AWS Key Management Service (kms)

2025-02-11

31 new conditions | 6 updated actions, 1 updated condition

Additions

    Conditions
  • kms:RecipientAttestation:PCR1
    • Description:  Filters access by the platform configuration register (PCR) 1 in the attestation document. PCR1 is a contiguous measurement of the Linux kernel and bootstrap data
    • Type:  String
  • kms:RecipientAttestation:PCR10
    • Description:  Filters access by the platform configuration register (PCR) 10 in the attestation document in the request. PCR10 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR11
    • Description:  Filters access by the platform configuration register (PCR) 11 in the attestation document in the request. PCR11 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR12
    • Description:  Filters access by the platform configuration register (PCR) 12 in the attestation document in the request. PCR12 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR13
    • Description:  Filters access by the platform configuration register (PCR) 13 in the attestation document in the request. PCR13 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR14
    • Description:  Filters access by the platform configuration register (PCR) 14 in the attestation document in the request. PCR14 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR15
    • Description:  Filters access by the platform configuration register (PCR) 15 in the attestation document in the request. PCR15 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR16
    • Description:  Filters access by the platform configuration register (PCR) 16 in the attestation document in the request. PCR16 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR17
    • Description:  Filters access by the platform configuration register (PCR) 17 in the attestation document in the request. PCR17 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR18
    • Description:  Filters access by the platform configuration register (PCR) 18 in the attestation document in the request. PCR18 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR19
    • Description:  Filters access by the platform configuration register (PCR) 19 in the attestation document in the request. PCR19 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR2
    • Description:  Filters access by the platform configuration register (PCR) 2 in the attestation document. PCR2 is a contiguous, in-order measurement of the user applications, without the boot ramfs
    • Type:  String
  • kms:RecipientAttestation:PCR20
    • Description:  Filters access by the platform configuration register (PCR) 20 in the attestation document in the request. PCR20 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR21
    • Description:  Filters access by the platform configuration register (PCR) 21 in the attestation document in the request. PCR21 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR22
    • Description:  Filters access by the platform configuration register (PCR) 22 in the attestation document in the request. PCR22 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR23
    • Description:  Filters access by the platform configuration register (PCR) 23 in the attestation document in the request. PCR23 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR24
    • Description:  Filters access by the platform configuration register (PCR) 24 in the attestation document in the request. PCR24 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR25
    • Description:  Filters access by the platform configuration register (PCR) 25 in the attestation document in the request. PCR25 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR26
    • Description:  Filters access by the platform configuration register (PCR) 26 in the attestation document in the request. PCR26 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR27
    • Description:  Filters access by the platform configuration register (PCR) 27 in the attestation document in the request. PCR27 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR28
    • Description:  Filters access by the platform configuration register (PCR) 28 in the attestation document in the request. PCR28 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR29
    • Description:  Filters access by the platform configuration register (PCR) 29 in the attestation document in the request. PCR29 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR3
    • Description:  Filters access by the platform configuration register (PCR) 3 in the attestation document. PCR3 is a contiguous measurement of the IAM role assigned to the parent instance
    • Type:  String
  • kms:RecipientAttestation:PCR30
    • Description:  Filters access by the platform configuration register (PCR) 30 in the attestation document in the request. PCR30 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR31
    • Description:  Filters access by the platform configuration register (PCR) 31 in the attestation document in the request. PCR31 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR4
    • Description:  Filters access by the platform configuration register (PCR) 4 in the attestation document. PCR4 is a contiguous measurement of the ID of the parent instance
    • Type:  String
  • kms:RecipientAttestation:PCR5
    • Description:  Filters access by the platform configuration register (PCR) 5 in the attestation document in the request. PCR5 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR6
    • Description:  Filters access by the platform configuration register (PCR) 6 in the attestation document in the request. PCR6 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR7
    • Description:  Filters access by the platform configuration register (PCR) 7 in the attestation document in the request. PCR7 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:PCR8
    • Description:  Filters access by the platform configuration register (PCR) 8 in the attestation document. PCR8 is a measure of the signing certificate specified for the enclave image file
    • Type:  String
  • kms:RecipientAttestation:PCR9
    • Description:  Filters access by the platform configuration register (PCR) 9 in the attestation document in the request. PCR9 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String

