本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 的操作、资源和条件键 AWS 密钥管理服务
AWS 密钥管理服务(服务前缀:`kms`)提供以下特定于服务的资源、操作和条件上下文密钥,供在 IAM 权限策略中使用。
参考:
+ 了解如何[配置该服务](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html)。
+ 查看[适用于该服务的 API 操作列表](https://docs.aws.amazon.com/kms/latest/APIReference/)。
+ 了解如何[使用 IAM](https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html) 权限策略保护该服务及其资源。
**Topics**
+ [操作定义为 AWS 密钥管理服务](#awskeymanagementservice-actions-as-permissions)
+ [定义的资源类型 AWS 密钥管理服务](#awskeymanagementservice-resources-for-iam-policies)
+ [的条件密钥 AWS 密钥管理服务](#awskeymanagementservice-policy-keys)
## 操作定义为 AWS 密钥管理服务
您可以在 IAM 策略语句的 `Action` 元素中指定以下操作。可以使用策略授予在 AWS中执行操作的权限。您在策略中使用一项操作时,通常使用相同的名称允许或拒绝对 API 操作或 CLI 命令的访问。但在某些情况下,单一动作可控制对多项操作的访问。还有某些操作需要多种不同的动作。
操作表的**访问级别**列描述如何对操作进行分类(列出、读取、权限管理或标记)。此分类可以帮助您了解当您在策略中使用操作时,相应操作授予的访问级别。有关访问级别的更多信息,请参阅[策略摘要中的访问级别](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html)。
操作表的**资源类型**列指示每项操作是否支持资源级权限。如果该列没有任何值,您必须在策略语句的 `Resource` 元素中指定策略应用的所有资源(“\*”)。通过在 IAM policy 中使用条件来筛选访问权限,以控制是否可以在资源或请求中使用特定标签键。如果操作具有一个或多个必需资源,则调用方必须具有使用这些资源来使用该操作的权限。必需资源在表中以星号 (\*) 表示。如果您在 IAM policy 中使用 `Resource` 元素限制资源访问权限,则必须为每种必需的资源类型添加 ARN 或模式。某些操作支持多种资源类型。如果资源类型是可选的(未指示为必需),则可以选择使用一种可选资源类型。
操作表的**条件键**列包括可以在策略语句的 `Condition` 元素中指定的键。有关与服务资源关联的条件键的更多信息,请参阅资源类型表的**条件键**列。
操作表的**依赖操作**列显示成功调用操作可能需要的其他权限。除了操作本身的权限以外,可能还需要这些权限。若某个操作指定依赖操作,则这些依赖关系可能适用于为该操作定义的其他资源,而不仅仅是表中列出的第一个资源。
**注意**
资源条件键在[资源类型](#awskeymanagementservice-resources-for-iam-policies)表中列出。您可以在操作表的**资源类型(\* 为必需)**列中找到应用于某项操作的资源类型的链接。资源类型表中的资源类型包括**条件密钥**列,这是应用于操作表中操作的资源条件键。
有关下表中各列的详细信息,请参阅[操作表](reference_policies_actions-resources-contextkeys.html#actions_table)。
****
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) **
- **描述:** 控制取消计划删除 AWS KMS 密钥的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_ConnectCustomKeyStore.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_ConnectCustomKeyStore.html) **
- **描述:** 控制将自定义密钥存储库连接到或重新连接到其关联的 Cloud AWS HSM 集群或外部密钥管理器的权限 AWS
- **访问级别:** 写入
- **资源类型(\* 为必需):**
- **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
- **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateAlias.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateAlias.html) **
- **描述:** 控制为 AWS KMS 密钥创建别名的权限。别名是可选的友好名称,您可以将其与 KMS 密钥相关联
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-alias](#awskeymanagementservice-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html) **
- **描述:** 控制创建由 AWS CloudHSM 集群或外部密钥管理器支持的自定义密钥存储库的权限 AWS
- **访问级别:** 写入
- **资源类型(\* 为必需):**
- **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
- **相关操作:** cloudhsm:DescribeClusters
ec2:DescribeVpcEndpointServices
iam:CreateServiceLinkedRole
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) **
- **描述:** 控制向 AWS KMS 密钥添加授权的权限。您可以使用授权添加权限,而不更改密钥策略或 IAM policy
- **访问级别:** 权限管理
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_](#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_)
[#awskeymanagementservice-kms_EncryptionContextKeys](#awskeymanagementservice-kms_EncryptionContextKeys)
[#awskeymanagementservice-kms_GrantConstraintSourceArn](#awskeymanagementservice-kms_GrantConstraintSourceArn)
[#awskeymanagementservice-kms_GrantConstraintType](#awskeymanagementservice-kms_GrantConstraintType)
[#awskeymanagementservice-kms_GranteePrincipal](#awskeymanagementservice-kms_GranteePrincipal)
[#awskeymanagementservice-kms_GranteeServicePrincipal](#awskeymanagementservice-kms_GranteeServicePrincipal)
[#awskeymanagementservice-kms_GrantIsForAWSResource](#awskeymanagementservice-kms_GrantIsForAWSResource)
[#awskeymanagementservice-kms_GrantOperations](#awskeymanagementservice-kms_GrantOperations)
[#awskeymanagementservice-kms_RetiringPrincipal](#awskeymanagementservice-kms_RetiringPrincipal)
[#awskeymanagementservice-kms_RetiringServicePrincipal](#awskeymanagementservice-kms_RetiringServicePrincipal)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) **
- **描述:** 控制创建可用于保护数据密 AWS 钥和其他敏感信息的 KMS 密钥的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):**
- **条件键:** [#awskeymanagementservice-aws_ResourceTag___TagKey_](#awskeymanagementservice-aws_ResourceTag___TagKey_)
[#awskeymanagementservice-aws_RequestTag___TagKey_](#awskeymanagementservice-aws_RequestTag___TagKey_)
[#awskeymanagementservice-aws_TagKeys](#awskeymanagementservice-aws_TagKeys)
[#awskeymanagementservice-kms_BypassPolicyLockoutSafetyCheck](#awskeymanagementservice-kms_BypassPolicyLockoutSafetyCheck)
[#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_KeySpec](#awskeymanagementservice-kms_KeySpec)
[#awskeymanagementservice-kms_KeyUsage](#awskeymanagementservice-kms_KeyUsage)
[#awskeymanagementservice-kms_KeyOrigin](#awskeymanagementservice-kms_KeyOrigin)
[#awskeymanagementservice-kms_MultiRegion](#awskeymanagementservice-kms_MultiRegion)
[#awskeymanagementservice-kms_MultiRegionKeyType](#awskeymanagementservice-kms_MultiRegionKeyType)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService)
- **相关操作:** iam:CreateServiceLinkedRole
kms:PutKeyPolicy
kms:TagResource
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) **
- **描述:** 控制解密使用 KMS 密钥加密的密文的权限 AWS
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_EncryptionAlgorithm](#awskeymanagementservice-kms_EncryptionAlgorithm)
[#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_](#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_)
[#awskeymanagementservice-kms_EncryptionContextKeys](#awskeymanagementservice-kms_EncryptionContextKeys)
[#awskeymanagementservice-kms_RecipientAttestation_ImageSha384](#awskeymanagementservice-kms_RecipientAttestation_ImageSha384)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR0](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR0)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR1](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR1)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR2](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR2)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR3](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR3)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR4](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR4)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR5](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR5)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR6](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR6)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR7](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR7)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR8](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR8)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR9](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR9)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR10](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR10)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR11](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR11)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR12](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR12)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR13](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR13)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR14](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR14)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR15](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR15)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR16](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR16)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR17](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR17)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR18](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR18)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR19](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR19)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR20](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR20)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR21](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR21)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR22](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR22)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR23](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR23)
[#awskeymanagementservice-kms_RecipientAttestation_PCR0](#awskeymanagementservice-kms_RecipientAttestation_PCR0)
