{
  "acm:certificateauthority": {
    "key": "acm:CertificateAuthority",
    "description": "Filters access by certificateAuthority in the request. Can be used to restrict which Certificate Authorites certificates can be issued from",
    "type": "String"
  },
  "acm:certificatetransparencylogging": {
    "key": "acm:CertificateTransparencyLogging",
    "description": "Filters access by certificateTransparencyLogging option in the request. Default 'ENABLED' if no key is present in the request",
    "type": "String"
  },
  "acm:domainnames": {
    "key": "acm:DomainNames",
    "description": "Filters access by domainNames in the request. This key can be used to restrict which domains can be in certificate requests",
    "type": "ArrayOfString"
  },
  "acm:export": {
    "key": "acm:Export",
    "description": "Filters access by the export option in the request. Can be used to restrict creation of certificates that can be exported",
    "type": "String"
  },
  "acm:keyalgorithm": {
    "key": "acm:KeyAlgorithm",
    "description": "Filters access by keyAlgorithm in the request",
    "type": "String"
  },
  "acm:validationmethod": {
    "key": "acm:ValidationMethod",
    "description": "Filters access by validationMethod in the request. Default 'EMAIL' if no key is present in the request",
    "type": "String"
  },
  "aws:requesttag/${tagkey}": {
    "key": "aws:RequestTag/${TagKey}",
    "description": "Filters access by the presence of tag key-value pairs in the request",
    "type": "String"
  },
  "aws:resourcetag/${tagkey}": {
    "key": "aws:ResourceTag/${TagKey}",
    "description": "Filters access by tag key-value pairs attached to the resource",
    "type": "String"
  },
  "aws:tagkeys": {
    "key": "aws:TagKeys",
    "description": "Filters access by the presence of tag keys in the request",
    "type": "ArrayOfString"
  }
}