本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# AWS 支付密码学的操作、资源和条件密钥
AWS Payment Cryptography(服务前缀:`payment-cryptography`)提供以下特定于服务的资源、操作和条件上下文密钥,供在 IAM 权限策略中使用。
参考:
+ 了解如何[配置该服务](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/)。
+ 查看[适用于该服务的 API 操作列表](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/)。
+ 了解如何[使用 IAM](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/security-iam.html) 权限策略保护该服务及其资源。
**Topics**
+ [由 AWS 支付密码学定义的操作](#awspaymentcryptography-actions-as-permissions)
+ [由 AWS 支付密码学定义的资源类型](#awspaymentcryptography-resources-for-iam-policies)
+ [AWS 支付密码学的条件密钥](#awspaymentcryptography-policy-keys)
## 由 AWS 支付密码学定义的操作
您可以在 IAM 策略语句的 `Action` 元素中指定以下操作。可以使用策略授予在 AWS中执行操作的权限。您在策略中使用一项操作时,通常使用相同的名称允许或拒绝对 API 操作或 CLI 命令的访问。但在某些情况下,单一动作可控制对多项操作的访问。还有某些操作需要多种不同的动作。
操作表的**访问级别**列描述如何对操作进行分类(列出、读取、权限管理或标记)。此分类可以帮助您了解当您在策略中使用操作时,相应操作授予的访问级别。有关访问级别的更多信息,请参阅[策略摘要中的访问级别](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html)。
操作表的**资源类型**列指示每项操作是否支持资源级权限。如果该列没有任何值,您必须在策略语句的 `Resource` 元素中指定策略应用的所有资源(“\*”)。通过在 IAM policy 中使用条件来筛选访问权限,以控制是否可以在资源或请求中使用特定标签键。如果操作具有一个或多个必需资源,则调用方必须具有使用这些资源来使用该操作的权限。必需资源在表中以星号 (\*) 表示。如果您在 IAM policy 中使用 `Resource` 元素限制资源访问权限,则必须为每种必需的资源类型添加 ARN 或模式。某些操作支持多种资源类型。如果资源类型是可选的(未指示为必需),则可以选择使用一种可选资源类型。
操作表的**条件键**列包括可以在策略语句的 `Condition` 元素中指定的键。有关与服务资源关联的条件键的更多信息,请参阅资源类型表的**条件键**列。
操作表的**依赖操作**列显示成功调用操作可能需要的其他权限。除了操作本身的权限以外,可能还需要这些权限。若某个操作指定依赖操作,则这些依赖关系可能适用于为该操作定义的其他资源,而不仅仅是表中列出的第一个资源。
**注意**
资源条件键在[资源类型](#awspaymentcryptography-resources-for-iam-policies)表中列出。您可以在操作表的**资源类型(\* 为必需)**列中找到应用于某项操作的资源类型的链接。资源类型表中的资源类型包括**条件密钥**列,这是应用于操作表中操作的资源条件键。
有关下表中各列的详细信息,请参阅[操作表](reference_policies_actions-resources-contextkeys.html#actions_table)。
****
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_AddKeyReplicationRegions.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_AddKeyReplicationRegions.html) **
- **描述:** 授予向现有 AWS 支付加密密钥添加复制区域的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_AssociateMpaTeam.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_AssociateMpaTeam.html) **
- **描述:** 授予将 MPA 审批团队与付款加密操作关联的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-approval-team](#awspaymentcryptography-approval-team)
- **条件键:**
- **相关操作:** mpa:CancelSession
mpa:GetApprovalTeam
mpa:StartSession
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateAlias.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateAlias.html) **
- **描述:** 授予为密钥创建用户友好名称的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html) **
- **描述:** 授予在呼叫者和地区创建唯一的客户托管密钥 AWS 账户 的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):**
- **条件键:** [#awspaymentcryptography-aws_RequestTag___TagKey_](#awspaymentcryptography-aws_RequestTag___TagKey_)
[#awspaymentcryptography-aws_TagKeys](#awspaymentcryptography-aws_TagKeys)
[#awspaymentcryptography-payment-cryptography_KeyClass](#awspaymentcryptography-payment-cryptography_KeyClass)
[#awspaymentcryptography-payment-cryptography_KeyUsage](#awspaymentcryptography-payment-cryptography_KeyUsage)
[#awspaymentcryptography-payment-cryptography_KeyAlgorithm](#awspaymentcryptography-payment-cryptography_KeyAlgorithm)
- **相关操作:** payment-cryptography:TagResource
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_DecryptData.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_DecryptData.html) **
- **描述:** 授予使用对称、非对称或 DUKPT 数据加密密钥将加密文字数据解密为明文的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_DeleteAlias.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_DeleteAlias.html) **
- **描述:** 授予删除指定的 别名的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-aws_RequestTag___TagKey_](#awspaymentcryptography-aws_RequestTag___TagKey_)
[#awspaymentcryptography-aws_TagKeys](#awspaymentcryptography-aws_TagKeys) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_DeleteKey.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_DeleteKey.html) **
- **描述:** 授予计划删除密钥的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:** mpa:CancelSession
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_DeleteResourcePolicy.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_DeleteResourcePolicy.html) **
- **描述:** 授予删除附加到密钥的基于资源的策略的权限
- **访问级别:** 权限管理
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key)
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_DisableDefaultKeyReplicationRegions.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_DisableDefaultKeyReplicationRegions.html) **
- **描述:** 授予禁用账户级复制的默认密钥复制区域的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):**
