Condition keys for NitroTPM
The following condition keys are specific to NitroTPM attestation:
kms:RecipientAttestation:NitroTPMPCR<PCR_ID>
Amazon KMS Condition Keys | Condition Type | Value type | API Operations | Policy Type
---|---|---|---|---
kms:RecipientAttestation:NitroTPMPCR<PCR_ID> | String | Single-valued | Decrypt, DeriveSharedSecret, GenerateDataKey, GenerateDataKeyPair, GenerateRandom | Key policies and IAM policies
The kms:RecipientAttestation:NitroTPMPCR<PCR_ID> condition key controls access to Decrypt, DeriveSharedSecret, GenerateDataKey, GenerateDataKeyPair, and GenerateRandom with a KMS key only when the platform configuration registers (PCRs) from the signed attestation document in the request match the PCRs in the condition key. This condition key is effective only when the Recipient parameter in the request specifies a signed attestation document from NitroTPM.

This value is also included in CloudTrail events that represent requests to Amazon KMS for NitroTPM.
To specify a PCR value, use the following format. Concatenate the PCR ID to the condition key name. The PCR value must be a lower-case hexadecimal string of up to 96 bytes.

"kms:RecipientAttestation:NitroTPMPCR<PCR_ID>": "<PCR_value>"

For example, the following condition key specifies a particular value for PCR4:

"kms:RecipientAttestation:NitroTPMPCR4": "abc1abcdef2abcdef3abcdef4abcdef5abcdef6abcdef7abcdef8abcdef9abcdef8abcdef7abcdef6abcdef5abcdef4abcdef3abcdef2abcdef1abcdef0abcde"
The following example key policy statement allows the data-processing role to use the KMS key for the Decrypt operation. The kms:RecipientAttestation:NitroTPMPCR4 condition key in this statement allows the operation only when the PCR4 value in the signed attestation document in the request matches the kms:RecipientAttestation:NitroTPMPCR4 value in the condition. Use the StringEqualsIgnoreCase policy operator to require a case-insensitive comparison of the PCR values. If the request does not include an attestation document, the request carries no NitroTPMPCR condition keys, so the condition is not satisfied and permission is denied.
{
  "Sid": "Enable NitroTPM data processing",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/data-processing"
  },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEqualsIgnoreCase": {
      "kms:RecipientAttestation:NitroTPMPCR4": "abc1de4f2dcf774f6e3b679f62e5f120065b2e408dcea327bd1c9dddaea6664e7af7935581474844767453082c6f1586116376cede396a30a39a611b9aad7966c87"
    }
  }
}
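The following is an added example, not AWS code: an offline model of the PCR condition key format and of how the key policy statement above is evaluated. The functions condition_key, validate_pcr_value, build_allow_statement and statement_allows are hypothetical helpers written for this page; the evaluation model is a simplification (one Allow statement, no principal matching, no Deny statements), and the "attestation document" is a constructed dict of PCR index to hex value, whereas a real request carries a signed document in the Recipient parameter that KMS verifies before reading PCRs. It reuses the PCR4 value from the policy example above as sample data.

```python
# Added example (not AWS code): model of kms:RecipientAttestation:NitroTPMPCR<PCR_ID>
# condition key construction and evaluation. The attestation "document" below is a
# constructed dict of PCR index -> hex string; in a real request KMS verifies the
# signed document passed in the Recipient parameter before reading PCR values from it.
import re

CONDITION_KEY_PREFIX = "kms:RecipientAttestation:NitroTPMPCR"
LOWER_HEX = re.compile(r"^[0-9a-f]+$")

# PCR4 value taken from the page's policy example, used here as sample data.
SAMPLE_PCR4 = (
    "abc1de4f2dcf774f6e3b679f62e5f120065b2e408dcea327bd1c9dddaea6664e7af79"
    "35581474844767453082c6f1586116376cede396a30a39a611b9aad7966c87"
)


def condition_key(pcr_id: int) -> str:
    """Concatenate the PCR ID to the condition key name (hypothetical helper)."""
    return f"{CONDITION_KEY_PREFIX}{pcr_id}"


def validate_pcr_value(value: str) -> str:
    """Enforce the documented format for a PCR value written into a policy:
    a lower-case hexadecimal string. Reject anything else up front instead of
    letting a stray upper-case or non-hex character silently fail to match."""
    if not LOWER_HEX.fullmatch(value):
        raise ValueError(f"PCR value must be lower-case hex: {value!r}")
    return value


def build_allow_statement(principal_arn: str, pcr_values: dict, actions=("kms:Decrypt",)) -> dict:
    """Build an Allow statement requiring every given PCR to match.
    Keys inside one StringEqualsIgnoreCase block are ANDed and each key is
    single-valued, so a multi-PCR requirement is one key per PCR, not a list."""
    condition = {condition_key(i): validate_pcr_value(v) for i, v in pcr_values.items()}
    return {
        "Sid": "Enable NitroTPM data processing",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": list(actions),
        "Resource": "*",
        "Condition": {"StringEqualsIgnoreCase": condition},
    }


def request_condition_keys(attestation_pcrs) -> dict:
    """Condition keys a request carries. With no NitroTPM attestation document
    in the Recipient parameter, the request has no NitroTPMPCR keys at all."""
    if attestation_pcrs is None:
        return {}
    return {condition_key(i): v for i, v in attestation_pcrs.items()}


def statement_allows(statement: dict, action: str, attestation_pcrs) -> bool:
    """Simplified evaluation of one Allow statement (hypothetical model):
    the action must be covered and every condition key must be present in the
    request and match case-insensitively. A missing key never satisfies the
    condition, which is why a request without an attestation document is denied."""
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if action not in actions:
        return False
    required = statement.get("Condition", {}).get("StringEqualsIgnoreCase", {})
    present = request_condition_keys(attestation_pcrs)
    for key, expected in required.items():
        actual = present.get(key)
        if actual is None or actual.lower() != expected.lower():
            return False
    return True


if __name__ == "__main__":
    stmt = build_allow_statement("arn:aws:iam::111122223333:role/data-processing", {4: SAMPLE_PCR4})
    print(statement_allows(stmt, "kms:Decrypt", {4: SAMPLE_PCR4}))            # matching PCR4: True
    print(statement_allows(stmt, "kms:Decrypt", {4: SAMPLE_PCR4.upper()}))    # case ignored: True
    print(statement_allows(stmt, "kms:Decrypt", None))                         # no attestation: False
    print(statement_allows(stmt, "kms:Decrypt", {4: "00" + SAMPLE_PCR4[2:]}))  # other PCR4: False
```

The two cases worth noticing are the last two: a request with no attestation document fails closed because the condition key is simply absent, and a request whose measured PCR4 differs in even one byte fails the match. Pinning more than one PCR is done by adding more NitroTPMPCR<PCR_ID> keys to the same StringEqualsIgnoreCase block, and all of them must match.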