CancelKeyDeletion

# Template for matching a CancelKeyDeletion request on its KeyId and the
# ProviderMetadata fields. STRING is not defined on this page — presumably a
# type placeholder to be replaced with a concrete value; confirm before use.
# Every section of this page names its rule `valid`; same-named rules in one
# Rego package are OR-ed together, so keep each template in its own package
# (or rename the rule) to avoid one operation's match allowing another.
valid {
    input.Body.KeyId == STRING
    # NOTE(review): confirm which component populates ProviderMetadata before
    # basing a decision on it.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ConnectCustomKeyStore

# Template for matching a ConnectCustomKeyStore request on its
# CustomKeyStoreId and the ProviderMetadata fields. STRING is not defined on
# this page — presumably a type placeholder; confirm before use.
valid {
    input.Body.CustomKeyStoreId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateAlias

# Template for matching a CreateAlias request. STRING is not defined on this
# page — presumably a type placeholder; confirm before use.
valid {
    input.Body.AliasName == STRING
    # An alias decides which key a caller reaches by name, so a guardrail
    # would usually pin TargetKeyId (and Account) to explicit values.
    input.Body.TargetKeyId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateCustomKeyStore

# Template for matching a CreateCustomKeyStore request. STRING is not defined
# on this page — presumably a type placeholder; confirm before use.
# enum_XksProxyConnectivityType is defined again under UpdateCustomKeyStore;
# a second `:=` for the same name in one package is a compile error.
enum_CustomKeyStoreType := [ "AWS_CLOUDHSM", "EXTERNAL_KEY_STORE" ]
enum_XksProxyConnectivityType := [ "PUBLIC_ENDPOINT", "VPC_ENDPOINT_SERVICE" ]

# All expressions in a rule body must hold, so as written this needs every
# field at once, CloudHSM and XKS-proxy fields together. Presumably the
# template lists everything the request can carry; keep only the lines the
# policy should constrain.
valid {
    input.Body.CustomKeyStoreName == STRING
    input.Body.CloudHsmClusterId == STRING
    input.Body.TrustAnchorCertificate == STRING
    # NOTE(review): by name a secret. If the engine records its input (for
    # example OPA decision logs), mask this path.
    input.Body.KeyStorePassword == STRING
    # `x == list[_]` holds when x equals any one element of the list.
    input.Body.CustomKeyStoreType == enum_CustomKeyStoreType[_]
    input.Body.XksProxyUriEndpoint == STRING
    input.Body.XksProxyUriPath == STRING
    input.Body.XksProxyVpcEndpointServiceName == STRING
    input.Body.XksProxyAuthenticationCredential.AccessKeyId == STRING
    # NOTE(review): by name a secret credential; same masking concern.
    input.Body.XksProxyAuthenticationCredential.RawSecretAccessKey == STRING
    input.Body.XksProxyConnectivity == enum_XksProxyConnectivityType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateGrant

# Template for matching a CreateGrant request. STRING and BOOLEAN are not
# defined on this page — presumably type placeholders; confirm before use.
enum_GrantOperation := [ "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac" ]

valid {
    input.Body.KeyId == STRING
    input.Body.GranteePrincipal == STRING
    input.Body.RetiringPrincipal == STRING
    # The two `_` are independent, so this holds as soon as ANY requested
    # operation equals ANY list entry. It does not prove that every
    # requested operation is in the list; a rule meant to cap what a grant
    # may delegate needs an "all elements" check (`every`, or negating a
    # "some element not in the list" helper).
    input.Body.Operations[_] == enum_GrantOperation[_]
    # `.STRING` in the path presumably stands for an encryption-context key
    # name — confirm.
    input.Body.Constraints.EncryptionContextSubset.STRING == STRING
    input.Body.Constraints.EncryptionContextEquals.STRING == STRING
    input.Body.GrantTokens[_] == STRING
    input.Body.Name == STRING
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateKey

