AWS Key Management Service (kms)

2025-09-24

24 new conditions | 5 updated actions

Additions

    Conditions
  • kms:RecipientAttestation:NitroTPMPCR0
    • Description:  Filters access by the platform configuration register (PCR) 0 in the attestation document in the request. PCR0 is a contiguous measure of core system firmware executable code
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR1
    • Description:  Filters access by the platform configuration register (PCR) 1 in the attestation document in the request. PCR1 is a contiguous measure of core system firmware data/host platform configuration, typically including serial and model numbers
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR10
    • Description:  Filters access by the platform configuration register (PCR) 10 in the attestation document in the request. PCR10 is a contiguous measure of protection of the IMA measurement log
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR11
    • Description:  Filters access by the platform configuration register (PCR) 11 in the attestation document in the request. PCR11 is a contiguous measure of all components of unified kernel images (UKIs)
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR12
    • Description:  Filters access by the platform configuration register (PCR) 12 in the attestation document in the request. PCR12 is a contiguous measure of the kernel command line, system credentials and system configuration images
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR13
    • Description:  Filters access by the platform configuration register (PCR) 13 in the attestation document in the request. PCR13 is a contiguous measure of all system extension images for the initrd
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR14
    • Description:  Filters access by the platform configuration register (PCR) 14 in the attestation document in the request. PCR14 is a contiguous measure of "MOK" certificates and hashes
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR15
    • Description:  Filters access by the platform configuration register (PCR) 15 in the attestation document in the request. PCR15 is a contiguous measure of the root file system volume encryption key
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR16
    • Description:  Filters access by the platform configuration register (PCR) 16 in the attestation document in the request. PCR16 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR17
    • Description:  Filters access by the platform configuration register (PCR) 17 in the attestation document in the request. PCR17 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR18
    • Description:  Filters access by the platform configuration register (PCR) 18 in the attestation document in the request. PCR18 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR19
    • Description:  Filters access by the platform configuration register (PCR) 19 in the attestation document in the request. PCR19 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR2
    • Description:  Filters access by the platform configuration register (PCR) 2 in the attestation document in the request. PCR2 is a contiguous measure of extended or pluggable executable code, including option ROMs on pluggable hardware
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR20
    • Description:  Filters access by the platform configuration register (PCR) 20 in the attestation document in the request. PCR20 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR21
    • Description:  Filters access by the platform configuration register (PCR) 21 in the attestation document in the request. PCR21 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR22
    • Description:  Filters access by the platform configuration register (PCR) 22 in the attestation document in the request. PCR22 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR23
    • Description:  Filters access by the platform configuration register (PCR) 23 in the attestation document in the request. PCR23 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR3
    • Description:  Filters access by the platform configuration register (PCR) 3 in the attestation document in the request. PCR3 is a contiguous measure of extended or pluggable firmware data, including information about pluggable hardware
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR4
    • Description:  Filters access by the platform configuration register (PCR) 4 in the attestation document in the request. PCR4 is a contiguous measure of boot loader and additional drivers, including binaries and extensions loaded by the boot loader
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR5
    • Description:  Filters access by the platform configuration register (PCR) 5 in the attestation document in the request. PCR5 is a contiguous measure of the GPT/partition table
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR6
    • Description:  Filters access by the platform configuration register (PCR) 6 in the attestation document in the request. PCR6 is a custom PCR that can be defined by the user for specific use cases
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR7
    • Description:  Filters access by the platform configuration register (PCR) 7 in the attestation document in the request. PCR7 is a contiguous measure of SecureBoot state
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR8
    • Description:  Filters access by the platform configuration register (PCR) 8 in the attestation document in the request. PCR8 is a contiguous measure of commands and the kernel command line
    • Type:  String
  • kms:RecipientAttestation:NitroTPMPCR9
    • Description:  Filters access by the platform configuration register (PCR) 9 in the attestation document in the request. PCR9 is a contiguous measure of all files read (including the kernel image)
    • Type:  String

