Access:  Tagging
    • Resources:
      • key (Required: Yes)
    • Conditions:
      • aws:TagKeys
      • aws:RequestTag/${TagKey}
  • UpdateAlias
    • Description:  Grants permission to change the key to which an alias is assigned, or unassign it from its current key
    • Access:  Write
    • Resources:
      • alias (Required: Yes)
      • key (Required: Yes)
    • Conditions:
      • aws:RequestTag/${TagKey}
      • aws:TagKeys
  • VerifyAuthRequestCryptogram
    • Description:  Grants permission to verify an Authorization Request Cryptogram (ARQC) for an EMV chip payment card authorization
    • Access:  Write
  • VerifyCardValidationData
    • Description:  Grants permission to verify card-related validation data using algorithms such as Card Verification Values (CVV/CVV2), Dynamic Card Verification Values (dCVV/dCVV2) and Card Security Codes (CSC)
    • Access:  Write
  • VerifyMac
    • Description:  Grants permission to verify MAC (Message Authentication Code) of input data against a provided MAC
    • Access:  Write
  • VerifyPinData
    • Description:  Grants permission to verify PIN-related data such as PIN and PIN Offset using algorithms including VISA PVV and IBM3624
    • Access:  Write
    Resources
  • key
    • Arn:  arn:${Partition}:payment-cryptography:${Region}:${Account}:key/${KeyId}
    • Conditions:
      • aws:ResourceTag/${TagKey}
      • payment-cryptography:ResourceAliases
  • alias
    • Arn:  arn:${Partition}:payment-cryptography:${Region}:${Account}:alias/${Alias}
    • Conditions:
      • payment-cryptography:ResourceAliases