# Template for matching a CreateKey request. STRING and BOOLEAN are not
# defined on this page — presumably type placeholders; confirm before use.
# The two key-spec lists below hold the same values. NOTE(review): the AWS
# API reference marks CustomerMasterKeySpec as deprecated in favour of
# KeySpec — verify, and constrain both if either is accepted.
enum_CustomerMasterKeySpec := [ "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2" ]
enum_KeySpec := [ "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512", "SM2" ]
enum_KeyUsageType := [ "SIGN_VERIFY", "ENCRYPT_DECRYPT", "GENERATE_VERIFY_MAC" ]
enum_OriginType := [ "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM", "EXTERNAL_KEY_STORE" ]

# All expressions in a rule body must hold, so as written every field below
# has to be present. Presumably the template lists everything the request
# can carry; keep only the lines the policy should constrain.
valid {
    # Policy is compared as one string. Constraining individual statements
    # would need the text parsed first (presumably JSON — confirm).
    input.Body.Policy == STRING
    input.Body.Description == STRING
    input.Body.KeyUsage == enum_KeyUsageType[_]
    input.Body.CustomerMasterKeySpec == enum_CustomerMasterKeySpec[_]
    input.Body.KeySpec == enum_KeySpec[_]
    # Origin decides where key material lives; narrow the list to the
    # origins the organisation actually permits.
    input.Body.Origin == enum_OriginType[_]
    input.Body.CustomKeyStoreId == STRING
    # NOTE(review): per the AWS KMS API reference, true skips the check that
    # keeps the key policy manageable; a guardrail would normally require
    # false here — confirm.
    input.Body.BypassPolicyLockoutSafetyCheck == BOOLEAN
    # Each `_` is a separate wildcard: these two lines can be satisfied by
    # different Tags entries. Bind one index (`some i`) to test a key/value
    # pair on the same tag.
    input.Body.Tags[_].TagKey == STRING
    input.Body.Tags[_].TagValue == STRING
    input.Body.MultiRegion == BOOLEAN
    input.Body.XksKeyId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

Decrypt

# Template for matching a Decrypt request. STRING, BLOB and BOOLEAN are not
# defined on this page — presumably type placeholders; confirm before use.
# Both lists are defined again in later sections of this page; a second `:=`
# for the same name in one package is a compile error.
# The algorithm list includes the SHA-1 based RSAES_OAEP_SHA_1; narrow it if
# the baseline excludes SHA-1.
enum_EncryptionAlgorithmSpec := [ "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE" ]
enum_KeyEncryptionMechanism := [ "RSAES_OAEP_SHA_256" ]

valid {
    input.Body.CiphertextBlob == BLOB
    # `.STRING` in the path presumably stands for an encryption-context key
    # name — confirm.
    input.Body.EncryptionContext.STRING == STRING
    input.Body.GrantTokens[_] == STRING
    # Requiring KeyId here ties the decision to an explicit key.
    input.Body.KeyId == STRING
    input.Body.EncryptionAlgorithm == enum_EncryptionAlgorithmSpec[_]
    input.Body.Recipient.KeyEncryptionAlgorithm == enum_KeyEncryptionMechanism[_]
    # NOTE(review): Recipient.* presumably carries an enclave attestation
    # document — confirm; matching the BLOB here does not verify it.
    input.Body.Recipient.AttestationDocument == BLOB
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteAlias

# Template for matching a DeleteAlias request on its AliasName and the
# ProviderMetadata fields. STRING is not defined on this page — presumably a
# type placeholder; confirm before use.
valid {
    input.Body.AliasName == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteCustomKeyStore

# Template for matching a DeleteCustomKeyStore request on its
# CustomKeyStoreId and the ProviderMetadata fields. STRING is not defined on
# this page — presumably a type placeholder; confirm before use.
valid {
    # Destructive by name: pin this to explicit store ids rather than leaving
    # it unconstrained.
    input.Body.CustomKeyStoreId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteImportedKeyMaterial

