AWS Security ChangesHomeSearch

AWS payment-cryptography medium security documentation change

Service: payment-cryptography · 2025-11-13 · Security-related medium

File: payment-cryptography/latest/DataAPIReference/API_GenerateMac.md

Summary

Modified key usage requirements (removed 'Verify' from KeyModesOfUse) and increased maximum length for a field.

Security assessment

Removing 'Verify' from KeyModesOfUse for MAC generation keys could prevent unintended verification misuse, addressing a potential security misconfiguration. This is a direct security-related change.

Diff

diff --git a/payment-cryptography/latest/DataAPIReference/API_GenerateMac.md b/payment-cryptography/latest/DataAPIReference/API_GenerateMac.md
index 74e1c6abb..b15c61328 100644
--- a//payment-cryptography/latest/DataAPIReference/API_GenerateMac.md
+++ b//payment-cryptography/latest/DataAPIReference/API_GenerateMac.md
@@ -13 +13 @@ You can use this operation to authenticate card-related data by using known data
-You can use this operation to generate a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for `KeyUsage` such as `TR31_M7_HMAC_KEY` for HMAC generation, and they key must have `KeyModesOfUse` set to `Generate` and `Verify`.
+You can use this operation to generate a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for `KeyUsage` such as `TR31_M7_HMAC_KEY` for HMAC generation, and the key must have `KeyModesOfUse` set to `Generate`.
@@ -89 +89 @@ Type: String
-Length Constraints: Minimum length of 2. Maximum length of 4096.
+Length Constraints: Minimum length of 2. Maximum length of 8192.