AWS IAM Policy Conditions – Complete Guide
Table of Contents
- Introduction
- IAM Policy Structure
- Condition Block Structure
- Condition Operator Types
- Global Condition Keys
- Service-Specific Condition Keys
- Multi-Value Operators
- Policy Evaluation Logic
- Real-World Examples
- ABAC (Tag-Based Access Control)
- Best Practices
- Troubleshooting
1. Introduction
AWS IAM Policy Conditions allow you to control when a policy statement applies.
They help enforce:
- IP restrictions
- MFA requirements
- Time-based access
- Region restrictions
- Tag-based access control (ABAC)
- Encryption enforcement
- HTTPS enforcement
2. IAM Policy Structure
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStatement",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {}
    }
  ]
}
```
3. Condition Block Structure
```json
"Condition": {
  "ConditionOperator": {
    "ConditionKey": "ConditionValue"
  }
}
```
- ConditionOperator → the type of comparison (for example StringEquals or IpAddress)
- ConditionKey → the AWS request-context key being tested
- ConditionValue → the value, or list of values, to compare against
4. Condition Operator Types
4.1 String Operators
- StringEquals
- StringNotEquals
- StringEqualsIgnoreCase
- StringLike
- StringNotLike
StringEquals and StringNotEquals are case-sensitive; StringLike and StringNotLike accept the wildcards * (any run of characters) and ? (a single character).
Example:
```json
"Condition": {
  "StringEquals": {
    "aws:RequestedRegion": "us-east-1"
  }
}
```
4.2 Numeric Operators
- NumericEquals
- NumericLessThan
- NumericGreaterThan
- NumericLessThanEquals
- NumericGreaterThanEquals
Example (matches only while the caller's MFA authentication is less than 3600 seconds old):
```json
"Condition": {
  "NumericLessThan": {
    "aws:MultiFactorAuthAge": "3600"
  }
}
```
4.3 Date Operators
- DateEquals
- DateLessThan
- DateGreaterThan
Example:
```json
"Condition": {
  "DateLessThan": {
    "aws:CurrentTime": "2026-12-31T23:59:59Z"
  }
}
```
4.4 Boolean Operator
- Bool
Example:
```json
"Condition": {
  "Bool": {
    "aws:MultiFactorAuthPresent": "true"
  }
}
```
4.5 IP Address Operators
- IpAddress
- NotIpAddress
Example:
```json
"Condition": {
  "IpAddress": {
    "aws:SourceIp": "203.0.113.0/24"
  }
}
```
4.6 ARN Operators
- ArnEquals
- ArnLike
- ArnNotEquals
- ArnNotLike
Example:
```json
"Condition": {
  "ArnLike": {
    "aws:SourceArn": "arn:aws:lambda:us-east-1:123456789012:function:*"
  }
}
```
4.7 Null Operator
- Null
Used to check whether a key exists in the request context: the value "false" matches when the key is present, "true" when it is absent. The example below matches requests that carry an Environment tag.
```json
"Condition": {
  "Null": {
    "aws:RequestTag/Environment": "false"
  }
}
```
5. Global Condition Keys
Common keys:
- aws:SourceIp
- aws:CurrentTime
- aws:PrincipalArn
- aws:RequestedRegion
- aws:MultiFactorAuthPresent
- aws:SecureTransport
- aws:SourceVpc
- aws:RequestTag/tag-key
- aws:ResourceTag/tag-key
6. Service-Specific Condition Keys
Examples:
- s3:prefix
- ec2:InstanceType
- kms:ViaService
- lambda:FunctionArn
Example:
```json
"Condition": {
  "StringEquals": {
    "ec2:InstanceType": "t3.micro"
  }
}
```
7. Multi-Value Operators
- ForAnyValue:StringEquals
- ForAllValues:StringEquals
ForAnyValue matches when at least one value in the request matches one of the policy values. ForAllValues requires every request value to match, and it also evaluates to true when the key is absent from the request, so it should not be used on its own in an Allow statement.
Example:
```json
"Condition": {
  "ForAnyValue:StringEquals": {
    "aws:TagKeys": ["Environment", "Owner"]
  }
}
```
8. Policy Evaluation Logic
Evaluation order:
- Explicit Deny
- Explicit Allow
- Default Deny
Important rules:
- Deny overrides Allow
- A statement applies only when its Condition block evaluates to true
- Within one Condition block, every operator and every key must match (logical AND); several values listed for a single key are alternatives (logical OR)
9. Real-World Examples
Enforce HTTPS for S3
```json
{
  "Effect": "Deny",
  "Action": "s3:*",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "aws:SecureTransport": "false"
    }
  }
}
```
Restrict to Specific Region
```json
{
  "Effect": "Deny",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "aws:RequestedRegion": "us-east-1"
    }
  }
}
```
10. ABAC (Tag-Based Access Control)
Example (${aws:PrincipalTag/Department} is a policy variable that is replaced at evaluation time with the Department tag of the calling principal, so each principal can only start instances tagged with its own department):
```json
{
  "Effect": "Allow",
  "Action": "ec2:StartInstances",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"
    }
  }
}
```
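To make the rules in the multi-value, evaluation-logic, real-world and ABAC sections concrete, here is an added example (not part of the original guide, and not AWS's own engine) of a small Python evaluator that models them: Deny overrides Allow, AND across operators and keys, OR across listed values, ForAnyValue/ForAllValues set semantics, the Null operator, and ${...} policy-variable expansion. The POLICY constant, the request contexts and the action/resource matching are constructed assumptions; the evaluator deliberately simplifies how a missing context key is handled and does not model the ...IfExists operators.

```python
import ipaddress
import re
def _like(pattern, value):
    # IAM StringLike wildcards: * matches any run of characters, ? exactly one character
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*").replace(r"\?", "."), value) is not None
def _expand(value, ctx):
    # Substitute policy variables such as ${aws:PrincipalTag/Department} from the request context
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), value)
OPERATORS = {  # each operator compares one policy value (v) with one request-context value (c)
    "StringEquals": lambda v, c: v == c,
    "StringNotEquals": lambda v, c: v != c,
    "Bool": lambda v, c: v.lower() == str(c).lower(),
    "IpAddress": lambda v, c: ipaddress.ip_address(c) in ipaddress.ip_network(v, strict=False),
}

def condition_matches(condition, ctx):
    # Operators and keys in one Condition block are ANDed; the values listed for a key are ORed
    for op, keys in condition.items():
        set_op, _, base = op.rpartition(":")  # "ForAnyValue:StringEquals" -> ("ForAnyValue", "StringEquals")
        for key, wanted in keys.items():
            wanted = [_expand(w, ctx) for w in (wanted if isinstance(wanted, list) else [wanted])]
            if base == "Null":  # "true" matches an absent key, "false" a present one
                hits = [(key not in ctx) == (wanted[0] == "true")]
            else:
                actual = ctx.get(key, [])  # simplified: an absent key leaves nothing to compare
                hits = [any(OPERATORS[base](w, a) for w in wanted) for a in (actual if isinstance(actual, list) else [actual])]
            if not (all(hits) if set_op == "ForAllValues" else any(hits)):  # absent key: only ForAllValues passes
                return False
    return True

def evaluate(policy, action, resource, ctx):
    # Explicit Deny beats Allow; a request matched by no statement is implicitly denied
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        matched = any(_like(a.lower(), action.lower()) for a in actions) and _like(st["Resource"], resource)
        if not matched or not condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

POLICY = {"Version": "2012-10-17", "Statement": [  # constructed sample built from this guide's statements
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"}}},
]}
```

With the sample policy, an S3 read over plain HTTP from an allowed address is denied by the guardrail even though an Allow statement matches, while the same read over HTTPS from an address outside 203.0.113.0/24 falls through to the implicit deny.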
11. Best Practices
- Use Explicit Deny for guardrails
- Enforce MFA for admin roles
- Restrict by IP and Region
- Enforce HTTPS
- Use ABAC for scalability
- Avoid wildcard actions
12. Troubleshooting
Tools:
- IAM Policy Simulator
- AWS CloudTrail
- Access Analyzer
Common Issues:
- Typo in condition key
- Case sensitivity problems
- Explicit Deny overriding Allow
- Missing required tags