# Template for matching a DeleteImportedKeyMaterial request on its KeyId and
# the ProviderMetadata fields. STRING is not defined on this page —
# presumably a type placeholder; confirm before use.
valid {
    # Destructive by name: pin this to explicit key ids rather than leaving
    # it unconstrained.
    input.Body.KeyId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeCustomKeyStores

# Template for matching a DescribeCustomKeyStores request. STRING and INTEGER
# are not defined on this page — presumably type placeholders; confirm.
# All expressions in a rule body must hold, so as written both the id and
# the name filter, plus the paging fields, must be present; keep only the
# lines the policy should constrain.
valid {
    input.Body.CustomKeyStoreId == STRING
    input.Body.CustomKeyStoreName == STRING
    input.Body.Limit == INTEGER
    input.Body.Marker == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeKey

# Template for matching a DescribeKey request. STRING is not defined on this
# page — presumably a type placeholder; confirm before use.
valid {
    input.Body.KeyId == STRING
    # Holds when any one GrantTokens element equals the value.
    input.Body.GrantTokens[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DisableKey

# Template for matching a DisableKey request on its KeyId and the
# ProviderMetadata fields. STRING is not defined on this page — presumably a
# type placeholder; confirm before use.
valid {
    # Disabling a key affects everything encrypted under it; pin this to
    # explicit key ids rather than leaving it unconstrained.
    input.Body.KeyId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DisableKeyRotation

# Template for matching a DisableKeyRotation request on its KeyId and the
# ProviderMetadata fields. STRING is not defined on this page — presumably a
# type placeholder; confirm before use.
valid {
    # Turning rotation off weakens key hygiene; a guardrail may want to
    # restrict which keys and accounts this can match.
    input.Body.KeyId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DisconnectCustomKeyStore

# Template for matching a DisconnectCustomKeyStore request on its
# CustomKeyStoreId and the ProviderMetadata fields. STRING is not defined on
# this page — presumably a type placeholder; confirm before use.
valid {
    input.Body.CustomKeyStoreId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

EnableKey

# Template for matching an EnableKey request on its KeyId and the
# ProviderMetadata fields. STRING is not defined on this page — presumably a
# type placeholder; confirm before use.
valid {
    input.Body.KeyId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

EnableKeyRotation

# Template for matching an EnableKeyRotation request. STRING and INTEGER are
# not defined on this page — presumably type placeholders; confirm.
valid {
    input.Body.KeyId == STRING
    # `==` matches one exact value. To enforce a maximum rotation period,
    # replace this with a range comparison (`<=`).
    input.Body.RotationPeriodInDays == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

Encrypt

# Template for matching an Encrypt request. STRING, BLOB and BOOLEAN are not
# defined on this page — presumably type placeholders; confirm before use.
# This list is also defined under Decrypt and ReEncrypt on this page; a
# second `:=` for the same name in one package is a compile error.
# It includes the SHA-1 based RSAES_OAEP_SHA_1; narrow it if the baseline
# excludes SHA-1.
enum_EncryptionAlgorithmSpec := [ "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE" ]

valid {
    input.Body.KeyId == STRING
    # The data to be protected appears in the policy input. If the engine
    # records its input (for example OPA decision logs), mask this path.
    input.Body.Plaintext == BLOB
    # `.STRING` in the path presumably stands for an encryption-context key
    # name — confirm.
    input.Body.EncryptionContext.STRING == STRING
    input.Body.GrantTokens[_] == STRING
    input.Body.EncryptionAlgorithm == enum_EncryptionAlgorithmSpec[_]
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GenerateDataKey

# Template for matching a GenerateDataKey request. STRING, INTEGER, BLOB and
# BOOLEAN are not defined on this page — presumably type placeholders.
# Both lists are defined again in other sections of this page; a second `:=`
# for the same name in one package is a compile error.
enum_DataKeySpec := [ "AES_256", "AES_128" ]
enum_KeyEncryptionMechanism := [ "RSAES_OAEP_SHA_256" ]

