AWS Payment Cryptography adds integration with Multi-party approval for sensitive operations
AWS Payment Cryptography (APC) now supports Multi-party approval (MPA) for importing root certificates, giving customers an additional layer of governance over critical key management operations.
Customers using X.509 and public key infrastructure (PKI) certificates with asymmetric keys (RSA and ECC) can now require two or more authorized individuals to approve a root certificate import request before it takes effect — even when the requester already holds the necessary IAM permissions. This distributed approval model prevents any single individual from making unilateral changes to certificate trust anchors.
Built on AWS Multi-party approval, this feature integrates natively with AWS IAM Identity Center, allowing team members to review and act on pending requests through a managed approval portal. Once approved, the new root certificate becomes active and available for use within the service. There is no additional charge for this feature beyond standard per-API rates.
This feature is available across all AWS Regions where AWS Payment Cryptography is available. To get started with this feature, review the AWS Payment Cryptography MPA guide and the Multi-Party Approval documentation.