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_DisassociateMpaTeam.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_DisassociateMpaTeam.html) **
- **描述:** 授予解除 MPA 审批团队与付款加密操作的关联的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-approval-team](#awspaymentcryptography-approval-team)
- **条件键:**
- **相关操作:** mpa:CancelSession
mpa:StartSession
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_EnableDefaultKeyReplicationRegions.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_EnableDefaultKeyReplicationRegions.html) **
- **描述:** 授予为账户级复制启用默认密钥复制区域的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):**
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_EncryptData.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_EncryptData.html) **
- **描述:** 授予使用对称、非对称或 DUKPT 数据加密密钥将明文数据加密为加密文字的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ExportKey.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ExportKey.html) **
- **描述:** 授予从服务导出密钥的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias)
[#awspaymentcryptography-payment-cryptography_CertificateAuthorityPublicKeyIdentifier](#awspaymentcryptography-payment-cryptography_CertificateAuthorityPublicKeyIdentifier)
[#awspaymentcryptography-payment-cryptography_WrappingKeyIdentifier](#awspaymentcryptography-payment-cryptography_WrappingKeyIdentifier) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_GenerateAs2805KekValidation.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_GenerateAs2805KekValidation.html) **
- **描述:** 允许使用澳大利亚标准 2805 (AS2805) KekValidationResponse 为支付处理节点之间的节点到节点初始化生成 KekValidationRequest 或
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_GenerateCardValidationData.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_GenerateCardValidationData.html) **
- **描述:** 授予使用诸如卡验证值 (CVV/CVV2)、动态卡验证值 () 或卡安全码 (CSC) 之类的算法生成与信用卡相关的数据的权限,这些算法可以检查磁条卡的有效性 dCVV/dCVV2
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_GenerateMac.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_GenerateMac.html) **
- **描述:** 授予生成 MAC(消息验证代码)密码的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_GenerateMacEmvPinChange.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_GenerateMacEmvPinChange.html) **
- **描述:** 授予生成 MAC(消息验证代码)密码的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_GeneratePinData.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_GeneratePinData.html) **
- **描述:** 授予在新卡发行或卡补发期间生成 PIN、PIN 验证值(PVV)、PIN 块和 PIN 偏移量等 PIN 相关数据的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetAlias.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetAlias.html) **
- **描述:** 授予返回与 aliasName 关联的 keyArn 的权限
- **访问级别:** 读取
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-aws_RequestTag___TagKey_](#awspaymentcryptography-aws_RequestTag___TagKey_)
[#awspaymentcryptography-aws_TagKeys](#awspaymentcryptography-aws_TagKeys) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetCertificateSigningRequest.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetCertificateSigningRequest.html) **
- **描述:** 授予从类为 PUBLIC\_KEY 的密钥返回公钥的证书签名请求的权限
- **访问级别:** 读取
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetDefaultKeyReplicationRegions.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetDefaultKeyReplicationRegions.html) **
- **描述:** 授予权限以检索在账户级别配置的默认密钥复制区域
- **访问级别:** 读取
- **资源类型(\* 为必需):**
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetKey.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetKey.html) **
- **描述:** 授予返回指定键相关详细信息的权限
- **访问级别:** 读取
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetMpaTeamAssociation.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetMpaTeamAssociation.html) **
- **描述:** 授予检索 MPA 批准团队关联信息的权限,以进行付款加密操作
- **访问级别:** 读取
- **资源类型(\* 为必需):** [#awspaymentcryptography-approval-team](#awspaymentcryptography-approval-team)
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForExport.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForExport.html) **
- **描述:** 授予获取导出令牌和签名密钥证书以启动 TR-34 密钥导出的权限
- **访问级别:** 读取
- **资源类型(\* 为必需):**
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForImport.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForImport.html) **
- **描述:** 授予获取导入令牌和包装密钥证书以启动密 TR-34 钥导入的权限
- **访问级别:** 读取
- **资源类型(\* 为必需):**
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html) **
- **描述:** 授予从 PUBLIC\_KEY 类密钥返回公有秘钥的权限
- **访问级别:** 读取