[#awskeymanagementservice-kms_RecipientAttestation_PCR1](#awskeymanagementservice-kms_RecipientAttestation_PCR1)
[#awskeymanagementservice-kms_RecipientAttestation_PCR2](#awskeymanagementservice-kms_RecipientAttestation_PCR2)
[#awskeymanagementservice-kms_RecipientAttestation_PCR3](#awskeymanagementservice-kms_RecipientAttestation_PCR3)
[#awskeymanagementservice-kms_RecipientAttestation_PCR4](#awskeymanagementservice-kms_RecipientAttestation_PCR4)
[#awskeymanagementservice-kms_RecipientAttestation_PCR5](#awskeymanagementservice-kms_RecipientAttestation_PCR5)
[#awskeymanagementservice-kms_RecipientAttestation_PCR6](#awskeymanagementservice-kms_RecipientAttestation_PCR6)
[#awskeymanagementservice-kms_RecipientAttestation_PCR7](#awskeymanagementservice-kms_RecipientAttestation_PCR7)
[#awskeymanagementservice-kms_RecipientAttestation_PCR8](#awskeymanagementservice-kms_RecipientAttestation_PCR8)
[#awskeymanagementservice-kms_RecipientAttestation_PCR9](#awskeymanagementservice-kms_RecipientAttestation_PCR9)
[#awskeymanagementservice-kms_RecipientAttestation_PCR10](#awskeymanagementservice-kms_RecipientAttestation_PCR10)
[#awskeymanagementservice-kms_RecipientAttestation_PCR11](#awskeymanagementservice-kms_RecipientAttestation_PCR11)
[#awskeymanagementservice-kms_RecipientAttestation_PCR12](#awskeymanagementservice-kms_RecipientAttestation_PCR12)
[#awskeymanagementservice-kms_RecipientAttestation_PCR13](#awskeymanagementservice-kms_RecipientAttestation_PCR13)
[#awskeymanagementservice-kms_RecipientAttestation_PCR14](#awskeymanagementservice-kms_RecipientAttestation_PCR14)
[#awskeymanagementservice-kms_RecipientAttestation_PCR15](#awskeymanagementservice-kms_RecipientAttestation_PCR15)
[#awskeymanagementservice-kms_RecipientAttestation_PCR16](#awskeymanagementservice-kms_RecipientAttestation_PCR16)
[#awskeymanagementservice-kms_RecipientAttestation_PCR17](#awskeymanagementservice-kms_RecipientAttestation_PCR17)
[#awskeymanagementservice-kms_RecipientAttestation_PCR18](#awskeymanagementservice-kms_RecipientAttestation_PCR18)
[#awskeymanagementservice-kms_RecipientAttestation_PCR19](#awskeymanagementservice-kms_RecipientAttestation_PCR19)
[#awskeymanagementservice-kms_RecipientAttestation_PCR20](#awskeymanagementservice-kms_RecipientAttestation_PCR20)
[#awskeymanagementservice-kms_RecipientAttestation_PCR21](#awskeymanagementservice-kms_RecipientAttestation_PCR21)
[#awskeymanagementservice-kms_RecipientAttestation_PCR22](#awskeymanagementservice-kms_RecipientAttestation_PCR22)
[#awskeymanagementservice-kms_RecipientAttestation_PCR23](#awskeymanagementservice-kms_RecipientAttestation_PCR23)
[#awskeymanagementservice-kms_RecipientAttestation_PCR24](#awskeymanagementservice-kms_RecipientAttestation_PCR24)
[#awskeymanagementservice-kms_RecipientAttestation_PCR25](#awskeymanagementservice-kms_RecipientAttestation_PCR25)
[#awskeymanagementservice-kms_RecipientAttestation_PCR26](#awskeymanagementservice-kms_RecipientAttestation_PCR26)
[#awskeymanagementservice-kms_RecipientAttestation_PCR27](#awskeymanagementservice-kms_RecipientAttestation_PCR27)
[#awskeymanagementservice-kms_RecipientAttestation_PCR28](#awskeymanagementservice-kms_RecipientAttestation_PCR28)
[#awskeymanagementservice-kms_RecipientAttestation_PCR29](#awskeymanagementservice-kms_RecipientAttestation_PCR29)
[#awskeymanagementservice-kms_RecipientAttestation_PCR30](#awskeymanagementservice-kms_RecipientAttestation_PCR30)
[#awskeymanagementservice-kms_RecipientAttestation_PCR31](#awskeymanagementservice-kms_RecipientAttestation_PCR31)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteAlias.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteAlias.html) **
- **描述:** 控制权限以删除别名。别名是可选的友好名称,您可以将其与 AWS KMS 密钥相关联
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-alias](#awskeymanagementservice-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteCustomKeyStore.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteCustomKeyStore.html) **
- **描述:** 控制权限以删除自定义密钥存储
- **访问级别:** 写入
- **资源类型(\* 为必需):**
- **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
- **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html) **
- **描述:** 控制删除您导入 AWS KMS 密钥的加密材料的权限。此操作会使此密钥变得无法使用
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_DeriveSharedSecret.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeriveSharedSecret.html) **
- **描述:** 控制使用指定的 AWS KMS 密钥派生共享密钥的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_KeyAgreementAlgorithm](#awskeymanagementservice-kms_KeyAgreementAlgorithm)
[#awskeymanagementservice-kms_RecipientAttestation_ImageSha384](#awskeymanagementservice-kms_RecipientAttestation_ImageSha384)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR0](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR0)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR1](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR1)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR2](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR2)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR3](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR3)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR4](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR4)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR5](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR5)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR6](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR6)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR7](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR7)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR8](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR8)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR9](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR9)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR10](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR10)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR11](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR11)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR12](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR12)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR13](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR13)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR14](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR14)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR15](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR15)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR16](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR16)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR17](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR17)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR18](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR18)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR19](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR19)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR20](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR20)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR21](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR21)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR22](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR22)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR23](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR23)
[#awskeymanagementservice-kms_RecipientAttestation_PCR0](#awskeymanagementservice-kms_RecipientAttestation_PCR0)
[#awskeymanagementservice-kms_RecipientAttestation_PCR1](#awskeymanagementservice-kms_RecipientAttestation_PCR1)
[#awskeymanagementservice-kms_RecipientAttestation_PCR2](#awskeymanagementservice-kms_RecipientAttestation_PCR2)
[#awskeymanagementservice-kms_RecipientAttestation_PCR3](#awskeymanagementservice-kms_RecipientAttestation_PCR3)
[#awskeymanagementservice-kms_RecipientAttestation_PCR4](#awskeymanagementservice-kms_RecipientAttestation_PCR4)
[#awskeymanagementservice-kms_RecipientAttestation_PCR5](#awskeymanagementservice-kms_RecipientAttestation_PCR5)
[#awskeymanagementservice-kms_RecipientAttestation_PCR6](#awskeymanagementservice-kms_RecipientAttestation_PCR6)
[#awskeymanagementservice-kms_RecipientAttestation_PCR7](#awskeymanagementservice-kms_RecipientAttestation_PCR7)
[#awskeymanagementservice-kms_RecipientAttestation_PCR8](#awskeymanagementservice-kms_RecipientAttestation_PCR8)
