Using condition keys
You can specify conditions that determine how an IAM policy takes effect. In ElastiCache, you can use the Condition
element of a JSON policy to compare keys in the request context with key values that you specify in your policy.
For more information, see IAM JSON policy elements: Condition.
For a list of global condition keys, see AWS global condition context keys.
Specifying Conditions: Using Condition Keys
To implement fine-grained control, you write an IAM permissions policy that specifies conditions to control a set of individual parameters on certain requests. You then apply the policy to IAM users, groups, or roles that you create using the IAM console.
To apply a condition, you add the condition information to the IAM policy statement. In the following example, the condition restricts any cache cluster or replication group that is created to node type cache.r5.large. The first statement covers the parameter group and subnet group resources that the create calls also reference; the second grants creation of the cluster or replication group itself, gated on the node type.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*",
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticache:CacheNodeType": ["cache.r5.large"]
        }
      }
    }
  ]
}
```
The following table lists the service-specific condition keys that apply to ElastiCache and their data types. The example policies later on this page show the creation and modification actions each key is used with.
Key name | Description | Datatype |
---|---|---|
elasticache:CacheNodeType | Filters access by the cacheNodeType parameter present in the request. This key can be used to restrict which cache node types can be used on cluster creation or scaling operations. | String |
elasticache:NumNodeGroups | Filters access by the NumNodeGroups or NodeGroupCount parameter specified in the request. This key can be used to restrict the number of node groups (shards) clusters can have after creation or scaling operations. | Number |
elasticache:ReplicasPerNodeGroup | Filters access by the number of replicas per node group (shard) specified in creation or scaling requests. | Number |
elasticache:EngineVersion | Filters access by the engine version specified in the request. | String |
elasticache:EngineType | Filters access by the engine type present in creation requests. For replication group creations, the default engine "redis" is used as the key value if the parameter is not present. | String |
elasticache:AutomaticFailoverEnabled | Filters access by whether automatic failover is enabled in the request. | Bool |
elasticache:AtRestEncryptionEnabled | Filters access by whether at-rest encryption is enabled in the request. | Bool |
elasticache:TransitEncryptionEnabled | Filters access by whether in-transit encryption (TLS) is enabled in the request. | Bool |
elasticache:MultiAZEnabled | Filters access by whether Multi-AZ is enabled in the request. | Bool |
elasticache:ClusterModeEnabled | Filters access by whether cluster mode is enabled in the request. | Bool |
elasticache:AuthTokenEnabled | Filters access by the presence of a non-empty AUTH token in the request. | Bool |
elasticache:SnapshotRetentionLimit | Filters access by the snapshot retention limit (in days) specified in the request. | Number |
elasticache:KmsKeyId | Filters access by the AWS KMS key ID specified in the request. | String |
elasticache:CacheParameterGroupName | Filters access by the cache parameter group name specified in the request. | String |
For more information, see Tag-Based access control policy examples.
For more information on using policy condition operators, see ElastiCache API permissions: Actions, resources, and conditions reference.
Example Policies: Using Conditions for Fine-Grained Parameter Control
This section shows example policies for implementing fine-grained access control on the previously listed ElastiCache parameters.
elasticache:CacheNodeType: Specify which node type(s) a user can create. With the StringEquals operator you can list a single allowed node type or several.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*",
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticache:CacheNodeType": ["cache.t2.micro", "cache.t2.medium"]
        }
      }
    }
  ]
}
```
elasticache:NumNodeGroups: Create a replication group with at most 20 node groups (the operator is NumericLessThanEquals, so exactly 20 is still allowed).
