Actions, resources, and condition keys for AWS Payment Cryptography
AWS Payment Cryptography (service prefix: payment-cryptography) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
API operations defined by AWS Payment Cryptography
The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.
| Operation | SDK client | IAM action | Condition key | Possible value(s) | Access level |
|---|---|---|---|---|---|
|
AddKeyReplicationRegions |
payment-cryptography |
Write |
|||
|
AssociateMpaTeam |
payment-cryptography |
Write |
|||
|
CreateAlias |
payment-cryptography |
Write |
|||
|
CreateKey |
payment-cryptography |
Write |
|||
Tagging, Write |
|||||
|
DeleteAlias |
payment-cryptography |
Write |
|||
|
DeleteKey |
payment-cryptography |
Write |
|||
|
DeleteResourcePolicy |
payment-cryptography |
Permissions management, Write |
|||
|
DisableDefaultKeyReplicationRegions |
payment-cryptography |
Write |
|||
|
EnableDefaultKeyReplicationRegions |
payment-cryptography |
Write |
|||
|
ExportKey |
payment-cryptography |
Write |
|||
|
GetAlias |
payment-cryptography |
Read |
|||
|
GetCertificateSigningRequest |
payment-cryptography |
Read |
|||
|
GetDefaultKeyReplicationRegions |
payment-cryptography |
Read |
|||
|
GetKey |
payment-cryptography |
Read |
|||
|
GetMpaTeamAssociation |
payment-cryptography |
Read |
|||
|
GetParametersForExport |
payment-cryptography |
Read |
|||
|
GetParametersForImport |
payment-cryptography |
Read |
|||
|
GetPublicKeyCertificate |
payment-cryptography |
Read |
|||
|
GetResourcePolicy |
payment-cryptography |
Read |
|||
|
ImportKey |
payment-cryptography |
Write |
|||
Tagging, Write |
|||||
|
ListAliases |
payment-cryptography |
List |
|||
|
ListKeys |
payment-cryptography |
List |
|||
|
ListTagsForResource |
payment-cryptography |
Read |
|||
|
PutResourcePolicy |
payment-cryptography |
Permissions management, Write |
|||
|
RemoveKeyReplicationRegions |
payment-cryptography |
Write |
|||
|
RestoreKey |
payment-cryptography |
Write |
|||
|
StartKeyUsage |
payment-cryptography |
Write |
|||
|
StopKeyUsage |
payment-cryptography |
Write |
|||
|
TagResource |
payment-cryptography |
Tagging, Write |
|||
|
UntagResource |
payment-cryptography |
Tagging, Write |
|||
|
UpdateAlias |
payment-cryptography |
Write |
Actions defined by AWS Payment Cryptography
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in AWS. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to add replication regions to an existing AWS Payment Cryptography key |
Write |
|||
Grants permission to associate an MPA approval team with a payment cryptography action |
Write |
|||
Grants permission to create a user-friendly name for a Key |
Write |
|||
Grants permission to create a unique customer managed key in the caller's AWS account and region |
Write |
|||
Grants permission to decrypt ciphertext data to plaintext using symmetric, asymmetric or DUKPT data encryption key |
Write |
|||
Grants permission to delete the specified alias |
Write |
|||
Grants permission to schedule the deletion of a Key |
Write |
|||
Grants permission to delete the resource-based policy attached to a key |
Permissions management, Write |
|||
Grants permission to disable default key replication regions for account-level replication |
Write |
|||
Grants permission to disassociate an MPA approval team from a payment cryptography action |
Write |
|||
Grants permission to enable default key replication regions for account-level replication |
Write |
|||
Grants permission to encrypt plaintext data to ciphertext using symmetric, asymmetric or DUKPT data encryption key |
Write |
|||
Grants permission to export a key from the service |
payment-cryptography:CertificateAuthorityPublicKeyIdentifier payment-cryptography:RequestAlias |
Write |
||
Grants permission to generate a KekValidationRequest or a KekValidationResponse for node-to-node initialization between payment processing nodes using Australian Standard 2805 (AS2805) |
Write |
|||
Grants permission to generate card-related data using algorithms such as Card Verification Values (CVV/CVV2), Dynamic Card Verification Values (dCVV/dCVV2) or Card Security Codes (CSC) that check the validity of a magnetic stripe card |
Write |
|||
Grants permission to generate a MAC (Message Authentication Code) cryptogram |
Write |
|||
Grants permission to generate a MAC (Message Authentication Code) cryptogram |
Write |
|||
Grants permission to generate pin-related data such as PIN, PIN Verification Value (PVV), PIN Block and PIN Offset during new card issuance or card re-issuance |
Write |
|||
Grants permission to return the keyArn associated with an aliasName |
Read |
|||
Grants permission to return the Certificate Signing Request for a public key from a key of class PUBLIC_KEY |
