AWS cli documentation change
Summary
Updated documentation for the GenerateAs2805KekValidation command, including changes to navigation links, CLI version, command description, cross-account use policy, parameter definitions, syntax, and validation patterns. Added new 'RandomKeyMaxLength' parameter and clarified KEK validation request/response workflow.
Security assessment
The changes clarify security-related features like KEK validation processes and cross-account access via resource-based policies, but there's no evidence of addressing a specific security vulnerability. The added security documentation includes resource-based policy references and KEK validation details.
Diff
diff --git a/cli/latest/reference/payment-cryptography-data/generate-as2805-kek-validation.md b/cli/latest/reference/payment-cryptography-data/generate-as2805-kek-validation.md index ac13d0fa7..65d068033 100644 --- a//cli/latest/reference/payment-cryptography-data/generate-as2805-kek-validation.md +++ b//cli/latest/reference/payment-cryptography-data/generate-as2805-kek-validation.md @@ -13 +13 @@ - * [next](generate-card-validation-data.html "generate-card-validation-data") | + * [next](generate-auth-request-cryptogram.html "generate-auth-request-cryptogram") | @@ -15 +15 @@ - * [AWS CLI 2.34.49 Command Reference](../../index.html) » + * [AWS CLI 2.34.52 Command Reference](../../index.html) » @@ -23 +23 @@ - * [generate-card-validation-data →](generate-card-validation-data.html "next chapter \(use the right arrow\)") + * [generate-auth-request-cryptogram →](generate-auth-request-cryptogram.html "next chapter \(use the right arrow\)") @@ -59 +59 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c -Establishes node-to-node initialization between payment processing nodes such as an acquirer, issuer or payment network using Australian Standard 2805 (AS2805). +Generates a `KekValidationRequest` or a `KekValidationResponse` for node-to-node initialization between payment processing nodes using [Australian Standard 2805 (AS2805)](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/as2805.html) . @@ -63 +63,3 @@ During node-to-node initialization, both communicating nodes must validate that -The node initiating communication can use `GenerateAS2805KekValidation` to generate a combined KEK validation request and KEK validation response to send to the partnering node for validation. When invoked, the API internally generates a random sending key encrypted under KEKs and provides a receiving key encrypted under KEKr as response. The initiating node sends the response returned by this API to its partner for validation. +To use `GenerateAs2805KekValidation` to generate a KEK validation request, set `KekValidationType` to `KekValidationRequest` . This operation returns both `RandomKeySend` (KRs) and `RandomKeyReceive` (KRr) as response values. The partnering node receives the KRs, uses its KEKr to decrypt it, and generates a KRr which is an inverted value of KRs. The node receiving the KRr validates it against its own KRr generated during KEK validation request outside of Amazon Web Services Payment Cryptography. + +You can also use this operation to generate a KEK validation response, by setting `KekValidationType` to `KekValidationResponse` and providing the incoming KRs. This operation then calculates a KRr. To learn more about more about node-to-node initialization, see [Validation of KEK](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/as2805.kekvalidation.html) in the _Amazon Web Services Payment Cryptography User Guide_ . @@ -67 +69 @@ For information about valid keys for this operation, see [Understanding key attr -> **Cross-account use** : This operation can’t be used across different Amazon Web Services accounts. +> **Cross-account use** : This operation supports cross-account use when the key has a resource-based policy that grants access. For more information, see [Resource-based policies](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/security_iam_resource-based-policies.html) . @@ -117 +119 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/paymen -> Parameter information for generating a random key for KEK validation to perform node-to-node initialization. +> Defines whether to generate a KEK validation request or KEK validation response for node-to-node initialization. @@ -143,0 +146,12 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/paymen +>> +>> RandomKeyMaxLength -> (string) +>> +>>> The maximum length of the random key to generate for a KEK validation request. +>>> +>>> Possible values: +>>> +>>> * `BYTES_8` +>>> * `BYTES_16` +>>> * `BYTES_24` +>>> + @@ -151 +165 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/paymen ->>> The random key for generating a KEK validation response. +>>> The random key send value received from the initiating node to generate a KEK validation response. @@ -155 +169 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/paymen ->>> * min: `32` +>>> * min: `16` @@ -157 +171 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/paymen ->>> * pattern: `(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{48})` +>>> * pattern: `(?:[0-9a-fA-F]{16}|[0-9a-fA-F]{32}|[0-9a-fA-F]{48})` @@ -164 +178 @@ Shorthand Syntax: - KekValidationRequest={DeriveKeyAlgorithm=string},KekValidationResponse={RandomKeySend=string} + KekValidationRequest={DeriveKeyAlgorithm=string,RandomKeyMaxLength=string},KekValidationResponse={RandomKeySend=string} @@ -172 +186,2 @@ JSON Syntax: - "DeriveKeyAlgorithm": "TDES_2KEY"|"TDES_3KEY"|"AES_128"|"AES_192"|"AES_256"|"HMAC_SHA256"|"HMAC_SHA384"|"HMAC_SHA512"|"HMAC_SHA224" + "DeriveKeyAlgorithm": "TDES_2KEY"|"TDES_3KEY"|"AES_128"|"AES_192"|"AES_256"|"HMAC_SHA256"|"HMAC_SHA384"|"HMAC_SHA512"|"HMAC_SHA224", + "RandomKeyMaxLength": "BYTES_8"|"BYTES_16"|"BYTES_24" @@ -334 +349 @@ RandomKeySend -> (string) -> * min: `32` +> * min: `16` @@ -336 +351 @@ RandomKeySend -> (string) -> * pattern: `(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{48})` +> * pattern: `(?:[0-9a-fA-F]{16}|[0-9a-fA-F]{32}|[0-9a-fA-F]{48})` @@ -346 +361 @@ RandomKeyReceive -> (string) -> * min: `32` +> * min: `16` @@ -348 +363 @@ RandomKeyReceive -> (string) -> * pattern: `(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{48})` +> * pattern: `(?:[0-9a-fA-F]{16}|[0-9a-fA-F]{32}|[0-9a-fA-F]{48})` @@ -353 +368 @@ RandomKeyReceive -> (string) - * [generate-card-validation-data →](generate-card-validation-data.html "next chapter \(use the right arrow\)") + * [generate-auth-request-cryptogram →](generate-auth-request-cryptogram.html "next chapter \(use the right arrow\)") @@ -360 +375 @@ RandomKeyReceive -> (string) - * [next](generate-card-validation-data.html "generate-card-validation-data") | + * [next](generate-auth-request-cryptogram.html "generate-auth-request-cryptogram") | @@ -362 +377 @@ RandomKeyReceive -> (string) - * [AWS CLI 2.34.49 Command Reference](../../index.html) » + * [AWS CLI 2.34.52 Command Reference](../../index.html) »