Updates

    Actions
  • Decrypt
      Conditions
    • + kms:RecipientAttestation:PCR0
    • + kms:RecipientAttestation:PCR1
    • + kms:RecipientAttestation:PCR2
    • + kms:RecipientAttestation:PCR3
    • + kms:RecipientAttestation:PCR4
    • + kms:RecipientAttestation:PCR5
    • + kms:RecipientAttestation:PCR6
    • + kms:RecipientAttestation:PCR7
    • + kms:RecipientAttestation:PCR8
    • + kms:RecipientAttestation:PCR9
    • + kms:RecipientAttestation:PCR10
    • + kms:RecipientAttestation:PCR11
    • + kms:RecipientAttestation:PCR12
    • + kms:RecipientAttestation:PCR13
    • + kms:RecipientAttestation:PCR14
    • + kms:RecipientAttestation:PCR15
    • + kms:RecipientAttestation:PCR16
    • + kms:RecipientAttestation:PCR17
    • + kms:RecipientAttestation:PCR18
    • + kms:RecipientAttestation:PCR19
    • + kms:RecipientAttestation:PCR20
    • + kms:RecipientAttestation:PCR21
    • + kms:RecipientAttestation:PCR22
    • + kms:RecipientAttestation:PCR23
    • + kms:RecipientAttestation:PCR24
    • + kms:RecipientAttestation:PCR25
    • + kms:RecipientAttestation:PCR26
    • + kms:RecipientAttestation:PCR27
    • + kms:RecipientAttestation:PCR28
    • + kms:RecipientAttestation:PCR29
    • + kms:RecipientAttestation:PCR30
    • + kms:RecipientAttestation:PCR31
  • DeriveSharedSecret
      Conditions
    • + kms:RecipientAttestation:PCR0
    • + kms:RecipientAttestation:PCR1
    • + kms:RecipientAttestation:PCR2
    • + kms:RecipientAttestation:PCR3
    • + kms:RecipientAttestation:PCR4
    • + kms:RecipientAttestation:PCR5
    • + kms:RecipientAttestation:PCR6
    • + kms:RecipientAttestation:PCR7
    • + kms:RecipientAttestation:PCR8
    • + kms:RecipientAttestation:PCR9
    • + kms:RecipientAttestation:PCR10
    • + kms:RecipientAttestation:PCR11
    • + kms:RecipientAttestation:PCR12
    • + kms:RecipientAttestation:PCR13
    • + kms:RecipientAttestation:PCR14
    • + kms:RecipientAttestation:PCR15
    • + kms:RecipientAttestation:PCR16
    • + kms:RecipientAttestation:PCR17
    • + kms:RecipientAttestation:PCR18
    • + kms:RecipientAttestation:PCR19
    • + kms:RecipientAttestation:PCR20
    • + kms:RecipientAttestation:PCR21
    • + kms:RecipientAttestation:PCR22
    • + kms:RecipientAttestation:PCR23
    • + kms:RecipientAttestation:PCR24
    • + kms:RecipientAttestation:PCR25
    • + kms:RecipientAttestation:PCR26
    • + kms:RecipientAttestation:PCR27
    • + kms:RecipientAttestation:PCR28
    • + kms:RecipientAttestation:PCR29
    • + kms:RecipientAttestation:PCR30
    • + kms:RecipientAttestation:PCR31
  • GenerateDataKey
      Conditions
    • + kms:RecipientAttestation:PCR0
    • + kms:RecipientAttestation:PCR1
    • + kms:RecipientAttestation:PCR2
    • + kms:RecipientAttestation:PCR3
    • + kms:RecipientAttestation:PCR4
    • + kms:RecipientAttestation:PCR5
    • + kms:RecipientAttestation:PCR6
    • + kms:RecipientAttestation:PCR7
    • + kms:RecipientAttestation:PCR8
    • + kms:RecipientAttestation:PCR9
    • + kms:RecipientAttestation:PCR10
    • + kms:RecipientAttestation:PCR11
    • + kms:RecipientAttestation:PCR12
    • + kms:RecipientAttestation:PCR13
    • + kms:RecipientAttestation:PCR14
    • + kms:RecipientAttestation:PCR15
    • + kms:RecipientAttestation:PCR16
    • + kms:RecipientAttestation:PCR17
    • + kms:RecipientAttestation:PCR18
    • + kms:RecipientAttestation:PCR19
    • + kms:RecipientAttestation:PCR20
    • + kms:RecipientAttestation:PCR21
    • + kms:RecipientAttestation:PCR22
    • + kms:RecipientAttestation:PCR23
