{
"aws:requesttag/${tagkey}": {
"key": "aws:RequestTag/${TagKey}",
"description": "Filters access to the specified AWS KMS operations based on both the key and value of the tag in the request",
"type": "String"
},
"aws:resourcetag/${tagkey}": {
"key": "aws:ResourceTag/${TagKey}",
"description": "Filters access to the specified AWS KMS operations based on tags assigned to the AWS KMS key",
"type": "String"
},
"aws:tagkeys": {
"key": "aws:TagKeys",
"description": "Filters access to the specified AWS KMS operations based on tag keys in the request",
"type": "ArrayOfString"
},
"kms:bypasspolicylockoutsafetycheck": {
"key": "kms:BypassPolicyLockoutSafetyCheck",
"description": "Filters access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request",
"type": "Bool"
},
"kms:calleraccount": {
"key": "kms:CallerAccount",
"description": "Filters access to specified AWS KMS operations based on the AWS account ID of the caller. You can use this condition key to allow or deny access to all IAM users and roles in an AWS account in a single policy statement",
"type": "String"
},
"kms:customermasterkeyspec": {
"key": "kms:CustomerMasterKeySpec",
"description": "The kms:CustomerMasterKeySpec condition key is deprecated. Instead, use the kms:KeySpec condition key",
"type": "String"
},
"kms:customermasterkeyusage": {
"key": "kms:CustomerMasterKeyUsage",
"description": "The kms:CustomerMasterKeyUsage condition key is deprecated. Instead, use the kms:KeyUsage condition key",
"type": "String"
},
"kms:datakeypairspec": {
"key": "kms:DataKeyPairSpec",
"description": "Filters access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the KeyPairSpec parameter in the request",
"type": "String"
},
"kms:encryptionalgorithm": {
"key": "kms:EncryptionAlgorithm",
"description": "Filters access to encryption operations based on the value of the encryption algorithm in the request",
"type": "String"
},
"kms:encryptioncontext:${encryptioncontextkey}": {
"key": "kms:EncryptionContext:${EncryptionContextKey}",
"description": "Filters access to a symmetric AWS KMS key based on the encryption context in a cryptographic operation. This condition evaluates the key and value in each key-value encryption context pair",
"type": "String"
},
"kms:encryptioncontextkeys": {
"key": "kms:EncryptionContextKeys",
"description": "Filters access to a symmetric AWS KMS key based on the encryption context in a cryptographic operation. This condition key evaluates only the key in each key-value encryption context pair",
"type": "ArrayOfString"
},
"kms:expirationmodel": {
"key": "kms:ExpirationModel",
"description": "Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request",
"type": "String"
},
"kms:grantconstrainttype": {
"key": "kms:GrantConstraintType",
"description": "Filters access to the CreateGrant operation based on the grant constraint in the request",
"type": "String"
},
"kms:grantisforawsresource": {
"key": "kms:GrantIsForAWSResource",
"description": "Filters access to the CreateGrant operation when the request comes from a specified AWS service",
"type": "Bool"
},
"kms:grantoperations": {
"key": "kms:GrantOperations",
"description": "Filters access to the CreateGrant operation based on the operations in the grant",
"type": "ArrayOfString"
},
"kms:granteeprincipal": {
"key": "kms:GranteePrincipal",
"description": "Filters access to the CreateGrant operation based on the grantee principal in the grant",
"type": "String"
},
"kms:keyagreementalgorithm": {
"key": "kms:KeyAgreementAlgorithm",
"description": "Filters access to the DeriveSharedSecret operation based on the value of the KeyAgreementAlgorithm parameter in the request",
"type": "String"
},
"kms:keyorigin": {
"key": "kms:KeyOrigin",
"description": "Filters access to an API operation based on the Origin property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key",
"type": "String"
},
"kms:keyspec": {
"key": "kms:KeySpec",
"description": "Filters access to an API operation based on the KeySpec property of the AWS KMS key that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource",
"type": "String"
},
"kms:keyusage": {
"key": "kms:KeyUsage",
"description": "Filters access to an API operation based on the KeyUsage property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource",
"type": "String"
},
"kms:macalgorithm": {
"key": "kms:MacAlgorithm",
"description": "Filters access to the GenerateMac and VerifyMac operations based on the MacAlgorithm parameter in the request",
"type": "String"
},
"kms:messagetype": {
"key": "kms:MessageType",
"description": "Filters access to the Sign and Verify operations based on the value of the MessageType parameter in the request",
"type": "String"
},
"kms:multiregion": {
"key": "kms:MultiRegion",
"description": "Filters access to an API operation based on the MultiRegion property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource",
"type": "Bool"
},
"kms:multiregionkeytype": {
"key": "kms:MultiRegionKeyType",
"description": "Filters access to an API operation based on the MultiRegionKeyType property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource",
"type": "String"
},
"kms:primaryregion": {
"key": "kms:PrimaryRegion",
