AWS IAM Policy Conditions

Posted on January 31, 2025 by wpadmin

AWS IAM Policy Conditions allow you to apply specific constraints or rules to control access in your AWS environment. These conditions can be used in IAM policies (Identity and Access Management) to refine permissions based on attributes, such as time of day, source IP, or the presence of tags, among others. Conditions help you to enforce more granular access control.

Key Components of IAM Policy Conditions:

  1. Condition Keys:
    • Condition keys are predefined keys, either global (prefixed aws:) or service-specific (for example s3:), that name the request attribute a condition tests, such as the source IP address, the current time, or resource tags.
    • Some of the most common AWS condition keys include aws:RequestTag, aws:PrincipalTag, aws:CurrentTime, and aws:SourceIp.
  2. Condition Operators:
    • AWS IAM allows various operators in policies, such as:
      • StringEquals: Checks if a string is equal to the condition value.
      • StringLike: Checks if a string matches a wildcard pattern.
      • StringNotEquals: Checks if a string is not equal to the condition value.
      • NumericEquals: Compares numeric values for equality.
      • NumericLessThan: Checks if a numeric value is less than the condition value.
      • DateGreaterThan / DateLessThan: Compares timestamps; these are the operators to use with aws:CurrentTime.
      • Bool: Evaluates the condition as a Boolean (true/false).
      • IpAddress: Matches the source IP address against a given CIDR range.
  3. Condition Context:
    • Conditions are context-dependent: they are evaluated against values that change with the time, the environment, or the request itself.
    • Conditions are expressed in the Condition block of a policy statement, and the statement applies only when every constraint in that block is satisfied.

General Syntax of a Policy Condition:

A condition block is structured as follows:

"Condition": {
    "operator": {
        "key": "value"
    }
}

Common IAM Policy Condition Keys:

Here are some of the commonly used AWS policy condition keys for refining access permissions:

  1. Time-based Conditions:
    • aws:CurrentTime: This key allows you to limit access to specific times of day or specific dates.
    Example:
    "Condition": { "DateGreaterThan": { "aws:CurrentTime": "2025-01-01T00:00:00Z" } }
    This condition restricts access to requests made after January 1, 2025.
  2. IP Address-based Conditions:
    • aws:SourceIp: Restrict access based on the IP address of the requester.
    Example:
    "Condition": { "IpAddress": { "aws:SourceIp": "203.0.113.0/24" } }
    This allows access only from IP addresses in the range 203.0.113.0/24.
  3. User and Resource Tag Conditions:
    • aws:RequestTag: Evaluates the tags passed in the request (for example, when a resource is created or tagged); aws:ResourceTag evaluates tags already attached to the resource being accessed.
    • aws:PrincipalTag: Evaluates tags that are associated with the principal (user or role) making the request.
    Example:
    "Condition": { "StringEquals": { "aws:ResourceTag/Environment": "Production" } }
    This condition ensures that actions are only allowed if the resource being acted on carries the tag Environment=Production.
  4. Region-based Conditions:
    • aws:RequestedRegion: Limits the access to a specific AWS region.
    Example:
    "Condition": { "StringEquals": { "aws:RequestedRegion": "us-west-1" } }
    This allows access only to the us-west-1 region.
  5. AWS Account and Service Conditions:
    • aws:userid: Restrict access to certain accounts or users.
    • aws:PrincipalAccount: Restrict access based on the IAM principal’s AWS account.
    Example:
    "Condition": { "StringEquals": { "aws:PrincipalAccount": "123456789012" } }
    This condition allows actions only for principals belonging to AWS account 123456789012.
  6. Authentication-based Conditions:
    • aws:SecureTransport: Restricts actions so that they are allowed only over a secure connection (HTTPS).
    Example:
    "Condition": { "Bool": { "aws:SecureTransport": "true" } }
    This ensures that requests are honoured only when made over HTTPS (not HTTP).

Examples of IAM Policy with Conditions:

1. Allow S3 Access Only During Business Hours (9 AM – 5 PM):

This example restricts S3 access to the 9 AM to 5 PM (UTC) window on January 1, 2025. aws:CurrentTime is compared with the Date operators, and because it is a full timestamp rather than a time of day, the window applies to that one date only and does not recur daily.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "DateGreaterThan": {
                    "aws:CurrentTime": "2025-01-01T09:00:00Z"
                },
                "DateLessThan": {
                    "aws:CurrentTime": "2025-01-01T17:00:00Z"
                }
            }
        }
    ]
}

2. Allow Access Only From a Specific IP Range:

This example limits access to an S3 bucket to specific IP addresses.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "203.0.113.0/24"
                }
            }
        }
    ]
}

3. Restrict Access Based on Resource Tags:

In this example, access is only allowed to objects that carry the tag Environment: Production. The S3 key s3:ExistingObjectTag reads the tags already on the object; aws:RequestTag would only see tags supplied in the request, and since s3:GetObject carries none, that key would never match.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/Environment": "Production"
                }
            }
        }
    ]
}

4. Enforce Secure HTTPS Access:

This condition ensures that S3 access is only allowed if the request is made over HTTPS.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}

5. Allow Access Only From Specific IAM Users:

This condition allows access only if the user is tagged with a specific value (e.g., Role: Admin).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalTag/Role": "Admin"
                }
            }
        }
    ]
}
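As an added example (not code from the original post), the following Python evaluator applies a Condition block to a request context. It covers the operators listed in the Condition Keys section plus the Date operators that aws:CurrentTime requires, and reproduces the policies above: the IP range, the HTTPS flag, the time window of example 1 and the tag condition of example 3, including the case where a condition key is absent from the request. Assumptions: context keys are spelled exactly like the condition keys, only the operators in its table are modelled, and the request contexts are constructed, not captured from AWS.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone

def _ts(value):
    # IAM timestamps are ISO 8601; normalise the trailing "Z" so fromisoformat accepts it
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

# Operator name -> predicate(actual, expected). IAM rejects operator names outside its
# own table, which is why "StringGreaterThan" on aws:CurrentTime is a policy error.
OPERATORS = {
    "StringEquals": lambda a, e: a == e,
    "StringNotEquals": lambda a, e: a != e,
    "StringLike": lambda a, e: fnmatch.fnmatchcase(a, e),
    "NumericEquals": lambda a, e: float(a) == float(e),
    "NumericLessThan": lambda a, e: float(a) < float(e),
    "Bool": lambda a, e: str(a).lower() == str(e).lower(),
    "IpAddress": lambda a, e: ipaddress.ip_address(a) in ipaddress.ip_network(e, strict=False),
    "DateGreaterThan": lambda a, e: _ts(a) > _ts(e),
    "DateLessThan": lambda a, e: _ts(a) < _ts(e),
}
NEGATED = {"StringNotEquals"}  # negated operators must hold against every listed value

def evaluate_condition(condition, context):
    """True only if every operator/key pair in the Condition block matches the
    request context. A key absent from the context never matches, so an Allow
    that tests aws:RequestTag on a read-only action such as s3:GetObject silently
    grants nothing (a resource-tag key such as s3:ExistingObjectTag is needed)."""
    for op, pairs in condition.items():
        if op not in OPERATORS:
            raise ValueError(f"unknown condition operator: {op}")
        for key, expected in pairs.items():
            if key not in context:
                return False
            values = expected if isinstance(expected, list) else [expected]
            combine = all if op in NEGATED else any
            if not combine(OPERATORS[op](context[key], v) for v in values):
                return False
    return True

if __name__ == "__main__":
    # Constructed request context (hypothetical values, not captured from AWS)
    ctx = {"aws:SourceIp": "203.0.113.17", "aws:SecureTransport": "true",
           "aws:CurrentTime": "2025-01-01T10:30:00Z", "aws:PrincipalTag/Role": "Admin"}
    window = {"DateGreaterThan": {"aws:CurrentTime": "2025-01-01T09:00:00Z"},
              "DateLessThan": {"aws:CurrentTime": "2025-01-01T17:00:00Z"}}
    print(evaluate_condition(window, ctx))  # True: inside the example 1 window
    print(evaluate_condition({"StringEquals": {"aws:RequestTag/Environment": "Production"}}, ctx))  # False: key absent
```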

Conclusion:

  • IAM Policy Conditions provide fine-grained access control for AWS resources. They allow administrators to enforce rules based on various attributes like time, IP address, user tags, and more.
  • Conditions improve security by ensuring that permissions are enforced only when specific criteria are met, reducing the attack surface.
  • Understanding and leveraging IAM policy conditions is key to implementing best practices for least-privilege access and secure resource management in AWS.