# All expressions in a rule body must hold, so as written both NumberOfBytes
# and KeySpec are required. Presumably the template lists every field the
# request can carry; keep only the lines the policy should constrain.
valid {
    input.Body.KeyId == STRING
    input.Body.EncryptionContext.STRING == STRING
    input.Body.NumberOfBytes == INTEGER
    # Drop "AES_128" from the list to accept only 256-bit data keys.
    input.Body.KeySpec == enum_DataKeySpec[_]
    input.Body.GrantTokens[_] == STRING
    input.Body.Recipient.KeyEncryptionAlgorithm == enum_KeyEncryptionMechanism[_]
    # NOTE(review): matching the BLOB does not verify the attestation
    # document — confirm where that verification happens.
    input.Body.Recipient.AttestationDocument == BLOB
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GenerateDataKeyPair

# Template for matching a GenerateDataKeyPair request. STRING, BLOB and
# BOOLEAN are not defined on this page — presumably type placeholders.
# Both lists are defined again in other sections of this page; a second `:=`
# for the same name in one package is a compile error.
enum_DataKeyPairSpec := [ "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2" ]
enum_KeyEncryptionMechanism := [ "RSAES_OAEP_SHA_256" ]

valid {
    input.Body.EncryptionContext.STRING == STRING
    input.Body.KeyId == STRING
    # Narrow the list to the key-pair types the baseline permits.
    input.Body.KeyPairSpec == enum_DataKeyPairSpec[_]
    input.Body.GrantTokens[_] == STRING
    input.Body.Recipient.KeyEncryptionAlgorithm == enum_KeyEncryptionMechanism[_]
    # NOTE(review): matching the BLOB does not verify the attestation
    # document — confirm where that verification happens.
    input.Body.Recipient.AttestationDocument == BLOB
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GenerateDataKeyPairWithoutPlaintext

# Template for matching a GenerateDataKeyPairWithoutPlaintext request.
# STRING and BOOLEAN are not defined on this page — presumably type
# placeholders; confirm before use.
# This list is also defined under GenerateDataKeyPair on this page; a second
# `:=` for the same name in one package is a compile error.
enum_DataKeyPairSpec := [ "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SM2" ]

valid {
    # `.STRING` in the path presumably stands for an encryption-context key
    # name — confirm.
    input.Body.EncryptionContext.STRING == STRING
    input.Body.KeyId == STRING
    input.Body.KeyPairSpec == enum_DataKeyPairSpec[_]
    input.Body.GrantTokens[_] == STRING
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GenerateDataKeyWithoutPlaintext

# Template for matching a GenerateDataKeyWithoutPlaintext request. STRING,
# INTEGER and BOOLEAN are not defined on this page — presumably type
# placeholders; confirm before use.
# This list is also defined under GenerateDataKey on this page; a second
# `:=` for the same name in one package is a compile error.
enum_DataKeySpec := [ "AES_256", "AES_128" ]

# All expressions in a rule body must hold, so as written both KeySpec and
# NumberOfBytes are required; keep only the lines the policy should
# constrain.
valid {
    input.Body.KeyId == STRING
    input.Body.EncryptionContext.STRING == STRING
    input.Body.KeySpec == enum_DataKeySpec[_]
    input.Body.NumberOfBytes == INTEGER
    input.Body.GrantTokens[_] == STRING
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GenerateMac

# Template for matching a GenerateMac request. STRING, BLOB and BOOLEAN are
# not defined on this page — presumably type placeholders; confirm.
# This list is also defined under VerifyMac on this page; a second `:=` for
# the same name in one package is a compile error.
enum_MacAlgorithmSpec := [ "HMAC_SHA_224", "HMAC_SHA_256", "HMAC_SHA_384", "HMAC_SHA_512" ]

valid {
    input.Body.Message == BLOB
    input.Body.KeyId == STRING
    # Holds when MacAlgorithm equals any one list entry; trim the list to
    # restrict the accepted algorithms.
    input.Body.MacAlgorithm == enum_MacAlgorithmSpec[_]
    input.Body.GrantTokens[_] == STRING
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GenerateRandom