[#awskeymanagementservice-kms_RecipientAttestation_PCR9](#awskeymanagementservice-kms_RecipientAttestation_PCR9)
[#awskeymanagementservice-kms_RecipientAttestation_PCR10](#awskeymanagementservice-kms_RecipientAttestation_PCR10)
[#awskeymanagementservice-kms_RecipientAttestation_PCR11](#awskeymanagementservice-kms_RecipientAttestation_PCR11)
[#awskeymanagementservice-kms_RecipientAttestation_PCR12](#awskeymanagementservice-kms_RecipientAttestation_PCR12)
[#awskeymanagementservice-kms_RecipientAttestation_PCR13](#awskeymanagementservice-kms_RecipientAttestation_PCR13)
[#awskeymanagementservice-kms_RecipientAttestation_PCR14](#awskeymanagementservice-kms_RecipientAttestation_PCR14)
[#awskeymanagementservice-kms_RecipientAttestation_PCR15](#awskeymanagementservice-kms_RecipientAttestation_PCR15)
[#awskeymanagementservice-kms_RecipientAttestation_PCR16](#awskeymanagementservice-kms_RecipientAttestation_PCR16)
[#awskeymanagementservice-kms_RecipientAttestation_PCR17](#awskeymanagementservice-kms_RecipientAttestation_PCR17)
[#awskeymanagementservice-kms_RecipientAttestation_PCR18](#awskeymanagementservice-kms_RecipientAttestation_PCR18)
[#awskeymanagementservice-kms_RecipientAttestation_PCR19](#awskeymanagementservice-kms_RecipientAttestation_PCR19)
[#awskeymanagementservice-kms_RecipientAttestation_PCR20](#awskeymanagementservice-kms_RecipientAttestation_PCR20)
[#awskeymanagementservice-kms_RecipientAttestation_PCR21](#awskeymanagementservice-kms_RecipientAttestation_PCR21)
[#awskeymanagementservice-kms_RecipientAttestation_PCR22](#awskeymanagementservice-kms_RecipientAttestation_PCR22)
[#awskeymanagementservice-kms_RecipientAttestation_PCR23](#awskeymanagementservice-kms_RecipientAttestation_PCR23)
[#awskeymanagementservice-kms_RecipientAttestation_PCR24](#awskeymanagementservice-kms_RecipientAttestation_PCR24)
[#awskeymanagementservice-kms_RecipientAttestation_PCR25](#awskeymanagementservice-kms_RecipientAttestation_PCR25)
[#awskeymanagementservice-kms_RecipientAttestation_PCR26](#awskeymanagementservice-kms_RecipientAttestation_PCR26)
[#awskeymanagementservice-kms_RecipientAttestation_PCR27](#awskeymanagementservice-kms_RecipientAttestation_PCR27)
[#awskeymanagementservice-kms_RecipientAttestation_PCR28](#awskeymanagementservice-kms_RecipientAttestation_PCR28)
[#awskeymanagementservice-kms_RecipientAttestation_PCR29](#awskeymanagementservice-kms_RecipientAttestation_PCR29)
[#awskeymanagementservice-kms_RecipientAttestation_PCR30](#awskeymanagementservice-kms_RecipientAttestation_PCR30)
[#awskeymanagementservice-kms_RecipientAttestation_PCR31](#awskeymanagementservice-kms_RecipientAttestation_PCR31)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeCustomKeyStores.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeCustomKeyStores.html) **
- **描述:** 控制权限以查看有关账户和区域中的自定义密钥存储的详细信息
- **访问级别:** 读取
- **资源类型(\* 为必需):**
- **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
- **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) **
- **描述:** 控制查看 AWS KMS 密钥详细信息的权限
- **访问级别:** 读取
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) **
- **描述:** 控制禁用 AWS KMS 密钥的权限,从而防止将其用于加密操作
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_TrailingDaysWithoutKeyUsage](#awskeymanagementservice-kms_TrailingDaysWithoutKeyUsage)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKeyRotation.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKeyRotation.html) **
- **描述:** 控制禁用客户管理的 AWS KMS 密钥自动轮换的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_DisconnectCustomKeyStore.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisconnectCustomKeyStore.html) **
- **描述:** 控制将自定义密钥存储与其关联的 AWS CloudHSM 集群或外部密钥管理器断开连接的权限 AWS
- **访问级别:** 写入
- **资源类型(\* 为必需):**
- **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
- **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html) **
- **描述:** 控制将 AWS KMS 密钥的状态更改为已启用的权限。这允许将 KMS 密钥用于加密操作中
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKeyRotation.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKeyRotation.html) **
- **描述:** 控制允许自动轮换 AWS KMS 密钥中的加密材料的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_RotationPeriodInDays](#awskeymanagementservice-kms_RotationPeriodInDays)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) **
- **描述:** 控制使用指定的 AWS KMS 密钥加密数据和数据密钥的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_EncryptionAlgorithm](#awskeymanagementservice-kms_EncryptionAlgorithm)
[#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_](#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_)
[#awskeymanagementservice-kms_EncryptionContextKeys](#awskeymanagementservice-kms_EncryptionContextKeys)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) **
- **描述:** 控制使用 AWS KMS 密钥生成数据密钥的权限。您可以使用数据密钥对 AWS KMS 之外的数据进行加密
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_EncryptionAlgorithm](#awskeymanagementservice-kms_EncryptionAlgorithm)
[#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_](#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_)
[#awskeymanagementservice-kms_EncryptionContextKeys](#awskeymanagementservice-kms_EncryptionContextKeys)
[#awskeymanagementservice-kms_RecipientAttestation_ImageSha384](#awskeymanagementservice-kms_RecipientAttestation_ImageSha384)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR0](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR0)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR1](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR1)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR2](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR2)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR3](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR3)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR4](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR4)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR5](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR5)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR6](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR6)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR7](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR7)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR8](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR8)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR9](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR9)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR10](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR10)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR11](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR11)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR12](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR12)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR13](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR13)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR14](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR14)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR15](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR15)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR16](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR16)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR17](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR17)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR18](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR18)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR19](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR19)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR20](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR20)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR21](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR21)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR22](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR22)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR23](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR23)
[#awskeymanagementservice-kms_RecipientAttestation_PCR0](#awskeymanagementservice-kms_RecipientAttestation_PCR0)
[#awskeymanagementservice-kms_RecipientAttestation_PCR1](#awskeymanagementservice-kms_RecipientAttestation_PCR1)
[#awskeymanagementservice-kms_RecipientAttestation_PCR2](#awskeymanagementservice-kms_RecipientAttestation_PCR2)
[#awskeymanagementservice-kms_RecipientAttestation_PCR3](#awskeymanagementservice-kms_RecipientAttestation_PCR3)