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetResourcePolicy.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetResourcePolicy.html) **
- **描述:** 授予检索附加到密钥的基于资源的策略的权限
- **访问级别:** 读取
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key)
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html) **
- **描述:** 授予导入密钥和公有秘钥证书的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):**
- **条件键:** [#awspaymentcryptography-aws_RequestTag___TagKey_](#awspaymentcryptography-aws_RequestTag___TagKey_)
[#awspaymentcryptography-aws_TagKeys](#awspaymentcryptography-aws_TagKeys)
[#awspaymentcryptography-payment-cryptography_ImportKeyMaterial](#awspaymentcryptography-payment-cryptography_ImportKeyMaterial)
[#awspaymentcryptography-payment-cryptography_CertificateAuthorityPublicKeyIdentifier](#awspaymentcryptography-payment-cryptography_CertificateAuthorityPublicKeyIdentifier)
[#awspaymentcryptography-payment-cryptography_WrappingKeyIdentifier](#awspaymentcryptography-payment-cryptography_WrappingKeyIdentifier)
- **相关操作:** mpa:StartSession
payment-cryptography:TagResource
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ListAliases.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ListAliases.html) **
- **描述:** 授予返回为调用方和区域中所有密钥创建的别名列表 AWS 账户 的权限
- **访问级别:** 列表
- **资源类型(\* 为必需):**
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ListKeys.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ListKeys.html) **
- **描述:** 授予返回在调用方 AWS 账户 和地区创建的密钥列表的权限
- **访问级别:** 列表
- **资源类型(\* 为必需):**
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ListTagsForResource.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ListTagsForResource.html) **
- **描述:** 授予返回在调用方 AWS 账户 和地区创建的标签列表的权限
- **访问级别:** 读取
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key)
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_PutResourcePolicy.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_PutResourcePolicy.html) **
- **描述:** 授予在密钥上附加或替换基于资源的策略的权限
- **访问级别:** 权限管理
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key)
- **条件键:**
- **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_ReEncryptData.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_ReEncryptData.html) **
- **描述:** 授予使用 DUKPT、对称和非对称数据加密秘钥重新加密加密文字的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_RemoveKeyReplicationRegions.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_RemoveKeyReplicationRegions.html) **
- **描述:** 授予从现有 AWS 支付加密密钥中删除复制区域的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_RestoreKey.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_RestoreKey.html) **
- **描述:** 授予如果在等待期间的任何时候需要恢复密钥则取消计划密钥删除的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_StartKeyUsage.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_StartKeyUsage.html) **
- **描述:** 授予启用已禁用密钥的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_StopKeyUsage.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_StopKeyUsage.html) **
- **描述:** 授予禁用已启用密钥的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_TagResource.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_TagResource.html) **
- **描述:** 授予为指定的资源添加或覆盖一个或多个标签的权限
- **访问级别:** 标签
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-aws_TagKeys](#awspaymentcryptography-aws_TagKeys)
[#awspaymentcryptography-aws_RequestTag___TagKey_](#awspaymentcryptography-aws_RequestTag___TagKey_) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_TranslateKeyMaterial.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_TranslateKeyMaterial.html) **
- **描述:** 授予翻译封装密钥的封装密钥类型的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_TranslatePinData.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_TranslatePinData.html) **
- **描述:** 授予将加密 PIN 块与 ISO 9564 格式 0、1、3、4 相互转换的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_UntagResource.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_UntagResource.html) **
- **描述:** 授予从指定资源中删除一个或多个指定标签的权限
- **访问级别:** 标签
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-aws_TagKeys](#awspaymentcryptography-aws_TagKeys) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_UpdateAlias.html](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_UpdateAlias.html) **
- **描述:** 授予更改已分配别名的密钥或从当前密钥取消别名分配的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-aws_RequestTag___TagKey_](#awspaymentcryptography-aws_RequestTag___TagKey_)
[#awspaymentcryptography-aws_TagKeys](#awspaymentcryptography-aws_TagKeys) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_VerifyAuthRequestCryptogram.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_VerifyAuthRequestCryptogram.html) **