    • + kms:RecipientAttestation:PCR24
    • + kms:RecipientAttestation:PCR25
    • + kms:RecipientAttestation:PCR26
    • + kms:RecipientAttestation:PCR27
    • + kms:RecipientAttestation:PCR28
    • + kms:RecipientAttestation:PCR29
    • + kms:RecipientAttestation:PCR30
    • + kms:RecipientAttestation:PCR31
  • GenerateDataKeyPair
      Conditions
    • + kms:RecipientAttestation:ImageSha384
    • + kms:RecipientAttestation:PCR0
    • + kms:RecipientAttestation:PCR1
    • + kms:RecipientAttestation:PCR2
    • + kms:RecipientAttestation:PCR3
    • + kms:RecipientAttestation:PCR4
    • + kms:RecipientAttestation:PCR5
    • + kms:RecipientAttestation:PCR6
    • + kms:RecipientAttestation:PCR7
    • + kms:RecipientAttestation:PCR8
    • + kms:RecipientAttestation:PCR9
    • + kms:RecipientAttestation:PCR10
    • + kms:RecipientAttestation:PCR11
    • + kms:RecipientAttestation:PCR12
    • + kms:RecipientAttestation:PCR13
    • + kms:RecipientAttestation:PCR14
    • + kms:RecipientAttestation:PCR15
    • + kms:RecipientAttestation:PCR16
    • + kms:RecipientAttestation:PCR17
    • + kms:RecipientAttestation:PCR18
    • + kms:RecipientAttestation:PCR19
    • + kms:RecipientAttestation:PCR20
    • + kms:RecipientAttestation:PCR21
    • + kms:RecipientAttestation:PCR22
    • + kms:RecipientAttestation:PCR23
    • + kms:RecipientAttestation:PCR24
    • + kms:RecipientAttestation:PCR25
    • + kms:RecipientAttestation:PCR26
    • + kms:RecipientAttestation:PCR27
    • + kms:RecipientAttestation:PCR28
    • + kms:RecipientAttestation:PCR29
    • + kms:RecipientAttestation:PCR30
    • + kms:RecipientAttestation:PCR31
  • GenerateRandom
      Conditions
    • + kms:RecipientAttestation:PCR0
    • + kms:RecipientAttestation:PCR1
    • + kms:RecipientAttestation:PCR2
    • + kms:RecipientAttestation:PCR3
    • + kms:RecipientAttestation:PCR4
    • + kms:RecipientAttestation:PCR5
    • + kms:RecipientAttestation:PCR6
    • + kms:RecipientAttestation:PCR7
    • + kms:RecipientAttestation:PCR8
    • + kms:RecipientAttestation:PCR9
    • + kms:RecipientAttestation:PCR10
    • + kms:RecipientAttestation:PCR11
    • + kms:RecipientAttestation:PCR12
    • + kms:RecipientAttestation:PCR13
    • + kms:RecipientAttestation:PCR14
    • + kms:RecipientAttestation:PCR15
    • + kms:RecipientAttestation:PCR16
    • + kms:RecipientAttestation:PCR17
    • + kms:RecipientAttestation:PCR18
    • + kms:RecipientAttestation:PCR19
    • + kms:RecipientAttestation:PCR20
    • + kms:RecipientAttestation:PCR21
    • + kms:RecipientAttestation:PCR22
    • + kms:RecipientAttestation:PCR23
    • + kms:RecipientAttestation:PCR24
    • + kms:RecipientAttestation:PCR25
    • + kms:RecipientAttestation:PCR26
    • + kms:RecipientAttestation:PCR27
    • + kms:RecipientAttestation:PCR28
    • + kms:RecipientAttestation:PCR29
    • + kms:RecipientAttestation:PCR30
    • + kms:RecipientAttestation:PCR31
  • RetireGrant
      Conditions
    • + kms:CallerAccount
    • + kms:EncryptionContext:${EncryptionContextKey}
    • + kms:EncryptionContextKeys
    • + kms:GrantConstraintType
    • + kms:ViaService
    Conditions
  • kms:RecipientAttestation:PCR0
      Description
    • Old: Filters access to the Decrypt, GenerateDataKey, and GenerateRandom operations based on the platform configuration registers (PCRs) in the attestation document in the request
    • New: Filters access by the platform configuration register (PCR) 0 in the attestation document. PCR0 is a contiguous measure of the contents of the enclave image file, without the section data