"description": "Filters access to the UpdatePrimaryRegion operation based on the value of the PrimaryRegion parameter in the request",
"type": "String"
},
"kms:reencryptonsamekey": {
"key": "kms:ReEncryptOnSameKey",
"description": "Filters access to the ReEncrypt operation when it uses the same AWS KMS key that was used for the Encrypt operation",
"type": "Bool"
},
"kms:recipientattestation:imagesha384": {
"key": "kms:RecipientAttestation:ImageSha384",
"description": "Filters access to the API operations based on the image hash in the attestation document in the request",
"type": "String"
},
"kms:recipientattestation:pcr0": {
"key": "kms:RecipientAttestation:PCR0",
"description": "Filters access by the platform configuration register (PCR) 0 in the attestation document. PCR0 is a contiguous measure of the contents of the enclave image file, without the section data",
"type": "String"
},
"kms:recipientattestation:pcr1": {
"key": "kms:RecipientAttestation:PCR1",
"description": "Filters access by the platform configuration register (PCR) 1 in the attestation document. PCR1 is a contiguous measurement of the Linux kernel and bootstrap data",
"type": "String"
},
"kms:recipientattestation:pcr10": {
"key": "kms:RecipientAttestation:PCR10",
"description": "Filters access by the platform configuration register (PCR) 10 in the attestation document in the request. PCR10 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr11": {
"key": "kms:RecipientAttestation:PCR11",
"description": "Filters access by the platform configuration register (PCR) 11 in the attestation document in the request. PCR11 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr12": {
"key": "kms:RecipientAttestation:PCR12",
"description": "Filters access by the platform configuration register (PCR) 12 in the attestation document in the request. PCR12 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr13": {
"key": "kms:RecipientAttestation:PCR13",
"description": "Filters access by the platform configuration register (PCR) 13 in the attestation document in the request. PCR13 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr14": {
"key": "kms:RecipientAttestation:PCR14",
"description": "Filters access by the platform configuration register (PCR) 14 in the attestation document in the request. PCR14 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr15": {
"key": "kms:RecipientAttestation:PCR15",
"description": "Filters access by the platform configuration register (PCR) 15 in the attestation document in the request. PCR15 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr16": {
"key": "kms:RecipientAttestation:PCR16",
"description": "Filters access by the platform configuration register (PCR) 16 in the attestation document in the request. PCR16 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr17": {
"key": "kms:RecipientAttestation:PCR17",
"description": "Filters access by the platform configuration register (PCR) 17 in the attestation document in the request. PCR17 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr18": {
"key": "kms:RecipientAttestation:PCR18",
"description": "Filters access by the platform configuration register (PCR) 18 in the attestation document in the request. PCR18 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr19": {
"key": "kms:RecipientAttestation:PCR19",
"description": "Filters access by the platform configuration register (PCR) 19 in the attestation document in the request. PCR19 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr2": {
"key": "kms:RecipientAttestation:PCR2",
"description": "Filters access by the platform configuration register (PCR) 2 in the attestation document. PCR2 is a contiguous, in-order measurement of the user applications, without the boot ramfs",
"type": "String"
},
"kms:recipientattestation:pcr20": {
"key": "kms:RecipientAttestation:PCR20",
"description": "Filters access by the platform configuration register (PCR) 20 in the attestation document in the request. PCR20 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr21": {
"key": "kms:RecipientAttestation:PCR21",
"description": "Filters access by the platform configuration register (PCR) 21 in the attestation document in the request. PCR21 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr22": {
"key": "kms:RecipientAttestation:PCR22",
"description": "Filters access by the platform configuration register (PCR) 22 in the attestation document in the request. PCR22 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr23": {
"key": "kms:RecipientAttestation:PCR23",
"description": "Filters access by the platform configuration register (PCR) 23 in the attestation document in the request. PCR23 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr24": {
"key": "kms:RecipientAttestation:PCR24",
"description": "Filters access by the platform configuration register (PCR) 24 in the attestation document in the request. PCR24 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr25": {
"key": "kms:RecipientAttestation:PCR25",
"description": "Filters access by the platform configuration register (PCR) 25 in the attestation document in the request. PCR25 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr26": {
"key": "kms:RecipientAttestation:PCR26",