# Template for matching a GenerateRandom request. STRING, INTEGER and BLOB
# are not defined on this page — presumably type placeholders; confirm.
# This list is also defined under Decrypt, GenerateDataKey and
# GenerateDataKeyPair on this page; a second `:=` for the same name in one
# package is a compile error.
enum_KeyEncryptionMechanism := [ "RSAES_OAEP_SHA_256" ]

valid {
    input.Body.NumberOfBytes == INTEGER
    input.Body.CustomKeyStoreId == STRING
    input.Body.Recipient.KeyEncryptionAlgorithm == enum_KeyEncryptionMechanism[_]
    # NOTE(review): matching the BLOB does not verify the attestation
    # document — confirm where that verification happens.
    input.Body.Recipient.AttestationDocument == BLOB
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetKeyPolicy

# Template for matching a GetKeyPolicy request. STRING is not defined on this
# page — presumably a type placeholder; confirm before use.
valid {
    input.Body.KeyId == STRING
    input.Body.PolicyName == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetKeyRotationStatus

# Template for matching a GetKeyRotationStatus request on its KeyId and the
# ProviderMetadata fields. STRING is not defined on this page — presumably a
# type placeholder; confirm before use.
valid {
    input.Body.KeyId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetParametersForImport

# Template for matching a GetParametersForImport request. STRING is not
# defined on this page — presumably a type placeholder; confirm before use.
# NOTE(review): the wrapping list still carries RSAES_PKCS1_V1_5 and the
# SHA-1 variants. AWS documents RSAES_PKCS1_V1_5 as deprecated for import —
# verify; a guardrail would normally keep only the SHA-256 entries.
enum_AlgorithmSpec := [ "RSAES_PKCS1_V1_5", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "RSA_AES_KEY_WRAP_SHA_1", "RSA_AES_KEY_WRAP_SHA_256" ]
enum_WrappingKeySpec := [ "RSA_2048", "RSA_3072", "RSA_4096" ]

valid {
    input.Body.KeyId == STRING
    # Holds when the value equals any one list entry.
    input.Body.WrappingAlgorithm == enum_AlgorithmSpec[_]
    input.Body.WrappingKeySpec == enum_WrappingKeySpec[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetPublicKey

# Template for matching a GetPublicKey request. STRING is not defined on this
# page — presumably a type placeholder; confirm before use.
valid {
    input.Body.KeyId == STRING
    # Holds when any one GrantTokens element equals the value.
    input.Body.GrantTokens[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ImportKeyMaterial

# Template for matching an ImportKeyMaterial request. STRING, BLOB and
# TIMESTAMP are not defined on this page — presumably type placeholders;
# confirm before use.
enum_ExpirationModelType := [ "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE" ]

valid {
    input.Body.KeyId == STRING
    input.Body.ImportToken == BLOB
    input.Body.EncryptedKeyMaterial == BLOB
    # All expressions in a rule body must hold, so as written ValidTo is
    # required even when the expiration model is the non-expiring one.
    input.Body.ValidTo == TIMESTAMP
    # To force imported material to expire, keep only
    # "KEY_MATERIAL_EXPIRES" in the list.
    input.Body.ExpirationModel == enum_ExpirationModelType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListAliases

# Template for matching a ListAliases request, including its paging fields.
# STRING and INTEGER are not defined on this page — presumably type
# placeholders; confirm before use.
valid {
    input.Body.KeyId == STRING
    input.Body.Limit == INTEGER
    input.Body.Marker == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListGrants

# Template for matching a ListGrants request. STRING and INTEGER are not
# defined on this page — presumably type placeholders; confirm before use.
# All expressions in a rule body must hold, so as written the GrantId and
# GranteePrincipal filters are both required; keep only the lines the
# policy should constrain.
valid {
    input.Body.Limit == INTEGER
    input.Body.Marker == STRING
    input.Body.KeyId == STRING
    input.Body.GrantId == STRING
    input.Body.GranteePrincipal == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListKeyPolicies

# Template for matching a ListKeyPolicies request, including its paging
# fields. STRING and INTEGER are not defined on this page — presumably type
# placeholders; confirm before use.
valid {
    input.Body.KeyId == STRING
    input.Body.Limit == INTEGER
    input.Body.Marker == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListKeyRotations

# Template for matching a ListKeyRotations request, including its paging
# fields. STRING and INTEGER are not defined on this page — presumably type
# placeholders; confirm before use.
valid {
    input.Body.KeyId == STRING
    input.Body.Limit == INTEGER
    input.Body.Marker == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListKeys

# Template for matching a ListKeys request on its paging fields and the
# ProviderMetadata fields. STRING and INTEGER are not defined on this page —
# presumably type placeholders; confirm before use.
valid {
    input.Body.Limit == INTEGER
    input.Body.Marker == STRING
    # No key id in this request, so Account and Region are the only scoping
    # fields this template offers.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListResourceTags

# Template for matching a ListResourceTags request, including its paging
# fields. STRING and INTEGER are not defined on this page — presumably type
# placeholders; confirm before use.
valid {
    input.Body.KeyId == STRING
    input.Body.Limit == INTEGER
    input.Body.Marker == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListRetirableGrants

# Template for matching a ListRetirableGrants request. STRING and INTEGER are
# not defined on this page — presumably type placeholders; confirm.
valid {
    input.Body.Limit == INTEGER
    input.Body.Marker == STRING
    input.Body.RetiringPrincipal == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutKeyPolicy

# Template for matching a PutKeyPolicy request. STRING and BOOLEAN are not
# defined on this page — presumably type placeholders; confirm before use.
valid {
    input.Body.KeyId == STRING
    input.Body.PolicyName == STRING
    # Policy is compared as one string. Constraining individual statements
    # (principals, actions) would need the text parsed first (presumably
    # JSON — confirm), for example with json.unmarshal.
    input.Body.Policy == STRING
    # NOTE(review): per the AWS KMS API reference, true skips the check that
    # keeps the key policy manageable; a guardrail would normally require
    # false here — confirm.
    input.Body.BypassPolicyLockoutSafetyCheck == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ReEncrypt

# Template for matching a ReEncrypt request. STRING, BLOB and BOOLEAN are not
# defined on this page — presumably type placeholders; confirm before use.
# This list is also defined under Decrypt and Encrypt on this page; a second
# `:=` for the same name in one package is a compile error.
# It includes the SHA-1 based RSAES_OAEP_SHA_1; narrow it if the baseline
# excludes SHA-1.
enum_EncryptionAlgorithmSpec := [ "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256", "SM2PKE" ]

valid {
    input.Body.CiphertextBlob == BLOB
    # `.STRING` in the path presumably stands for an encryption-context key
    # name — confirm.
    input.Body.SourceEncryptionContext.STRING == STRING
    input.Body.SourceKeyId == STRING
    # The destination key decides who can read the data afterwards; pin it
    # to explicit key ids rather than leaving it unconstrained.
    input.Body.DestinationKeyId == STRING
    input.Body.DestinationEncryptionContext.STRING == STRING
    # Source and destination are checked separately, each against any one
    # list entry.
    input.Body.SourceEncryptionAlgorithm == enum_EncryptionAlgorithmSpec[_]
    input.Body.DestinationEncryptionAlgorithm == enum_EncryptionAlgorithmSpec[_]
    input.Body.GrantTokens[_] == STRING
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ReplicateKey