Read |
|||
Grants permission to retrieve the default key replication regions configured at the account level |
Read |
|||
Grants permission to return the detailed information about the specified key |
Read |
|||
Grants permission to retrieve information about an MPA approval team association for a payment cryptography action |
Read |
|||
Grants permission to get the export token and the signing key certificate to initiate a TR-34 key export |
Read |
|||
Grants permission to get the import token and the wrapping key certificate to initiate a TR-34 key import |
Read |
|||
Grants permission to return the public key from a key of class PUBLIC_KEY |
Read |
|||
Grants permission to retrieve the resource-based policy attached to a key |
Read |
|||
Grants permission to imports keys and public key certificates |
payment-cryptography:CertificateAuthorityPublicKeyIdentifier |
Write |
||
Grants permission to return a list of aliases created for all keys in the caller's AWS account and Region |
List |
|||
Grants permission to return a list of keys created in the caller's AWS account and Region |
List |
|||
Grants permission to return a list of tags created in the caller's AWS account and Region |
Read |
|||
Grants permission to attach or replace a resource-based policy on a key |
Permissions management, Write |
|||
Grants permission to re-encrypt ciphertext using DUKPT, Symmetric and Asymmetric Data Encryption Keys |
Write |
|||
Grants permission to remove replication regions from an existing AWS Payment Cryptography key |
Write |
|||
Grants permission to cancel a scheduled key deletion if at any point during the waiting period a Key needs to be revived |
Write |
|||
Grants permission to enable a disabled Key |
Write |
|||
Grants permission to disable an enabled Key |
Write |
|||
Grants permission to add or overwrites one or more tags for the specified resource |
Tagging, Write |
|||
Grants permission to translate wrapping key type for a wrapped key |
Write |
|||
Grants permission to translate encrypted PIN block from and to ISO 9564 formats 0,1,3,4 |
Write |
|||
Grants permission to remove the specified tag or tags from the specified resource |
Tagging, Write |
|||
Grants permission to change the key to which an alias is assigned, or unassign it from its current key |
Write |
|||
Grants permission to verify Authorization Request Cryptogram (ARQC) for a EMV chip payment card authorization |
Write |
|||
Grants permission to verify card-related validation data using algorithms such as Card Verification Values (CVV/CVV2), Dynamic Card Verification Values (dCVV/dCVV2) and Card Security Codes (CSC) |
Write |
|||
Grants permission to verify MAC (Message Authentication Code) of input data against a provided MAC |
Write |
|||
Grants permission to verify pin-related data such as PIN and PIN Offset using algorithms including VISA PVV and IBM3624 |
Write |
|||
Resource types defined by AWS Payment Cryptography
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:payment-cryptography:${Region}:${Account}:alias/${Alias} |
||
arn:${Partition}:mpa:${Region}:${Account}:approval-team/${ApprovalTeamId} |
||
arn:${Partition}:payment-cryptography:${Region}:${Account}:key/${KeyId} |
Condition keys for AWS Payment Cryptography
AWS Payment Cryptography defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters access by both the key and value of the tag in the request for the specified operation |
String |
|
Filters access by tags assigned to a key for the specified operation |
String |
|
Filters access by the tag keys in the request for the specified operation |
ArrayOfString |
|
payment-cryptography:CertificateAuthorityPublicKeyIdentifier |
Filters access by the CertificateAuthorityPublicKeyIdentifier specified in the request or the ImportKey, and ExportKey operations |
String |
Filters access by the type of key material being imported [RootCertificatePublicKey, TrustedCertificatePublicKey, Tr34KeyBlock, Tr31KeyBlock, DiffieHellmanTr31KeyBlock, As2805KeyCryptogram, KeyCryptogram] for the ImportKey operation |
String |
|
Filters access by KeyAlgorithm specified in the request for the CreateKey operation |
String |
|
Filters access by KeyClass specified in the request for the CreateKey operation |
String |
|
Filters access by KeyClass specified in the request or associated with a key for the CreateKey operation |
String |
|
Filters access by aliases in the request for the specified operation |
String |
|
Filters access by aliases associated with a key for the specified operation |
ArrayOfString |
|
Filters access by the WrappingKeyIdentifier specified in the request for the ImportKey, and ExportKey operations |
String |