"description": "Filters access by the platform configuration register (PCR) 26 in the attestation document in the request. PCR26 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr27": {
"key": "kms:RecipientAttestation:PCR27",
"description": "Filters access by the platform configuration register (PCR) 27 in the attestation document in the request. PCR27 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr28": {
"key": "kms:RecipientAttestation:PCR28",
"description": "Filters access by the platform configuration register (PCR) 28 in the attestation document in the request. PCR28 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr29": {
"key": "kms:RecipientAttestation:PCR29",
"description": "Filters access by the platform configuration register (PCR) 29 in the attestation document in the request. PCR29 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr3": {
"key": "kms:RecipientAttestation:PCR3",
"description": "Filters access by the platform configuration register (PCR) 3 in the attestation document. PCR3 is a contiguous measurement of the IAM role assigned to the parent instance",
"type": "String"
},
"kms:recipientattestation:pcr30": {
"key": "kms:RecipientAttestation:PCR30",
"description": "Filters access by the platform configuration register (PCR) 30 in the attestation document in the request. PCR30 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr31": {
"key": "kms:RecipientAttestation:PCR31",
"description": "Filters access by the platform configuration register (PCR) 31 in the attestation document in the request. PCR31 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr4": {
"key": "kms:RecipientAttestation:PCR4",
"description": "Filters access by the platform configuration register (PCR) 4 in the attestation document. PCR4 is a contiguous measurement of the ID of the parent instance",
"type": "String"
},
"kms:recipientattestation:pcr5": {
"key": "kms:RecipientAttestation:PCR5",
"description": "Filters access by the platform configuration register (PCR) 5 in the attestation document in the request. PCR5 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr6": {
"key": "kms:RecipientAttestation:PCR6",
"description": "Filters access by the platform configuration register (PCR) 6 in the attestation document in the request. PCR6 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr7": {
"key": "kms:RecipientAttestation:PCR7",
"description": "Filters access by the platform configuration register (PCR) 7 in the attestation document in the request. PCR7 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:recipientattestation:pcr8": {
"key": "kms:RecipientAttestation:PCR8",
"description": "Filters access by the platform configuration register (PCR) 8 in the attestation document. PCR8 is a measure of the signing certificate specified for the enclave image file",
"type": "String"
},
"kms:recipientattestation:pcr9": {
"key": "kms:RecipientAttestation:PCR9",
"description": "Filters access by the platform configuration register (PCR) 9 in the attestation document in the request. PCR9 is a custom PCR that can be defined by the user for specific use cases",
"type": "String"
},
"kms:replicaregion": {
"key": "kms:ReplicaRegion",
"description": "Filters access to the ReplicateKey operation based on the value of the ReplicaRegion parameter in the request",
"type": "String"
},
"kms:requestalias": {
"key": "kms:RequestAlias",
"description": "Filters access to cryptographic operations, DescribeKey, and GetPublicKey based on the alias in the request",
"type": "String"
},
"kms:resourcealiases": {
"key": "kms:ResourceAliases",
"description": "Filters access to specified AWS KMS operations based on aliases associated with the AWS KMS key",
"type": "ArrayOfString"
},
"kms:retiringprincipal": {
"key": "kms:RetiringPrincipal",
"description": "Filters access to the CreateGrant operation based on the retiring principal in the grant",
"type": "String"
},
"kms:rotationperiodindays": {
"key": "kms:RotationPeriodInDays",
"description": "Filters access to the EnableKeyRotation operation based on the value of the RotationPeriodInDays parameter in the request",
"type": "Numeric"
},
"kms:schedulekeydeletionpendingwindowindays": {
"key": "kms:ScheduleKeyDeletionPendingWindowInDays",
"description": "Filters access to the ScheduleKeyDeletion operation based on the value of the PendingWindowInDays parameter in the request",
"type": "Numeric"
},
"kms:signingalgorithm": {
"key": "kms:SigningAlgorithm",
"description": "Filters access to the Sign and Verify operations based on the signing algorithm in the request",
"type": "String"
},
"kms:validto": {
"key": "kms:ValidTo",
"description": "Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. You can use this condition key to allow users to import key material only when it expires by the specified date",
"type": "Date"
},
"kms:viaservice": {
"key": "kms:ViaService",
"description": "Filters access when a request made on the principal's behalf comes from a specified AWS service",
"type": "String"
},
"kms:wrappingalgorithm": {
"key": "kms:WrappingAlgorithm",
"description": "Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request",
"type": "String"
},
"kms:wrappingkeyspec": {
"key": "kms:WrappingKeySpec",
"description": "Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request",
"type": "String"
}
}