- **描述:** 授予验证 EMV 芯片支付卡授权的授权请求加密(ARQC)的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_VerifyCardValidationData.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_VerifyCardValidationData.html) **
- **描述:** 授予使用信用卡验证值 (CVV/CVV2)、动态卡验证值 () 和信用卡安全码 (CSC) 等算法验证信用卡相关验证数据的权限 dCVV/dCVV2
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_VerifyMac.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_VerifyMac.html) **
- **描述:** 授予根据提供的 MAC 验证输入数据的 MAC(消息身份验证代码)的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
- ** [https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_VerifyPinData.html](https://docs.aws.amazon.com/payment-cryptography/latest/DataAPIReference/API_VerifyPinData.html) **
- **描述:** 授予使用包括 VISA PVV 和 IBM3624 在内的算法验证 PIN 和 PIN 偏移等密码相关数据的权限
- **访问级别:** 写入
- **资源类型(\* 为必需):** [#awspaymentcryptography-alias](#awspaymentcryptography-alias) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** [#awspaymentcryptography-key](#awspaymentcryptography-key) / **条件键:** / **相关操作:**
- **资源类型(\* 为必需):** / **条件键:** [#awspaymentcryptography-payment-cryptography_RequestAlias](#awspaymentcryptography-payment-cryptography_RequestAlias) / **相关操作:**
## 由 AWS 支付密码学定义的资源类型
以下资源类型是由该服务定义的,可以在 IAM 权限策略语句的 `Resource` 元素中使用这些资源类型。[操作表](#awspaymentcryptography-actions-as-permissions)中的每个操作指定了可以使用该操作指定的资源类型。您也可以在策略中包含条件键,从而定义资源类型。这些键显示在资源类型表的最后一列。有关下表中各列的详细信息,请参阅[资源类型表](reference_policies_actions-resources-contextkeys.html#resources_table)。
****
| 资源类型 | ARN | 条件键 |
| --- | --- | --- |
| [${APIReferenceDocPage}API_Key.html](${APIReferenceDocPage}API_Key.html) | arn:${Partition}:payment-cryptography:${Region}:${Account}:key/${KeyId} | [#awspaymentcryptography-aws_ResourceTag___TagKey_](#awspaymentcryptography-aws_ResourceTag___TagKey_)
[#awspaymentcryptography-payment-cryptography_ResourceAliases](#awspaymentcryptography-payment-cryptography_ResourceAliases) |
| [${APIReferenceDocPage}API_Alias.html](${APIReferenceDocPage}API_Alias.html) | arn:${Partition}:payment-cryptography:${Region}:${Account}:alias/${Alias} | [#awspaymentcryptography-payment-cryptography_ResourceAliases](#awspaymentcryptography-payment-cryptography_ResourceAliases) |
| [https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html](https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html) | arn:${Partition}:mpa:${Region}:${Account}:approval-team/${ApprovalTeamId} | [#awspaymentcryptography-aws_ResourceTag___TagKey_](#awspaymentcryptography-aws_ResourceTag___TagKey_) |
## AWS 支付密码学的条件密钥
AWS Payment Cryptography 定义了以下条件密钥,这些密钥可用于 IAM 策略的`Condition`元素。您可以使用这些键进一步细化应用策略语句的条件。有关下表中各列的详细信息,请参阅[条件键表](reference_policies_actions-resources-contextkeys.html#context_keys_table)。
要查看适用于所有服务的全局条件键,请参阅 [AWS 全局条件上下文键](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)。
****
| 条件键 | 描述 | Type |
| --- | --- | --- |
| [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) | 按指定操作请求中标签的键与值筛选访问权限 | 字符串 |
| [https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/security_iam_service-with-iam.html#security_iam_service-with-iam-tags](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/security_iam_service-with-iam.html#security_iam_service-with-iam-tags) | 按分配给指定操作的密钥的标签筛选访问权限 | 字符串 |
| [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) | 按指定操作请求中的标签键筛选访问权限 | ArrayOfString |
| [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html) | 按请求中 CertificateAuthorityPublicKeyIdentifier 指定的或和 ExportKey 操作筛选访问权限 ImportKey | 字符串 |
| [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html) | 按为 ImportKey 操作导入的密钥材料的类型 [RootCertificatePublicKey TrustedCertificatePublicKey、 Tr34KeyBlock、 Tr31KeyBlock、 DiffieHellmanTr31KeyBlock、 As2805KeyCryptogram、 KeyCryptogram] 筛选访问权限 | 字符串 |
| [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html) | 按 CreateKey 操作请求中 KeyAlgorithm 指定的方式筛选访问权限 | 字符串 |
| [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html) | 按 CreateKey 操作请求中 KeyClass 指定的方式筛选访问权限 | 字符串 |
| [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html) | 按请求中 KeyClass 指定的或与 CreateKey 操作的密钥关联来筛选访问权限 | 字符串 |
| [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html) | 按指定操作请求中的别名筛选访问权限 | 字符串 |
| [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html) | 按与指定操作的密钥关联的别名筛选访问权限 | ArrayOfString |
| [{ActionsDocRoot}security-iam.html]({ActionsDocRoot}security-iam.html) | 按请求中 WrappingKeyIdentifier 指定的 ImportKey、和 ExportKey 操作筛选访问权限 | 字符串 |