While the custom authoriser is able to accept/reject a connection to (e.g.) a prod box based on its EC2 tags, it would be nice for this to be logged in CloudTrail. So we should support passing in arbitrary key=val pairs which:

- get logged to CloudTrail by means of inclusion in the encryption context
- get passed to the custom authoriser
- don't collide with the existing encryption context (maybe prefix user-submitted keys)
- demonstrate how an admin can mandate the presence of a key=val pair using conditions in the KMS key policy
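
A sketch of the prefixing and the key-policy condition described above, added here as an illustration and not taken from the project's code. The `user.` prefix, the function names, the sample keys and the choice of `kms:Encrypt` as the gated action are assumptions; `kms:EncryptionContext:<key>` is the standard KMS condition key.

```python
import json

USER_PREFIX = "user."  # assumed prefix; the page does not name one


def parse_pairs(args):
    """Parse ['key=val', ...], rejecting malformed or repeated keys."""
    pairs = {}
    for arg in args:
        key, sep, val = arg.partition("=")
        if not sep or not key or not val:
            raise ValueError(f"expected key=val, got {arg!r}")
        if key in pairs:
            raise ValueError(f"duplicate key {key!r}")
        pairs[key] = val
    return pairs


def build_context(base, user_pairs):
    """Return base plus user pairs, each stored under USER_PREFIX."""
    ctx = dict(base)
    for key, val in user_pairs.items():
        prefixed = USER_PREFIX + key
        if prefixed in ctx:  # only possible if the tool itself used the prefix
            raise ValueError(f"{prefixed!r} already set by the tool")
        ctx[prefixed] = val
    return ctx


def require_pair_statement(principal_arn, key, val):
    """Key-policy statement allowing kms:Encrypt only when the pair is present."""
    return {
        "Sid": "AllowEncryptWithRequiredContext",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "kms:Encrypt",  # assumed to be the call that carries the context
        "Resource": "*",
        "Condition": {
            "StringEquals": {f"kms:EncryptionContext:{USER_PREFIX}{key}": val}
        },
    }


if __name__ == "__main__":
    base = {"to": "i-0123456789abcdef0"}  # constructed stand-in for existing keys
    ctx = build_context(base, parse_pairs(["to=prod", "ticket=OPS-1"]))
    print(json.dumps(ctx, indent=2))
    arn = "arn:aws:iam::111122223333:role/PLACEHOLDER"  # placeholder principal
    print(json.dumps(require_pair_statement(arn, "ticket", "OPS-1"), indent=2))
```

KMS records the encryption context in CloudTrail in plaintext, so values passed this way should not be secrets.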