[#awskeymanagementservice-kms_RecipientAttestation_PCR4](#awskeymanagementservice-kms_RecipientAttestation_PCR4)
[#awskeymanagementservice-kms_RecipientAttestation_PCR5](#awskeymanagementservice-kms_RecipientAttestation_PCR5)
[#awskeymanagementservice-kms_RecipientAttestation_PCR6](#awskeymanagementservice-kms_RecipientAttestation_PCR6)
[#awskeymanagementservice-kms_RecipientAttestation_PCR7](#awskeymanagementservice-kms_RecipientAttestation_PCR7)
[#awskeymanagementservice-kms_RecipientAttestation_PCR8](#awskeymanagementservice-kms_RecipientAttestation_PCR8)
[#awskeymanagementservice-kms_RecipientAttestation_PCR9](#awskeymanagementservice-kms_RecipientAttestation_PCR9)
[#awskeymanagementservice-kms_RecipientAttestation_PCR10](#awskeymanagementservice-kms_RecipientAttestation_PCR10)
[#awskeymanagementservice-kms_RecipientAttestation_PCR11](#awskeymanagementservice-kms_RecipientAttestation_PCR11)
[#awskeymanagementservice-kms_RecipientAttestation_PCR12](#awskeymanagementservice-kms_RecipientAttestation_PCR12)
[#awskeymanagementservice-kms_RecipientAttestation_PCR13](#awskeymanagementservice-kms_RecipientAttestation_PCR13)
[#awskeymanagementservice-kms_RecipientAttestation_PCR14](#awskeymanagementservice-kms_RecipientAttestation_PCR14)
[#awskeymanagementservice-kms_RecipientAttestation_PCR15](#awskeymanagementservice-kms_RecipientAttestation_PCR15)
[#awskeymanagementservice-kms_RecipientAttestation_PCR16](#awskeymanagementservice-kms_RecipientAttestation_PCR16)
[#awskeymanagementservice-kms_RecipientAttestation_PCR17](#awskeymanagementservice-kms_RecipientAttestation_PCR17)
[#awskeymanagementservice-kms_RecipientAttestation_PCR18](#awskeymanagementservice-kms_RecipientAttestation_PCR18)
[#awskeymanagementservice-kms_RecipientAttestation_PCR19](#awskeymanagementservice-kms_RecipientAttestation_PCR19)
[#awskeymanagementservice-kms_RecipientAttestation_PCR20](#awskeymanagementservice-kms_RecipientAttestation_PCR20)
[#awskeymanagementservice-kms_RecipientAttestation_PCR21](#awskeymanagementservice-kms_RecipientAttestation_PCR21)
[#awskeymanagementservice-kms_RecipientAttestation_PCR22](#awskeymanagementservice-kms_RecipientAttestation_PCR22)
[#awskeymanagementservice-kms_RecipientAttestation_PCR23](#awskeymanagementservice-kms_RecipientAttestation_PCR23)
[#awskeymanagementservice-kms_RecipientAttestation_PCR24](#awskeymanagementservice-kms_RecipientAttestation_PCR24)
[#awskeymanagementservice-kms_RecipientAttestation_PCR25](#awskeymanagementservice-kms_RecipientAttestation_PCR25)
[#awskeymanagementservice-kms_RecipientAttestation_PCR26](#awskeymanagementservice-kms_RecipientAttestation_PCR26)
[#awskeymanagementservice-kms_RecipientAttestation_PCR27](#awskeymanagementservice-kms_RecipientAttestation_PCR27)
[#awskeymanagementservice-kms_RecipientAttestation_PCR28](#awskeymanagementservice-kms_RecipientAttestation_PCR28)
[#awskeymanagementservice-kms_RecipientAttestation_PCR29](#awskeymanagementservice-kms_RecipientAttestation_PCR29)
[#awskeymanagementservice-kms_RecipientAttestation_PCR30](#awskeymanagementservice-kms_RecipientAttestation_PCR30)
[#awskeymanagementservice-kms_RecipientAttestation_PCR31](#awskeymanagementservice-kms_RecipientAttestation_PCR31)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair.html) **
- **描述:** 控制使用 AWS KMS 密钥生成数据密钥对的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_DataKeyPairSpec](#awskeymanagementservice-kms_DataKeyPairSpec)
[#awskeymanagementservice-kms_EncryptionAlgorithm](#awskeymanagementservice-kms_EncryptionAlgorithm)
[#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_](#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_)
[#awskeymanagementservice-kms_EncryptionContextKeys](#awskeymanagementservice-kms_EncryptionContextKeys)
[#awskeymanagementservice-kms_RecipientAttestation_ImageSha384](#awskeymanagementservice-kms_RecipientAttestation_ImageSha384)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR0](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR0)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR1](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR1)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR2](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR2)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR3](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR3)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR4](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR4)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR5](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR5)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR6](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR6)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR7](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR7)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR8](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR8)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR9](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR9)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR10](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR10)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR11](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR11)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR12](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR12)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR13](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR13)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR14](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR14)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR15](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR15)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR16](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR16)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR17](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR17)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR18](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR18)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR19](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR19)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR20](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR20)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR21](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR21)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR22](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR22)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR23](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR23)
[#awskeymanagementservice-kms_RecipientAttestation_PCR0](#awskeymanagementservice-kms_RecipientAttestation_PCR0)
[#awskeymanagementservice-kms_RecipientAttestation_PCR1](#awskeymanagementservice-kms_RecipientAttestation_PCR1)
[#awskeymanagementservice-kms_RecipientAttestation_PCR2](#awskeymanagementservice-kms_RecipientAttestation_PCR2)
[#awskeymanagementservice-kms_RecipientAttestation_PCR3](#awskeymanagementservice-kms_RecipientAttestation_PCR3)
[#awskeymanagementservice-kms_RecipientAttestation_PCR4](#awskeymanagementservice-kms_RecipientAttestation_PCR4)
[#awskeymanagementservice-kms_RecipientAttestation_PCR5](#awskeymanagementservice-kms_RecipientAttestation_PCR5)
[#awskeymanagementservice-kms_RecipientAttestation_PCR6](#awskeymanagementservice-kms_RecipientAttestation_PCR6)
[#awskeymanagementservice-kms_RecipientAttestation_PCR7](#awskeymanagementservice-kms_RecipientAttestation_PCR7)
[#awskeymanagementservice-kms_RecipientAttestation_PCR8](#awskeymanagementservice-kms_RecipientAttestation_PCR8)
[#awskeymanagementservice-kms_RecipientAttestation_PCR9](#awskeymanagementservice-kms_RecipientAttestation_PCR9)
[#awskeymanagementservice-kms_RecipientAttestation_PCR10](#awskeymanagementservice-kms_RecipientAttestation_PCR10)
[#awskeymanagementservice-kms_RecipientAttestation_PCR11](#awskeymanagementservice-kms_RecipientAttestation_PCR11)
[#awskeymanagementservice-kms_RecipientAttestation_PCR12](#awskeymanagementservice-kms_RecipientAttestation_PCR12)
[#awskeymanagementservice-kms_RecipientAttestation_PCR13](#awskeymanagementservice-kms_RecipientAttestation_PCR13)
[#awskeymanagementservice-kms_RecipientAttestation_PCR14](#awskeymanagementservice-kms_RecipientAttestation_PCR14)
[#awskeymanagementservice-kms_RecipientAttestation_PCR15](#awskeymanagementservice-kms_RecipientAttestation_PCR15)