Updates

    Actions
  • Decrypt
      Conditions
    • + kms:RecipientAttestation:NitroTPMPCR0
    • + kms:RecipientAttestation:NitroTPMPCR1
    • + kms:RecipientAttestation:NitroTPMPCR2
    • + kms:RecipientAttestation:NitroTPMPCR3
    • + kms:RecipientAttestation:NitroTPMPCR4
    • + kms:RecipientAttestation:NitroTPMPCR5
    • + kms:RecipientAttestation:NitroTPMPCR6
    • + kms:RecipientAttestation:NitroTPMPCR7
    • + kms:RecipientAttestation:NitroTPMPCR8
    • + kms:RecipientAttestation:NitroTPMPCR9
    • + kms:RecipientAttestation:NitroTPMPCR10
    • + kms:RecipientAttestation:NitroTPMPCR11
    • + kms:RecipientAttestation:NitroTPMPCR12
    • + kms:RecipientAttestation:NitroTPMPCR13
    • + kms:RecipientAttestation:NitroTPMPCR14
    • + kms:RecipientAttestation:NitroTPMPCR15
    • + kms:RecipientAttestation:NitroTPMPCR16
    • + kms:RecipientAttestation:NitroTPMPCR17
    • + kms:RecipientAttestation:NitroTPMPCR18
    • + kms:RecipientAttestation:NitroTPMPCR19
    • + kms:RecipientAttestation:NitroTPMPCR20
    • + kms:RecipientAttestation:NitroTPMPCR21
    • + kms:RecipientAttestation:NitroTPMPCR22
    • + kms:RecipientAttestation:NitroTPMPCR23
  • DeriveSharedSecret
      Conditions
    • + kms:RecipientAttestation:NitroTPMPCR0
    • + kms:RecipientAttestation:NitroTPMPCR1
    • + kms:RecipientAttestation:NitroTPMPCR2
    • + kms:RecipientAttestation:NitroTPMPCR3
    • + kms:RecipientAttestation:NitroTPMPCR4
    • + kms:RecipientAttestation:NitroTPMPCR5
    • + kms:RecipientAttestation:NitroTPMPCR6
    • + kms:RecipientAttestation:NitroTPMPCR7
    • + kms:RecipientAttestation:NitroTPMPCR8
    • + kms:RecipientAttestation:NitroTPMPCR9
    • + kms:RecipientAttestation:NitroTPMPCR10
    • + kms:RecipientAttestation:NitroTPMPCR11
    • + kms:RecipientAttestation:NitroTPMPCR12
    • + kms:RecipientAttestation:NitroTPMPCR13
    • + kms:RecipientAttestation:NitroTPMPCR14
    • + kms:RecipientAttestation:NitroTPMPCR15
    • + kms:RecipientAttestation:NitroTPMPCR16
    • + kms:RecipientAttestation:NitroTPMPCR17
    • + kms:RecipientAttestation:NitroTPMPCR18
    • + kms:RecipientAttestation:NitroTPMPCR19
    • + kms:RecipientAttestation:NitroTPMPCR20
    • + kms:RecipientAttestation:NitroTPMPCR21
    • + kms:RecipientAttestation:NitroTPMPCR22
    • + kms:RecipientAttestation:NitroTPMPCR23
  • GenerateDataKey
      Conditions
    • + kms:RecipientAttestation:NitroTPMPCR0
    • + kms:RecipientAttestation:NitroTPMPCR1
    • + kms:RecipientAttestation:NitroTPMPCR2
    • + kms:RecipientAttestation:NitroTPMPCR3
    • + kms:RecipientAttestation:NitroTPMPCR4
    • + kms:RecipientAttestation:NitroTPMPCR5
    • + kms:RecipientAttestation:NitroTPMPCR6
    • + kms:RecipientAttestation:NitroTPMPCR7
    • + kms:RecipientAttestation:NitroTPMPCR8
    • + kms:RecipientAttestation:NitroTPMPCR9
    • + kms:RecipientAttestation:NitroTPMPCR10
    • + kms:RecipientAttestation:NitroTPMPCR11
