{ "createalias": { "name": "CreateAlias", "description": "Grants permission to create a user-friendly name for a Key", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "createkey": { "name": "CreateKey", "description": "Grants permission to create a unique customer managed key in the caller's AWS account and region", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "payment-cryptography:TagResource" ] }, "decryptdata": { "name": "DecryptData", "description": "Grants permission to decrypt ciphertext data to plaintext using symmetric, asymmetric or DUKPT data encryption key", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "deletealias": { "name": "DeleteAlias", "description": "Grants permission to delete the specified alias", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] }, "deletekey": { "name": "DeleteKey", "description": "Grants permission to schedule the deletion of a Key", "accessLevel": "Write", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "encryptdata": { "name": "EncryptData", "description": "Grants permission to encrypt plaintext data to ciphertext using symmetric, asymmetric or DUKPT data encryption key", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "exportkey": { "name": "ExportKey", "description": "Grants permission to export a key from the service", "accessLevel": "Write", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "generatecardvalidationdata": { "name": "GenerateCardValidationData", "description": "Grants permission to generate card-related data using algorithms such as Card Verification Values (CVV/CVV2), Dynamic Card Verification Values (dCVV/dCVV2) or Card Security Codes (CSC) that check the validity of a magnetic stripe card", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "generatemac": { "name": "GenerateMac", "description": "Grants permission to generate a MAC (Message Authentication Code) cryptogram", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "generatemacemvpinchange": { "name": "GenerateMacEmvPinChange", "description": "Grants permission to generate a MAC (Message Authentication Code) cryptogram", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "generatepindata": { "name": "GeneratePinData", "description": "Grants permission to generate pin-related data such as PIN, PIN Verification Value (PVV), PIN Block and PIN Offset during new card issuance or card re-issuance", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "getalias": { "name": "GetAlias", "description": "Grants permission to return the keyArn associated with an aliasName", "accessLevel": "Read", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] }, "getkey": { "name": "GetKey", "description": "Grants permission to return the detailed information about the specified key", "accessLevel": "Read", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "getparametersforexport": { "name": "GetParametersForExport", "description": "Grants permission to get the export token and the signing key certificate to initiate a TR-34 key export", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [], "dependentActions": [] }, "getparametersforimport": { "name": "GetParametersForImport", "description": "Grants permission to get the import token and the wrapping key certificate to initiate a TR-34 key import", "accessLevel": "Read", "resourceTypes": [], "conditionKeys": [], "dependentActions": [] }, "getpublickeycertificate": { "name": "GetPublicKeyCertificate", "description": "Grants permission to return the public key from a key of class PUBLIC_KEY", "accessLevel": "Read", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "importkey": { "name": "ImportKey", "description": "Grants permission to imports keys and public key certificates", "accessLevel": "Write", "resourceTypes": [], "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [ "payment-cryptography:TagResource" ] }, "listaliases": { "name": "ListAliases", "description": "Grants permission to return a list of aliases created for all keys in the caller's AWS account and Region", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [], "dependentActions": [] }, "listkeys": { "name": "ListKeys", "description": "Grants permission to return a list of keys created in the caller's AWS account and Region", "accessLevel": "List", "resourceTypes": [], "conditionKeys": [], "dependentActions": [] }, "listtagsforresource": { "name": "ListTagsForResource", "description": "Grants permission to return a list of tags created in the caller's AWS account and Region", "accessLevel": "Read", "resourceTypes": [ { "name": "key", "required": false, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "reencryptdata": { "name": "ReEncryptData", "description": "Grants permission to re-encrypt ciphertext using DUKPT, Symmetric and Asymmetric Data Encryption Keys", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "restorekey": { "name": "RestoreKey", "description": "Grants permission to cancel a scheduled key deletion if at any point during the waiting period a Key needs to be revived", "accessLevel": "Write", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "startkeyusage": { "name": "StartKeyUsage", "description": "Grants permission to enable a disabled Key", "accessLevel": "Write", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "stopkeyusage": { "name": "StopKeyUsage", "description": "Grants permission to disable an enabled Key", "accessLevel": "Write", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "tagresource": { "name": "TagResource", "description": "Grants permission to add or overwrites one or more tags for the specified resource", "accessLevel": "Tagging", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "aws:TagKeys", "aws:RequestTag/${TagKey}" ], "dependentActions": [] }, "translatepindata": { "name": "TranslatePinData", "description": "Grants permission to translate encrypted PIN block from and to ISO 9564 formats 0,1,3,4", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "untagresource": { "name": "UntagResource", "description": "Grants permission to remove the specified tag or tags from the specified resource", "accessLevel": "Tagging", "resourceTypes": [ { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "aws:TagKeys" ], "dependentActions": [] }, "updatealias": { "name": "UpdateAlias", "description": "Grants permission to change the key to which an alias is assigned, or unassign it from its current key", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [ "aws:RequestTag/${TagKey}", "aws:TagKeys" ], "dependentActions": [] }, "verifyauthrequestcryptogram": { "name": "VerifyAuthRequestCryptogram", "description": "Grants permission to verify Authorization Request Cryptogram (ARQC) for a EMV chip payment card authorization", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "verifycardvalidationdata": { "name": "VerifyCardValidationData", "description": "Grants permission to verify card-related validation data using algorithms such as Card Verification Values (CVV/CVV2), Dynamic Card Verification Values (dCVV/dCVV2) and Card Security Codes (CSC)", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "verifymac": { "name": "VerifyMac", "description": "Grants permission to verify MAC (Message Authentication Code) of input data against a provided MAC", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] }, "verifypindata": { "name": "VerifyPinData", "description": "Grants permission to verify pin-related data such as PIN and PIN Offset using algorithms including VISA PVV and IBM3624", "accessLevel": "Write", "resourceTypes": [ { "name": "alias", "required": true, "conditionKeys": [], "dependentActions": [] }, { "name": "key", "required": true, "conditionKeys": [], "dependentActions": [] } ], "conditionKeys": [], "dependentActions": [] } }