[#awskeymanagementservice-kms_RecipientAttestation_PCR16](#awskeymanagementservice-kms_RecipientAttestation_PCR16)
[#awskeymanagementservice-kms_RecipientAttestation_PCR17](#awskeymanagementservice-kms_RecipientAttestation_PCR17)
[#awskeymanagementservice-kms_RecipientAttestation_PCR18](#awskeymanagementservice-kms_RecipientAttestation_PCR18)
[#awskeymanagementservice-kms_RecipientAttestation_PCR19](#awskeymanagementservice-kms_RecipientAttestation_PCR19)
[#awskeymanagementservice-kms_RecipientAttestation_PCR20](#awskeymanagementservice-kms_RecipientAttestation_PCR20)
[#awskeymanagementservice-kms_RecipientAttestation_PCR21](#awskeymanagementservice-kms_RecipientAttestation_PCR21)
[#awskeymanagementservice-kms_RecipientAttestation_PCR22](#awskeymanagementservice-kms_RecipientAttestation_PCR22)
[#awskeymanagementservice-kms_RecipientAttestation_PCR23](#awskeymanagementservice-kms_RecipientAttestation_PCR23)
[#awskeymanagementservice-kms_RecipientAttestation_PCR24](#awskeymanagementservice-kms_RecipientAttestation_PCR24)
[#awskeymanagementservice-kms_RecipientAttestation_PCR25](#awskeymanagementservice-kms_RecipientAttestation_PCR25)
[#awskeymanagementservice-kms_RecipientAttestation_PCR26](#awskeymanagementservice-kms_RecipientAttestation_PCR26)
[#awskeymanagementservice-kms_RecipientAttestation_PCR27](#awskeymanagementservice-kms_RecipientAttestation_PCR27)
[#awskeymanagementservice-kms_RecipientAttestation_PCR28](#awskeymanagementservice-kms_RecipientAttestation_PCR28)
[#awskeymanagementservice-kms_RecipientAttestation_PCR29](#awskeymanagementservice-kms_RecipientAttestation_PCR29)
[#awskeymanagementservice-kms_RecipientAttestation_PCR30](#awskeymanagementservice-kms_RecipientAttestation_PCR30)
[#awskeymanagementservice-kms_RecipientAttestation_PCR31](#awskeymanagementservice-kms_RecipientAttestation_PCR31)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPairWithoutPlaintext.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPairWithoutPlaintext.html) **
- **描述:** 控制使用 AWS KMS 密钥生成数据密钥对的权限。与 GenerateDataKeyPair 操作不同,此操作返回的不是纯文本副本的加密私钥
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_DataKeyPairSpec](#awskeymanagementservice-kms_DataKeyPairSpec)
[#awskeymanagementservice-kms_EncryptionAlgorithm](#awskeymanagementservice-kms_EncryptionAlgorithm)
[#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_](#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_)
[#awskeymanagementservice-kms_EncryptionContextKeys](#awskeymanagementservice-kms_EncryptionContextKeys)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) **
- **描述:** 控制使用 AWS KMS 密钥生成数据密钥的权限。与 GenerateDataKey 操作不同,此操作返回的加密数据密钥没有纯文本版本的数据密钥
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_EncryptionAlgorithm](#awskeymanagementservice-kms_EncryptionAlgorithm)
[#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_](#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_)
[#awskeymanagementservice-kms_EncryptionContextKeys](#awskeymanagementservice-kms_EncryptionContextKeys)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateMac.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateMac.html) **
- **描述:** 控制使用 AWS KMS 密钥生成消息身份验证码的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_MacAlgorithm](#awskeymanagementservice-kms_MacAlgorithm)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html) **
- **描述:** 控制从 KMS 获取加密安全的随机字节字符串的 AWS 权限
- **访问级别:** 写入
- **资源类型(\* 为必需):**
- **条件键:** [#awskeymanagementservice-kms_RecipientAttestation_ImageSha384](#awskeymanagementservice-kms_RecipientAttestation_ImageSha384)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR0](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR0)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR1](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR1)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR2](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR2)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR3](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR3)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR4](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR4)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR5](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR5)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR6](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR6)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR7](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR7)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR8](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR8)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR9](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR9)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR10](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR10)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR11](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR11)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR12](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR12)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR13](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR13)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR14](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR14)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR15](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR15)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR16](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR16)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR17](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR17)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR18](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR18)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR19](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR19)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR20](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR20)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR21](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR21)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR22](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR22)
[#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR23](#awskeymanagementservice-kms_RecipientAttestation_NitroTPMPCR23)
[#awskeymanagementservice-kms_RecipientAttestation_PCR0](#awskeymanagementservice-kms_RecipientAttestation_PCR0)
[#awskeymanagementservice-kms_RecipientAttestation_PCR1](#awskeymanagementservice-kms_RecipientAttestation_PCR1)
[#awskeymanagementservice-kms_RecipientAttestation_PCR2](#awskeymanagementservice-kms_RecipientAttestation_PCR2)
[#awskeymanagementservice-kms_RecipientAttestation_PCR3](#awskeymanagementservice-kms_RecipientAttestation_PCR3)
[#awskeymanagementservice-kms_RecipientAttestation_PCR4](#awskeymanagementservice-kms_RecipientAttestation_PCR4)
[#awskeymanagementservice-kms_RecipientAttestation_PCR5](#awskeymanagementservice-kms_RecipientAttestation_PCR5)
[#awskeymanagementservice-kms_RecipientAttestation_PCR6](#awskeymanagementservice-kms_RecipientAttestation_PCR6)
[#awskeymanagementservice-kms_RecipientAttestation_PCR7](#awskeymanagementservice-kms_RecipientAttestation_PCR7)
[#awskeymanagementservice-kms_RecipientAttestation_PCR8](#awskeymanagementservice-kms_RecipientAttestation_PCR8)
[#awskeymanagementservice-kms_RecipientAttestation_PCR9](#awskeymanagementservice-kms_RecipientAttestation_PCR9)
[#awskeymanagementservice-kms_RecipientAttestation_PCR10](#awskeymanagementservice-kms_RecipientAttestation_PCR10)
[#awskeymanagementservice-kms_RecipientAttestation_PCR11](#awskeymanagementservice-kms_RecipientAttestation_PCR11)
[#awskeymanagementservice-kms_RecipientAttestation_PCR12](#awskeymanagementservice-kms_RecipientAttestation_PCR12)
[#awskeymanagementservice-kms_RecipientAttestation_PCR13](#awskeymanagementservice-kms_RecipientAttestation_PCR13)
[#awskeymanagementservice-kms_RecipientAttestation_PCR14](#awskeymanagementservice-kms_RecipientAttestation_PCR14)
[#awskeymanagementservice-kms_RecipientAttestation_PCR15](#awskeymanagementservice-kms_RecipientAttestation_PCR15)
[#awskeymanagementservice-kms_RecipientAttestation_PCR16](#awskeymanagementservice-kms_RecipientAttestation_PCR16)
[#awskeymanagementservice-kms_RecipientAttestation_PCR17](#awskeymanagementservice-kms_RecipientAttestation_PCR17)
[#awskeymanagementservice-kms_RecipientAttestation_PCR18](#awskeymanagementservice-kms_RecipientAttestation_PCR18)
