AWS IAM Policy Conditions allow you to apply specific constraints or rules to control access in your AWS environment. These conditions can be used in IAM policies (Identity and Access Management) to refine permissions based on attributes, such as time of day, source IP, or the presence of tags, among others. Conditions help you to enforce more granular access control.
Key Components of IAM Policy Conditions:
- Condition Keys:
- Condition keys are predefined global keys that AWS services support to apply conditions to actions. These keys can refer to metadata like IP address, time, and resource tags.
- Some of the most common AWS condition keys include
aws:RequestTag,aws:PrincipalTag,aws:CurrentTime, andaws:SourceIp.
- Condition Operators:
- AWS IAM allows various operators in policies, such as:
StringEquals: Checks if a string is equal to the condition value.StringLike: Checks if a string matches a wildcard pattern.StringNotEquals: Checks if a string is not equal to the condition value.NumericEquals: Compares numeric values for equality.NumericLessThan: Compares numeric values for less than.Bool: Evaluates the condition as a Boolean (True/False).IpAddress: Matches the source IP address against a given range.
- AWS IAM allows various operators in policies, such as:
- Condition Context:
- Conditions are often context-dependent, meaning they are based on values that can change in time, environment, or request.
- Conditions are generally expressed using the Condition Block in the IAM policy, and they apply the specified constraints based on the conditions defined in the policy.
General Syntax of a Policy Condition:
A condition block is structured as follows:
jsonCopyEdit"Condition": {
"operator": {
"key": "value"
}
}
Common IAM Policy Condition Keys:
Here are some of the commonly used AWS policy condition keys for refining access permissions:
- Time-based Conditions:
aws:CurrentTime: This key allows you to limit access to specific times of day or specific dates.
"Condition": { "StringGreaterThan": { "aws:CurrentTime": "2025-01-01T00:00:00Z" } }This condition would restrict the access to dates afterJanuary 1, 2025. - IP Address-based Conditions:
aws:SourceIp: Restrict access based on the IP address of the requester.
"Condition": { "IpAddress": { "aws:SourceIp": "203.0.113.0/24" } }This allows access only from IP addresses in the range203.0.113.0/24. - User and Resource Tag Conditions:
aws:RequestTag: Allows or denies access based on the tags associated with a resource or request.aws:PrincipalTag: Evaluates tags that are associated with the principal (user or role) making the request.
"Condition": { "StringEquals": { "aws:RequestTag/Environment": "Production" } }This condition ensures that actions are only allowed if the resource being requested has a tag ofEnvironment=Production. - Region-based Conditions:
aws:RequestedRegion: Limits the access to a specific AWS region.
"Condition": { "StringEquals": { "aws:RequestedRegion": "us-west-1" } }This allows access only from theus-west-1region. - AWS Account and Service Conditions:
aws:userid: Restrict access to certain accounts or users.aws:PrincipalAccount: Restrict access based on the IAM principal’s AWS account.
"Condition": { "StringEquals": { "aws:PrincipalAccount": "123456789012" } }This condition allows actions only for the principal belonging to AWS account123456789012. - Authentication-based Conditions:
aws:SecureTransport: Restricts actions to be only allowed over a secure connection (HTTPS).
"Condition": { "Bool": { "aws:SecureTransport": "true" } }This ensures that requests can only be made over HTTPS (not HTTP).
Examples of IAM Policy with Conditions:
1. Allow S3 Access Only During Business Hours (9 AM – 5 PM):
This example restricts S3 access to only business hours.
jsonCopyEdit{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringGreaterThan": {
"aws:CurrentTime": "2025-01-01T09:00:00Z"
},
"StringLessThan": {
"aws:CurrentTime": "2025-01-01T17:00:00Z"
}
}
}
]
}
2. Allow Access Only From a Specific IP Range:
This example limits access to an S3 bucket to specific IP addresses.
jsonCopyEdit{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
}
}
}
]
}
3. Restrict Access Based on Resource Tags:
In this example, access is only allowed to resources that have a tag Environment: Production.
jsonCopyEdit{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/Environment": "Production"
}
}
}
]
}
4. Enforce Secure HTTPS Access:
This condition ensures that S3 access is only allowed if the request is made over HTTPS.
jsonCopyEdit{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "true"
}
}
}
]
}
5. Allow Access Only From Specific IAM Users:
This condition allows access only if the user is tagged with a specific value (e.g., Role: Admin).
jsonCopyEdit{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/Role": "Admin"
}
}
}
]
}
Conclusion:
- IAM Policy Conditions provide fine-grained access control for AWS resources. They allow administrators to enforce rules based on various attributes like time, IP address, user tags, and more.
- Conditions improve security by ensuring that permissions are enforced only when specific criteria are met, reducing the attack surface.
- Understanding and leveraging IAM policy conditions is key to implementing best practices for least-privilege access and secure resource management in AWS.