    • + kms:RecipientAttestation:NitroTPMPCR12
    • + kms:RecipientAttestation:NitroTPMPCR13
    • + kms:RecipientAttestation:NitroTPMPCR14
    • + kms:RecipientAttestation:NitroTPMPCR15
    • + kms:RecipientAttestation:NitroTPMPCR16
    • + kms:RecipientAttestation:NitroTPMPCR17
    • + kms:RecipientAttestation:NitroTPMPCR18
    • + kms:RecipientAttestation:NitroTPMPCR19
    • + kms:RecipientAttestation:NitroTPMPCR20
    • + kms:RecipientAttestation:NitroTPMPCR21
    • + kms:RecipientAttestation:NitroTPMPCR22
    • + kms:RecipientAttestation:NitroTPMPCR23
  • GenerateDataKeyPair
      Conditions
    • + kms:RecipientAttestation:NitroTPMPCR0
    • + kms:RecipientAttestation:NitroTPMPCR1
    • + kms:RecipientAttestation:NitroTPMPCR2
    • + kms:RecipientAttestation:NitroTPMPCR3
    • + kms:RecipientAttestation:NitroTPMPCR4
    • + kms:RecipientAttestation:NitroTPMPCR5
    • + kms:RecipientAttestation:NitroTPMPCR6
    • + kms:RecipientAttestation:NitroTPMPCR7
    • + kms:RecipientAttestation:NitroTPMPCR8
    • + kms:RecipientAttestation:NitroTPMPCR9
    • + kms:RecipientAttestation:NitroTPMPCR10
    • + kms:RecipientAttestation:NitroTPMPCR11
    • + kms:RecipientAttestation:NitroTPMPCR12
    • + kms:RecipientAttestation:NitroTPMPCR13
    • + kms:RecipientAttestation:NitroTPMPCR14
    • + kms:RecipientAttestation:NitroTPMPCR15
    • + kms:RecipientAttestation:NitroTPMPCR16
    • + kms:RecipientAttestation:NitroTPMPCR17
    • + kms:RecipientAttestation:NitroTPMPCR18
    • + kms:RecipientAttestation:NitroTPMPCR19
    • + kms:RecipientAttestation:NitroTPMPCR20
    • + kms:RecipientAttestation:NitroTPMPCR21
    • + kms:RecipientAttestation:NitroTPMPCR22
    • + kms:RecipientAttestation:NitroTPMPCR23
  • GenerateRandom
      Conditions
    • + kms:RecipientAttestation:NitroTPMPCR0
    • + kms:RecipientAttestation:NitroTPMPCR1
    • + kms:RecipientAttestation:NitroTPMPCR2
    • + kms:RecipientAttestation:NitroTPMPCR3
    • + kms:RecipientAttestation:NitroTPMPCR4
    • + kms:RecipientAttestation:NitroTPMPCR5
    • + kms:RecipientAttestation:NitroTPMPCR6
    • + kms:RecipientAttestation:NitroTPMPCR7
    • + kms:RecipientAttestation:NitroTPMPCR8
    • + kms:RecipientAttestation:NitroTPMPCR9
    • + kms:RecipientAttestation:NitroTPMPCR10
    • + kms:RecipientAttestation:NitroTPMPCR11
    • + kms:RecipientAttestation:NitroTPMPCR12
    • + kms:RecipientAttestation:NitroTPMPCR13
    • + kms:RecipientAttestation:NitroTPMPCR14
    • + kms:RecipientAttestation:NitroTPMPCR15
    • + kms:RecipientAttestation:NitroTPMPCR16
    • + kms:RecipientAttestation:NitroTPMPCR17
    • + kms:RecipientAttestation:NitroTPMPCR18
    • + kms:RecipientAttestation:NitroTPMPCR19
    • + kms:RecipientAttestation:NitroTPMPCR20
    • + kms:RecipientAttestation:NitroTPMPCR21
    • + kms:RecipientAttestation:NitroTPMPCR22
    • + kms:RecipientAttestation:NitroTPMPCR23