[#awskeymanagementservice-kms_RecipientAttestation_PCR19](#awskeymanagementservice-kms_RecipientAttestation_PCR19)
[#awskeymanagementservice-kms_RecipientAttestation_PCR20](#awskeymanagementservice-kms_RecipientAttestation_PCR20)
[#awskeymanagementservice-kms_RecipientAttestation_PCR21](#awskeymanagementservice-kms_RecipientAttestation_PCR21)
[#awskeymanagementservice-kms_RecipientAttestation_PCR22](#awskeymanagementservice-kms_RecipientAttestation_PCR22)
[#awskeymanagementservice-kms_RecipientAttestation_PCR23](#awskeymanagementservice-kms_RecipientAttestation_PCR23)
[#awskeymanagementservice-kms_RecipientAttestation_PCR24](#awskeymanagementservice-kms_RecipientAttestation_PCR24)
[#awskeymanagementservice-kms_RecipientAttestation_PCR25](#awskeymanagementservice-kms_RecipientAttestation_PCR25)
[#awskeymanagementservice-kms_RecipientAttestation_PCR26](#awskeymanagementservice-kms_RecipientAttestation_PCR26)
[#awskeymanagementservice-kms_RecipientAttestation_PCR27](#awskeymanagementservice-kms_RecipientAttestation_PCR27)
[#awskeymanagementservice-kms_RecipientAttestation_PCR28](#awskeymanagementservice-kms_RecipientAttestation_PCR28)
[#awskeymanagementservice-kms_RecipientAttestation_PCR29](#awskeymanagementservice-kms_RecipientAttestation_PCR29)
[#awskeymanagementservice-kms_RecipientAttestation_PCR30](#awskeymanagementservice-kms_RecipientAttestation_PCR30)
[#awskeymanagementservice-kms_RecipientAttestation_PCR31](#awskeymanagementservice-kms_RecipientAttestation_PCR31)
- **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyLastUsage.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyLastUsage.html) **
- **描述:** 控制查看 AWS KMS 密钥上次使用情况的权限
- **访问级别:** 读取
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyPolicy.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyPolicy.html) **
- **描述:** 控制查看指定 AWS KMS 密钥的密钥策略的权限
- **访问级别:** 读取
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyRotationStatus.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyRotationStatus.html) **
- **描述:** 控制查看 AWS KMS 密钥的密钥轮换状态的权限
- **访问级别:** 读取
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_GetParametersForImport.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetParametersForImport.html) **
- **描述:** 控制权限以获取将加密材料导入到客户托管密钥所需的数据,包括公有密钥和导入令牌
- **访问级别:** 读取
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService)
[#awskeymanagementservice-kms_WrappingAlgorithm](#awskeymanagementservice-kms_WrappingAlgorithm)
[#awskeymanagementservice-kms_WrappingKeySpec](#awskeymanagementservice-kms_WrappingKeySpec) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html) **
- **描述:** 控制下载非对称 KMS 密钥的公 AWS 钥的权限
- **访问级别:** 读取
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_ImportKeyMaterial.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_ImportKeyMaterial.html) **
- **描述:** 控制将加密材料导入 AWS KMS 密钥的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ExpirationModel](#awskeymanagementservice-kms_ExpirationModel)
[#awskeymanagementservice-kms_ValidTo](#awskeymanagementservice-kms_ValidTo)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html) **
- **描述:** 控制权限以查看在账户中定义的别名。别名是可选的友好名称,您可以将其与 AWS KMS 密钥相关联
- **访问级别:** 列表
- **资源类型(\* 为必需):**
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_ListGrants.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListGrants.html) **
- **描述:** 控制查看 AWS KMS 密钥所有授权的权限
- **访问级别:** 列表
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_GrantIsForAWSResource](#awskeymanagementservice-kms_GrantIsForAWSResource)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeyPolicies.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeyPolicies.html) **
- **描述:** 控制查看 AWS KMS 密钥的密钥策略名称的权限
- **访问级别:** 列表
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeyRotations.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeyRotations.html) **
- **描述:** 控制查看 AWS KMS 密钥密钥材料列表的权限
- **访问级别:** 列表
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html) **
- **描述:** 控制查看账户中所有 AWS KMS 密钥的密钥 ID 和亚马逊资源名称 (ARN) 的权限
- **访问级别:** 列表
- **资源类型(\* 为必需):**
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_ListResourceTags.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListResourceTags.html) **
- **描述:** 控制查看附加到 AWS KMS 密钥的所有标签的权限
- **访问级别:** 列表
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_ListRetirableGrants.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListRetirableGrants.html) **
- **描述:** 控制权限以查看其中指定的委托人为停用委托人的授权。其他委托人可能能够停用此授权,而且此委托人可能能够停用其他授权
- **访问级别:** 列表
- **资源类型(\* 为必需):**
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) **
- **描述:** 控制替换指定 AWS KMS 密钥的密钥策略的权限
- **访问级别:** 权限管理
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_BypassPolicyLockoutSafetyCheck](#awskeymanagementservice-kms_BypassPolicyLockoutSafetyCheck)
[#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html) **
- **描述:** 控制在 KMS 中解密和重新加密数据的过程中的数据解密权限 AWS
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_EncryptionAlgorithm](#awskeymanagementservice-kms_EncryptionAlgorithm)
[#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_](#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_)
[#awskeymanagementservice-kms_EncryptionContextKeys](#awskeymanagementservice-kms_EncryptionContextKeys)
[#awskeymanagementservice-kms_ReEncryptOnSameKey](#awskeymanagementservice-kms_ReEncryptOnSameKey)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html) **
- **描述:** 在 KMS 中对数据进行解密和重新加密,控制对数据进行加密的权限 AWS
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_EncryptionAlgorithm](#awskeymanagementservice-kms_EncryptionAlgorithm)
[#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_](#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_)
[#awskeymanagementservice-kms_EncryptionContextKeys](#awskeymanagementservice-kms_EncryptionContextKeys)
[#awskeymanagementservice-kms_ReEncryptOnSameKey](#awskeymanagementservice-kms_ReEncryptOnSameKey)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_ReplicateKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReplicateKey.html) **
- **描述:** 控制复制多区域主键的权限
- **访问级别:** Write
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:** iam:CreateServiceLinkedRole
kms:CreateKey
kms:PutKeyPolicy
kms:TagResource
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ReplicaRegion](#awskeymanagementservice-kms_ReplicaRegion)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) **
- **描述:** 控制权限以停用授权。该 RetireGrant 操作通常由授权用户在完成授权允许他们执行的任务后调用
- **访问级别:** 权限管理
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_](#awskeymanagementservice-kms_EncryptionContext___EncryptionContextKey_)
[#awskeymanagementservice-kms_EncryptionContextKeys](#awskeymanagementservice-kms_EncryptionContextKeys)
[#awskeymanagementservice-kms_GrantConstraintType](#awskeymanagementservice-kms_GrantConstraintType)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_RevokeGrant.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_RevokeGrant.html) **
- **描述:** 控制权限以撤销授权,这会对所有依赖于此授权的操作拒绝权限
- **访问级别:** 权限管理
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_GrantIsForAWSResource](#awskeymanagementservice-kms_GrantIsForAWSResource)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_RotateKeyOnDemand.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_RotateKeyOnDemand.html) **
- **描述:** 控制调用 AWS KMS 密钥中加密材料的按需轮换的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) **
- **描述:** 控制计划删除 AWS KMS 密钥的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ScheduleKeyDeletionPendingWindowInDays](#awskeymanagementservice-kms_ScheduleKeyDeletionPendingWindowInDays)
[#awskeymanagementservice-kms_TrailingDaysWithoutKeyUsage](#awskeymanagementservice-kms_TrailingDaysWithoutKeyUsage)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html) **
- **描述:** 控制权限以便为消息生成数字签名
- **访问级别:** Write
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_MessageType](#awskeymanagementservice-kms_MessageType)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_SigningAlgorithm](#awskeymanagementservice-kms_SigningAlgorithm)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-auth.html#multi-region-auth-slr](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-auth.html#multi-region-auth-slr) [仅权限]**
- **描述:** 控制对可同步多区域密钥的内部 API 的访问
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key)
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html) **
- **描述:** 控制创建或更新附加到 AWS KMS 密钥的标签的权限
- **访问级别:** 标签
