AWS payment-cryptography documentation change
Summary
Updated IAM references and corrected API documentation links for key management operations
Security assessment
Changes clarify IAM terminology and fix API links but do not introduce new security information or address vulnerabilities. The security controls described remain unchanged.
Diff
diff --git a/payment-cryptography/latest/userguide/pin-compliance-control-3.md b/payment-cryptography/latest/userguide/pin-compliance-control-3.md index d70adeb06..008be7527 100644 --- a//payment-cryptography/latest/userguide/pin-compliance-control-3.md +++ b//payment-cryptography/latest/userguide/pin-compliance-control-3.md @@ -9 +9 @@ _Requirement 8:_ Key conveyance with AWS Payment Cryptography was assessed as pa -Requirement 8-4 requires that public keys are conveyed in a manner that protects their integrity and authenticity. Conveyance between your application and AWS is controlled by the application’s authentication to AWS, using AWS IAM methods, AWS’ API end point authentication to the application via TLS server certificates. Additionally, public keys exported from or imported to AWS Payment Cryptography have certificates signed by ephemeral, customer-specific CAs (See [GetPublicKeyCertificate](https://docs.aws.amazon.com/cli/latest/APIReference/API_GetPublicKeyCertificate), [GetParametersForImport](https://docs.aws.amazon.com/cli/latest/APIReference/API_GetParametersForImport), and [GetParametersForExport](https://docs.aws.amazon.com/cli/latest/APIReference/API_GetParametersForExport)). These CAs cannot be used as the sole method of authentication, because they are not compliant with PCI PIN Security Annex A2. However, the certificates still provide integrity assurance for public keys with AWS IAM providing authentication. +Requirement 8-4 requires that public keys are conveyed in a manner that protects their integrity and authenticity. Conveyance between your application and AWS is controlled by the application’s authentication to AWS, using AWS Identity and Access Management methods, AWS’ API end point authentication to the application via TLS server certificates. Additionally, public keys exported from or imported to AWS Payment Cryptography have certificates signed by ephemeral, customer-specific CAs (See [GetPublicKeyCertificate](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate), [GetParametersForImport](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForImport), and [GetParametersForExport](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetParametersForExport)). These CAs cannot be used as the sole method of authentication, because they are not compliant with PCI PIN Security Annex A2. However, the certificates still provide integrity assurance for public keys with IAM providing authentication. @@ -17 +17 @@ _Requirement 10:_ The service enforces relative key strength of protecting keys -_Requirement 11:_ Documentation of your procedures must specify how keys are conveyed. Procedures for key conveyance using the AWS Payment Cryptography API should include use of roles with key import and export permissions and approvals for running scripts or other code that creates keys. AWS CloudTrail logs contain all [ImportKey](https://docs.aws.amazon.com/cli/latest/APIReference/API_ImportKey) and [ExportKey](https://docs.aws.amazon.com/cli/latest/APIReference/API_ExportKey) events. +_Requirement 11:_ Documentation of your procedures must specify how keys are conveyed. Procedures for key conveyance using the AWS Payment Cryptography API should include use of roles with key import and export permissions and approvals for running scripts or other code that creates keys. AWS CloudTrail logs contain all [ImportKey](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey) and [ExportKey](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ExportKey) events.