# Template for matching a ReplicateKey request. STRING and BOOLEAN are not
# defined on this page — presumably type placeholders; confirm before use.
valid {
    input.Body.KeyId == STRING
    # Replication places the key in another region; pin this to the regions
    # the organisation permits.
    input.Body.ReplicaRegion == STRING
    # Compared as one string; inspecting statements needs the text parsed.
    input.Body.Policy == STRING
    # NOTE(review): per the AWS KMS API reference, true skips the check that
    # keeps the key policy manageable; a guardrail would normally require
    # false here — confirm.
    input.Body.BypassPolicyLockoutSafetyCheck == BOOLEAN
    input.Body.Description == STRING
    # Each `_` is a separate wildcard: these two lines can be satisfied by
    # different Tags entries. Bind one index (`some i`) to test a key/value
    # pair on the same tag.
    input.Body.Tags[_].TagKey == STRING
    input.Body.Tags[_].TagValue == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

RetireGrant

# Template for matching a RetireGrant request. STRING and BOOLEAN are not
# defined on this page — presumably type placeholders; confirm before use.
# All expressions in a rule body must hold, so as written GrantToken is
# required together with KeyId and GrantId; keep only the lines the policy
# should constrain.
valid {
    input.Body.GrantToken == STRING
    input.Body.KeyId == STRING
    input.Body.GrantId == STRING
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

RevokeGrant

# Template for matching a RevokeGrant request. STRING and BOOLEAN are not
# defined on this page — presumably type placeholders; confirm before use.
valid {
    input.Body.KeyId == STRING
    input.Body.GrantId == STRING
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

RotateKeyOnDemand

# Template for matching a RotateKeyOnDemand request on its KeyId and the
# ProviderMetadata fields. STRING is not defined on this page — presumably a
# type placeholder; confirm before use.
valid {
    input.Body.KeyId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ScheduleKeyDeletion

# Template for matching a ScheduleKeyDeletion request. STRING and INTEGER are
# not defined on this page — presumably type placeholders; confirm.
valid {
    # Destructive by name: pin this to explicit key ids rather than leaving
    # it unconstrained.
    input.Body.KeyId == STRING
    # `==` matches one exact value. To enforce a minimum waiting period,
    # replace this with a range comparison (`>=`).
    input.Body.PendingWindowInDays == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

Sign

# Template for matching a Sign request. STRING, BLOB and BOOLEAN are not
# defined on this page — presumably type placeholders; confirm before use.
# Both lists are also defined under Verify on this page; a second `:=` for
# the same name in one package is a compile error.
enum_MessageType := [ "RAW", "DIGEST" ]
enum_SigningAlgorithmSpec := [ "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA" ]

valid {
    input.Body.KeyId == STRING
    input.Body.Message == BLOB
    # NOTE(review): with "DIGEST" the caller presumably supplies the hash
    # itself, so the policy cannot see what was hashed — confirm; keep only
    # "RAW" if that matters.
    input.Body.MessageType == enum_MessageType[_]
    input.Body.GrantTokens[_] == STRING
    # Holds when the value equals any one list entry; trim the list to the
    # signature schemes the baseline permits.
    input.Body.SigningAlgorithm == enum_SigningAlgorithmSpec[_]
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

TagResource

# Template for matching a TagResource request. STRING is not defined on this
# page — presumably a type placeholder; confirm before use.
valid {
    input.Body.KeyId == STRING
    # Each `_` is a separate wildcard: these two lines can be satisfied by
    # different Tags entries. Where tags drive access control, bind one
    # index (`some i`) so key and value are tested on the same tag.
    input.Body.Tags[_].TagKey == STRING
    input.Body.Tags[_].TagValue == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UntagResource

# Template for matching an UntagResource request. STRING is not defined on
# this page — presumably a type placeholder; confirm before use.
valid {
    input.Body.KeyId == STRING
    # Holds when ANY one TagKeys element equals the value; it says nothing
    # about the other keys in the same request.
    input.Body.TagKeys[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateAlias

# Template for matching an UpdateAlias request. STRING is not defined on this
# page — presumably a type placeholder; confirm before use.
valid {
    input.Body.AliasName == STRING
    # Re-pointing an alias changes which key callers reach by name; pin
    # TargetKeyId to explicit values rather than leaving it unconstrained.
    input.Body.TargetKeyId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateCustomKeyStore

# Template for matching an UpdateCustomKeyStore request. STRING is not
# defined on this page — presumably a type placeholder; confirm before use.
# This list is also defined under CreateCustomKeyStore on this page; a
# second `:=` for the same name in one package is a compile error.
enum_XksProxyConnectivityType := [ "PUBLIC_ENDPOINT", "VPC_ENDPOINT_SERVICE" ]

# All expressions in a rule body must hold, so as written this needs every
# field at once, CloudHSM and XKS-proxy fields together. Presumably the
# template lists everything the request can carry; keep only the lines the
# policy should constrain.
valid {
    input.Body.CustomKeyStoreId == STRING
    input.Body.NewCustomKeyStoreName == STRING
    # NOTE(review): by name a secret. If the engine records its input (for
    # example OPA decision logs), mask this path.
    input.Body.KeyStorePassword == STRING
    input.Body.CloudHsmClusterId == STRING
    # Changing the proxy endpoint redirects where key operations are sent;
    # pin these to the expected values.
    input.Body.XksProxyUriEndpoint == STRING
    input.Body.XksProxyUriPath == STRING
    input.Body.XksProxyVpcEndpointServiceName == STRING
    input.Body.XksProxyAuthenticationCredential.AccessKeyId == STRING
    # NOTE(review): by name a secret credential; same masking concern.
    input.Body.XksProxyAuthenticationCredential.RawSecretAccessKey == STRING
    input.Body.XksProxyConnectivity == enum_XksProxyConnectivityType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateKeyDescription

# Template for matching an UpdateKeyDescription request. STRING is not
# defined on this page — presumably a type placeholder; confirm before use.
valid {
    input.Body.KeyId == STRING
    input.Body.Description == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdatePrimaryRegion

# Template for matching an UpdatePrimaryRegion request. STRING is not defined
# on this page — presumably a type placeholder; confirm before use.
valid {
    input.Body.KeyId == STRING
    # Pin this to the regions the organisation permits as primary.
    input.Body.PrimaryRegion == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

Verify

# Template for matching a Verify request. STRING, BLOB and BOOLEAN are not
# defined on this page — presumably type placeholders; confirm before use.
# Both lists are also defined under Sign on this page; a second `:=` for the
# same name in one package is a compile error.
enum_MessageType := [ "RAW", "DIGEST" ]
enum_SigningAlgorithmSpec := [ "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512", "SM2DSA" ]

valid {
    input.Body.KeyId == STRING
    input.Body.Message == BLOB
    input.Body.MessageType == enum_MessageType[_]
    # This rule only matches the request shape. It does not report whether
    # the signature is good; that outcome is not part of this input.
    input.Body.Signature == BLOB
    # Holds when the value equals any one list entry; trim the list to the
    # signature schemes the baseline permits.
    input.Body.SigningAlgorithm == enum_SigningAlgorithmSpec[_]
    input.Body.GrantTokens[_] == STRING
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

VerifyMac

# Template for matching a VerifyMac request. STRING, BLOB and BOOLEAN are not
# defined on this page — presumably type placeholders; confirm before use.
# This list is also defined under GenerateMac on this page; a second `:=`
# for the same name in one package is a compile error.
enum_MacAlgorithmSpec := [ "HMAC_SHA_224", "HMAC_SHA_256", "HMAC_SHA_384", "HMAC_SHA_512" ]

valid {
    input.Body.Message == BLOB
    input.Body.KeyId == STRING
    input.Body.MacAlgorithm == enum_MacAlgorithmSpec[_]
    # This rule only matches the request shape. It does not report whether
    # the MAC is good; that outcome is not part of this input.
    input.Body.Mac == BLOB
    input.Body.GrantTokens[_] == STRING
    input.Body.DryRun == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}