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-aws_RequestTag___TagKey_](#awskeymanagementservice-aws_RequestTag___TagKey_)
[#awskeymanagementservice-aws_TagKeys](#awskeymanagementservice-aws_TagKeys)
[#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_UntagResource.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_UntagResource.html) **
- **描述:** 控制删除附加到 AWS KMS 密钥的标签的权限
- **访问级别:** 标签
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-aws_TagKeys](#awskeymanagementservice-aws_TagKeys)
[#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateAlias.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateAlias.html) **
- **描述:** 控制将别名与其他 AWS KMS 密钥关联的权限。别名是可选的友好名称,您可以将其与 KMS 密钥相关联
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-alias](#awskeymanagementservice-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateCustomKeyStore.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateCustomKeyStore.html) **
- **描述:** 控制权限以更改自定义密钥存储的属性
- **访问级别:** 写入
- **资源类型(\* 为必需):**
- **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
- **相关操作:** ec2:DescribeVpcEndpointServices
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateKeyDescription.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateKeyDescription.html) **
- **描述:** 控制删除 KMS 密钥或更改 AWS KMS 密钥描述的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdatePrimaryRegion.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdatePrimaryRegion.html) **
- **描述:** 控制更新多区域主键的主区域的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_PrimaryRegion](#awskeymanagementservice-kms_PrimaryRegion)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html) **
- **描述:** 控制使用指定 AWS KMS 密钥验证数字签名的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_MessageType](#awskeymanagementservice-kms_MessageType)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_SigningAlgorithm](#awskeymanagementservice-kms_SigningAlgorithm)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
- ** [https://docs.aws.amazon.com/kms/latest/APIReference/API_VerifyMac.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_VerifyMac.html) **
- **描述:** 控制使用 AWS KMS 密钥验证消息身份验证码的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awskeymanagementservice-key](#awskeymanagementservice-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awskeymanagementservice-kms_CallerAccount](#awskeymanagementservice-kms_CallerAccount)
[#awskeymanagementservice-kms_MacAlgorithm](#awskeymanagementservice-kms_MacAlgorithm)
[#awskeymanagementservice-kms_RequestAlias](#awskeymanagementservice-kms_RequestAlias)
[#awskeymanagementservice-kms_ViaService](#awskeymanagementservice-kms_ViaService) / **相关操作:**
## 定义的资源类型 AWS 密钥管理服务
以下资源类型是由该服务定义的,可以在 IAM 权限策略语句的 `Resource` 元素中使用这些资源类型。[操作表](#awskeymanagementservice-actions-as-permissions)中的每个操作指定了可以使用该操作指定的资源类型。您也可以在策略中包含条件键,从而定义资源类型。这些键显示在资源类型表的最后一列。有关下表中各列的详细信息,请参阅[资源类型表](reference_policies_actions-resources-contextkeys.html#resources_table)。
****
| 资源类型 | ARN | 条件键 |
| --- | --- | --- |
| [https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept) | arn:${Partition}:kms:${Region}:${Account}:alias/${Alias} | |
| [https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) | arn:${Partition}:kms:${Region}:${Account}:key/${KeyId} | [#awskeymanagementservice-aws_ResourceTag___TagKey_](#awskeymanagementservice-aws_ResourceTag___TagKey_)
[#awskeymanagementservice-kms_KeyOrigin](#awskeymanagementservice-kms_KeyOrigin)
[#awskeymanagementservice-kms_KeySpec](#awskeymanagementservice-kms_KeySpec)
[#awskeymanagementservice-kms_KeyUsage](#awskeymanagementservice-kms_KeyUsage)
[#awskeymanagementservice-kms_MultiRegion](#awskeymanagementservice-kms_MultiRegion)
[#awskeymanagementservice-kms_MultiRegionKeyType](#awskeymanagementservice-kms_MultiRegionKeyType)
[#awskeymanagementservice-kms_ResourceAliases](#awskeymanagementservice-kms_ResourceAliases) |
## 的条件密钥 AWS 密钥管理服务
AWS 密钥管理服务定义了以下条件密钥,这些条件密钥可用于 IAM 策略的`Condition`元素。您可以使用这些键进一步细化应用策略语句的条件。有关下表中各列的详细信息,请参阅[条件键表](reference_policies_actions-resources-contextkeys.html#context_keys_table)。
要查看适用于所有服务的全局条件键,请参阅 [AWS 全局条件上下文键](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)。
****
| 条件键 | 描述 | Type |
| --- | --- | --- |
| [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) | 根据请求中标签的密钥和值筛选对指定 AWS KMS 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/tag-authorization.html](https://docs.aws.amazon.com/kms/latest/developerguide/tag-authorization.html) | 根据分配给 AWS KMS 密钥的标签筛选对指定 AWS KMS 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) | 根据请求中的标签密钥筛选对指定 AWS KMS 操作的访问权限 | ArrayOfString |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-bypass-policy-lockout-safety-check](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-bypass-policy-lockout-safety-check) | 根据请求中 BypassPolicyLockoutSafetyCheck 参数的值筛选对 CreateKey 和 PutKeyPolicy 操作的访问权限 | 布尔型 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-caller-account](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-caller-account) | 根据调用者的 AWS 账户 ID 筛选对指定 AWS KMS 操作的访问权限。您可以使用此条件密钥在一份政策声明中允许或拒绝所有 IAM 用户和角色 AWS 账户 的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-spec-replaced](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-spec-replaced) | kms: CustomerMasterKeySpec 条件密钥已弃用。而是使用 kms: KeySpec 条件密钥 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-usage-replaced](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-usage-replaced) | kms: CustomerMasterKeyUsage 条件密钥已弃用。而是使用 kms: KeyUsage 条件密钥 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-data-key-pair-spec](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-data-key-pair-spec) | 根据请求中 KeyPairSpec 参数的值筛选访问权限 GenerateDataKeyPair 和 GenerateDataKeyPairWithoutPlaintext 操作 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-algorithm](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-algorithm) | 根据请求中的加密算法的值筛选对加密操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context) | 根据加密操作中的加密上下文筛选对称 AWS KMS 密钥的访问权限。此条件可评估每个键值加密上下文对中的键和值 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context-keys](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context-keys) | 根据加密操作中的加密上下文筛选对称 AWS KMS 密钥的访问权限。此条件键仅评估每个键值加密上下文对中的键 | ArrayOfString |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-expiration-model](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-expiration-model) | 根据请求中 ExpirationModel 参数的值筛选对 ImportKeyMaterial 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grant-constraint-source-arn](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grant-constraint-source-arn) | 根据请求中的 SourceArn 约束值筛选对 CreateGrant 操作的访问权限 | 进行筛选 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grant-constraint-type](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grant-constraint-type) | 根据请求中的授权限制筛选对 CreateGrant 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grant-is-for-aws-resource](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grant-is-for-aws-resource) | 当请求来自指定 AWS 服务时,筛选对 CreateGrant 操作的访问权限 | 布尔型 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grant-operations) | 根据授权中的 CreateGrant 操作筛选对操作的访问权限 | ArrayOfString |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grantee-principal](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grantee-principal) | 根据授权中的被授权人委托人筛选对 CreateGrant 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grantee-service-principal](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grantee-service-principal) | 根据请求中的值筛选对 CreateGrant 操作 GranteeServicePrincipal 的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-agreement-algorithm](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-agreement-algorithm) | 根据请求中 KeyAgreementAlgorithm 参数的值筛选对 DeriveSharedSecret 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-origin](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-origin) | 根据操作创建或使用的 AWS KMS 密钥的 Origin 属性筛选对 API 操作的访问权限。使用它来限定对 KMS 密钥授权的 CreateKey 操作或任何操作的授权 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-spec](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-spec) | 根据操作创建或使用的 AWS KMS 密钥的 KeySpec 属性筛选对 API 操作的访问权限。使用它来限定对 KMS 密钥资源授权的 CreateKey 操作或任何操作的授权 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-usage](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-usage) | 根据操作创建或使用的 AWS KMS 密钥的 KeyUsage 属性筛选对 API 操作的访问权限。