{ "addkeyreplicationregions": { "name": "AddKeyReplicationRegions", "description": "Grants permission to add replication regions to an existing AWS Payment Cryptography key", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "associatempateam": { "name": "AssociateMpaTeam", "description": "Grants permission to associate an MPA approval team with a payment cryptography action", "accessLevel": "Write", "resourceTypes": [ { "name": "approval-team", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [ "mpa:CancelSession", "mpa:GetApprovalTeam", "mpa:StartSession" ] }, "createalias": { "name": "CreateAlias", "description": "Grants permission to create a user-friendly name for a Key", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "createkey": { "name": "CreateKey", "description": "Grants permission to create a unique customer managed key in the caller's AWS account and region", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "payment-cryptography:KeyClass", "payment-cryptography:KeyUsage", "payment-cryptography:KeyAlgorithm" ], "dependentActions": [ "payment-cryptography:TagResource" ] }, "decryptdata": { "name": "DecryptData", "description": "Grants permission to decrypt ciphertext data to plaintext using symmetric, asymmetric or DUKPT data encryption key", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "deletealias": { "name": "DeleteAlias", "description": "Grants permission to delete the specified alias", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] }, "deletekey": { "name": "DeleteKey", "description": "Grants permission to schedule the deletion of a Key", "accessLevel": "Write", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [ "mpa:CancelSession" ] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "deleteresourcepolicy": { "name": "DeleteResourcePolicy", "description": "Grants permission to delete the resource-based policy attached to a key", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "disabledefaultkeyreplicationregions": { "name": "DisableDefaultKeyReplicationRegions", "description": "Grants permission to disable default key replication regions for account-level replication", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [], "dependentActions": [] }, "disassociatempateam": { "name": "DisassociateMpaTeam", "description": "Grants permission to disassociate an MPA approval team from a payment cryptography action", "accessLevel": "Write", "resourceTypes": [ { "name": "approval-team", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [ "mpa:CancelSession", "mpa:StartSession" ] }, "enabledefaultkeyreplicationregions": { "name": "EnableDefaultKeyReplicationRegions", "description": "Grants permission to enable default key replication regions for account-level replication", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [], "dependentActions": [] }, "encryptdata": { "name": "EncryptData", "description": "Grants permission to encrypt plaintext data to ciphertext using symmetric, asymmetric or DUKPT data encryption key", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "exportkey": { "name": "ExportKey", "description": "Grants permission to export a key from the service", "accessLevel": "Write", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias", "payment-cryptography:CertificateAuthorityPublicKeyIdentifier", "payment-cryptography:WrappingKeyIdentifier" ], "dependentActions": [] }, "generateas2805kekvalidation": { "name": "GenerateAs2805KekValidation", "description": "Grants permission to generate a KekValidationRequest or a KekValidationResponse for node-to-node initialization between payment processing nodes using Australian Standard 2805 (AS2805)", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "generatecardvalidationdata": { "name": "GenerateCardValidationData", "description": "Grants permission to generate card-related data using algorithms such as Card Verification Values (CVV/CVV2), Dynamic Card Verification Values (dCVV/dCVV2) or Card Security Codes (CSC) that check the validity of a magnetic stripe card", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "generatemac": { "name": "GenerateMac", "description": "Grants permission to generate a MAC (Message Authentication Code) cryptogram", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "generatemacemvpinchange": { "name": "GenerateMacEmvPinChange", "description": "Grants permission to generate a MAC (Message Authentication Code) cryptogram", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "generatepindata": { "name": "GeneratePinData", "description": "Grants permission to generate pin-related data such as PIN, PIN Verification Value (PVV), PIN Block and PIN Offset during new card issuance or card re-issuance", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "getalias": { "name": "GetAlias", "description": "Grants permission to return the keyArn associated with an aliasName", "accessLevel": "Read", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] }, "getcertificatesigningrequest": { "name": "GetCertificateSigningRequest", "description": "Grants permission to return the Certificate Signing Request for a public key from a key of class PUBLIC_KEY", "accessLevel": "Read", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "getdefaultkeyreplicationregions": { "name": "GetDefaultKeyReplicationRegions", "description": "Grants permission to retrieve the default key replication regions configured at the account level", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [], "dependentActions": [] }, "getkey": { "name": "GetKey", "description": "Grants permission to return the detailed information about the specified key", "accessLevel": "Read", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "getmpateamassociation": { "name": "GetMpaTeamAssociation", "description": "Grants permission to retrieve information about an MPA approval team association