使用它来限定对 KMS 密钥资源授权的 CreateKey 操作或任何操作的授权 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-mac-algorithm](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-mac-algorithm) | 根据请求中的 MacAlgorithm 参数筛选对 GenerateMac 和 VerifyMac 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-message-type](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-message-type) | 根据请求中 MessageType 参数的值筛选对 “签名和验证” 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-multi-region](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-multi-region) | 根据操作创建或使用的 AWS KMS 密钥的 MultiRegion 属性筛选对 API 操作的访问权限。使用它来限定对 KMS 密钥资源授权的 CreateKey 操作或任何操作的授权 | 布尔型 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-multi-region-key-type](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-multi-region-key-type) | 根据操作创建或使用的 AWS KMS 密钥的 MultiRegionKeyType 属性筛选对 API 操作的访问权限。使用它来限定对 KMS 密钥资源授权的 CreateKey 操作或任何操作的授权 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-primary-region](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-primary-region) | 根据请求中 PrimaryRegion 参数的值筛选对 UpdatePrimaryRegion 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-reencrypt-on-same-key](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-reencrypt-on-same-key) | 当 ReEncrypt 操作使用的密钥与用于加密操作的相同 AWS KMS 密钥时,会筛选对该操作的访问权限 | 布尔型 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-image-sha](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-image-sha) | 根据请求中证明文档中的图像哈希筛选对 API 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)0 筛选访问权限。PCR0 是核心系统固件可执行代码的连续度量 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)1 筛选访问权限。PCR1 是对核心系统固件 data/host 平台配置的连续测量,通常包括序列号和型号 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)10 筛选访问权限。PCR10 是保护 IMA 度量日志的连续度量 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)11 筛选访问权限。PCR11 是统一内核映像(UKI)所有组件的连续度量 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)12 筛选访问权限。PCR12 是内核命令行、系统凭证和系统配置映像的连续度量 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)13 筛选访问权限。PCR13 是 initrd 所有系统扩展映像的连续度量 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)14 筛选访问权限。PCR14 是“MOK”证书和哈希值的连续度量 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)15 筛选访问权限。PCR15 是根文件系统卷加密密钥的连续度量 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)16 筛选访问权限。PCR16 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)17 筛选访问权限。PCR17 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)18 筛选访问权限。PCR18 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)19 筛选访问权限。PCR19 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)2 筛选访问权限。PCR2 是扩展或可插拔的可执行代码的连续度量,包括可插拔硬件上的选项 ROM | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)20 筛选访问权限。PCR20 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)21 筛选访问权限。PCR21 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)22 筛选访问权限。PCR22 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)23 筛选访问权限。PCR23 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)3 筛选访问权限。PCR3 是扩展或可插拔的固件数据的连续度量,包括有关可插拔硬件的信息 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)4 筛选访问权限。PCR4 是引导加载程序和其他驱动程序的连续度量,包括由引导加载程序加载的二进制文件和扩展程序 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)5 筛选访问权限。PCR5 是表格的连续衡量标准 GPT/Partition | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)6 筛选访问权限。PCR6 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)7 筛选访问权限。PCR7 是一种连续的状态衡量标准 SecureBoot | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)8 筛选访问权限。PCR8 是命令和内核命令行的连续度量 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html#conditions-kms-recipient-nitro-tpm-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)9 筛选访问权限。PCR9 是读取的所有文件(包括内核映像)的连续度量 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)0 筛选访问权限。PCR0 是 Enclave 映像文件内容的连续度量,不包括截面数据 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)1 筛选访问权限。PCR1 是 Linux 内核和引导数据的连续度量 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)10 筛选访问权限。PCR10 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)11 筛选访问权限。PCR11 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)12 筛选访问权限。PCR12 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)13 筛选访问权限。PCR13 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)14 筛选访问权限。PCR14 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)15 筛选访问权限。PCR15 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)16 筛选访问权限。PCR16 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)17 筛选访问权限。PCR17 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)18 筛选访问权限。PCR18 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)19 筛选访问权限。PCR19 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)2 筛选访问权限。PCR2 是用户应用程序的按顺序连续度量,无需启动 ramfs | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)20 筛选访问权限。PCR20 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)21 筛选访问权限。PCR21 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)22 筛选访问权限。PCR22 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)23 筛选访问权限。PCR23 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)24 筛选访问权限。PCR24 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)25 筛选访问权限。PCR25 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)26 筛选访问权限。PCR26 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)27 筛选访问权限。PCR27 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)28 筛选访问权限。PCR28 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)29 筛选访问权限。PCR29 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)3 筛选访问权限。PCR3 是分配给父实例的 IAM 角色的连续度量 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)30 筛选访问权限。PCR30 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)31 筛选访问权限。PCR31 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)4 筛选访问权限。PCR4 是父实例 ID 的连续度量 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)5 筛选访问权限。PCR5 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)6 筛选访问权限。PCR6 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)7 筛选访问权限。PCR7 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)8 筛选访问权限。PCR8 是为 Enclave 映像文件指定的签名证书的度量 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs) | 按请求中证明文档中的平台配置寄存器(PCR)9 筛选访问权限。PCR9 是一种自定义 PCR,可以由用户针对特定使用案例进行定义 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-replica-region](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-replica-region) | 根据请求中 ReplicaRegion 参数的值筛选对 ReplicateKey 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-request-alias](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-request-alias) | GetPublicKey 根据请求中的别名筛选对加密操作 DescribeKey、和的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-resource-aliases](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-resource-aliases) | 根据与 AWS KMS 密钥关联的别名筛选对指定 AWS KMS 操作的访问权限 | ArrayOfString |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-retiring-principal](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-retiring-principal) | 根据补助金中即将退休的本金筛选对 CreateGrant 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-retiring-service-principal](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-retiring-service-principal) | 根据请求中的值筛选对 CreateGrant 操作 RetiringServicePrincipal 的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-rotation-period-in-days](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-rotation-period-in-days) | 根据请求中 RotationPeriodInDays 参数的值筛选对 EnableKeyRotation 操作的访问权限 | 数值 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days) | 根据请求中 PendingWindowInDays 参数的值筛选对 ScheduleKeyDeletion 操作的访问权限 | 数值 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-signing-algorithm](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-signing-algorithm) | 根据请求中的签名算法筛选对 Sign 和 Verify 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-trailing-days-without-key-usage](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-trailing-days-without-key-usage) | 根据自上次使用 AWS KMS 密钥以来的天数筛选对 ScheduleKeyDeletion 和 DisableKey 操作的访问权限 | 数值 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-valid-to](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-valid-to) | 根据请求中 ValidTo 参数的值筛选对 ImportKeyMaterial 操作的访问权限。您可以使用此条件键以允许用户仅当在指定的日期到期时才能导入密钥材料 | 日期 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-via-service](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-via-service) | 当委托人代表委托人提出的请求来自指定 AWS 服务时,筛选访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-wrapping-algorithm](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-wrapping-algorithm) | 根据请求中 WrappingAlgorithm 参数的值筛选对 GetParametersForImport 操作的访问权限 | 字符串 |
| [https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-wrapping-key-spec](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-wrapping-key-spec) | 根据请求中 WrappingKeySpec 参数的值筛选对 GetParametersForImport 操作的访问权限 | 字符串 |