for a payment cryptography action", "accessLevel": "Read", "resourceTypes": [ { "name": "approval-team", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "getparametersforexport": { "name": "GetParametersForExport", "description": "Grants permission to get the export token and the signing key certificate to initiate a TR-34 key export", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [], "dependentActions": [] }, "getparametersforimport": { "name": "GetParametersForImport", "description": "Grants permission to get the import token and the wrapping key certificate to initiate a TR-34 key import", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [], "dependentActions": [] }, "getpublickeycertificate": { "name": "GetPublicKeyCertificate", "description": "Grants permission to return the public key from a key of class PUBLIC_KEY", "accessLevel": "Read", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "getresourcepolicy": { "name": "GetResourcePolicy", "description": "Grants permission to retrieve the resource-based policy attached to a key", "accessLevel": "Read", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "importkey": { "name": "ImportKey", "description": "Grants permission to imports keys and public key certificates", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys", "payment-cryptography:ImportKeyMaterial", "payment-cryptography:CertificateAuthorityPublicKeyIdentifier", "payment-cryptography:WrappingKeyIdentifier" ], "dependentActions": [ "mpa:StartSession", "payment-cryptography:TagResource" ] }, "listaliases": { "name": "ListAliases", "description": "Grants permission to return a list of aliases created for all keys in the caller's AWS account and Region", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [], "dependentActions": [] }, "listkeys": { "name": "ListKeys", "description": "Grants permission to return a list of keys created in the caller's AWS account and Region", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [], "dependentActions": [] }, "listtagsforresource": { "name": "ListTagsForResource", "description": "Grants permission to return a list of tags created in the caller's AWS account and Region", "accessLevel": "Read", "resourceTypes": [ { "name": "key", "required": false, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "putresourcepolicy": { "name": "PutResourcePolicy", "description": "Grants permission to attach or replace a resource-based policy on a key", "accessLevel": "Permissions management", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "reencryptdata": { "name": "ReEncryptData", "description": "Grants permission to re-encrypt ciphertext using DUKPT, Symmetric and Asymmetric Data Encryption Keys", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "removekeyreplicationregions": { "name": "RemoveKeyReplicationRegions", "description": "Grants permission to remove replication regions from an existing AWS Payment Cryptography key", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "restorekey": { "name": "RestoreKey", "description": "Grants permission to cancel a scheduled key deletion if at any point during the waiting period a Key needs to be revived", "accessLevel": "Write", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "startkeyusage": { "name": "StartKeyUsage", "description": "Grants permission to enable a disabled Key", "accessLevel": "Write", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "stopkeyusage": { "name": "StopKeyUsage", "description": "Grants permission to disable an enabled Key", "accessLevel": "Write", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "tagresource": { "name": "TagResource", "description": "Grants permission to add or overwrites one or more tags for the specified resource", "accessLevel": "Tagging", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "aws:TagKeys", "aws:RequestTag/${TagKey}" ], "dependentActions": [] }, "translatekeymaterial": { "name": "TranslateKeyMaterial", "description": "Grants permission to translate wrapping key type for a wrapped key", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "translatepindata": { "name": "TranslatePinData", "description": "Grants permission to translate encrypted PIN block from and to ISO 9564 formats 0,1,3,4", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "untagresource": { "name": "UntagResource", "description": "Grants permission to remove the specified tag or tags from the specified resource", "accessLevel": "Tagging", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "aws:TagKeys" ], "dependentActions": [] }, "updatealias": { "name": "UpdateAlias", "description": "Grants permission to change the key to which an alias is assigned, or unassign it from its current key", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] }, "verifyauthrequestcryptogram": { "name": "VerifyAuthRequestCryptogram", "description": "Grants permission to verify Authorization Request Cryptogram (ARQC) for a EMV chip payment card authorization", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "verifycardvalidationdata": { "name": "VerifyCardValidationData", "description": "Grants permission to verify card-related validation data using algorithms such as Card Verification Values (CVV/CVV2), Dynamic Card Verification Values (dCVV/dCVV2) and Card Security Codes (CSC)", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "verifymac": { "name": "VerifyMac", "description": "Grants permission to verify MAC (Message Authentication Code) of input data against a provided MAC", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] }, "verifypindata": { "name": "VerifyPinData", "description": "Grants permission to verify pin-related data such as PIN and PIN Offset using algorithms including VISA PVV and IBM3624", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "payment-cryptography:RequestAlias" ], "dependentActions": [] } }