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": ["arn:aws:elasticache:*:*:replicationgroup:*"],
      "Condition": {
        "NumericLessThanEquals": {
          "elasticache:NumNodeGroups": "20"
        }
      }
    }
  ]
}
```
elasticache:ReplicasPerNodeGroup: Require between 5 and 10 replicas per node group (inclusive). Two operators on the same key in one Condition block are ANDed together.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": ["arn:aws:elasticache:*:*:replicationgroup:*"],
      "Condition": {
        "NumericGreaterThanEquals": {
          "elasticache:ReplicasPerNodeGroup": "5"
        },
        "NumericLessThanEquals": {
          "elasticache:ReplicasPerNodeGroup": "10"
        }
      }
    }
  ]
}
```
elasticache:EngineVersion: Allow only engine version 5.0.6.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*",
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticache:EngineVersion": "5.0.6"
        }
      }
    }
  ]
}
```
elasticache:EngineType: Allow the Redis engine only.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*",
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticache:EngineType": "redis"
        }
      }
    }
  ]
}
```
elasticache:AtRestEncryptionEnabled: Allow replication groups to be created only with at-rest encryption enabled.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": ["arn:aws:elasticache:*:*:replicationgroup:*"],
      "Condition": {
        "Bool": {
          "elasticache:AtRestEncryptionEnabled": "true"
        }
      }
    }
  ]
}
```
elasticache:TransitEncryptionEnabled: Control whether replication groups can be created or modified with TLS (in-transit encryption). Three variants follow.

Set the elasticache:TransitEncryptionEnabled condition key to false for the CreateReplicationGroup action to specify that replication groups can only be created when TLS is not being used:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": ["arn:aws:elasticache:*:*:replicationgroup:*"],
      "Condition": {
        "Bool": {
          "elasticache:TransitEncryptionEnabled": "false"
        }
      }
    }
  ]
}
```
When the elasticache:TransitEncryptionEnabled condition key is set to false in a policy for the CreateReplicationGroup action, a CreateReplicationGroup request is allowed only if TLS is not being used, that is, if the request does not include a TransitEncryptionEnabled parameter set to true or a TransitEncryptionMode parameter set to required.

Set the elasticache:TransitEncryptionEnabled condition key to true for the CreateReplicationGroup action to specify that replication groups can only be created when TLS is being used:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": ["arn:aws:elasticache:*:*:replicationgroup:*"],
      "Condition": {
        "Bool": {
          "elasticache:TransitEncryptionEnabled": "true"
        }
      }
    }
  ]
}
```
When the elasticache:TransitEncryptionEnabled condition key is set to true in a policy for the CreateReplicationGroup action, a CreateReplicationGroup request is allowed only if the request includes a TransitEncryptionEnabled parameter set to true and a TransitEncryptionMode parameter set to required.

Set elasticache:TransitEncryptionEnabled to true for the ModifyReplicationGroup action to specify that replication groups can only be modified when TLS is being used:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["elasticache:ModifyReplicationGroup"],
      "Resource": ["arn:aws:elasticache:*:*:replicationgroup:*"],
      "Condition": {
        "BoolIfExists": {
          "elasticache:TransitEncryptionEnabled": "true"
        }
      }
    }
  ]
}
```
When the elasticache:TransitEncryptionEnabled condition key is set to true in a policy for the ModifyReplicationGroup action, a ModifyReplicationGroup request is allowed only if the request includes a TransitEncryptionMode parameter set to required. The TransitEncryptionEnabled parameter set to true may optionally be included as well, but is not needed in this case to enable TLS. Note the BoolIfExists operator in this policy: if ElastiCache does not place the key in the request context for a particular ModifyReplicationGroup request, the condition evaluates to true and that request is allowed, whereas the plain Bool operator would deny it. Choose Bool instead if you want every modification denied unless it explicitly carries the key with the value true.
elasticache:AutomaticFailoverEnabled: Allow replication groups to be created only with automatic failover enabled.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": ["arn:aws:elasticache:*:*:replicationgroup:*"],
      "Condition": {
        "Bool": {
          "elasticache:AutomaticFailoverEnabled": "true"
        }
      }
    }
  ]
}
```
elasticache:MultiAZEnabled: Prevent replication groups from being created with Multi-AZ disabled. Unlike the previous examples this uses an explicit Deny, which overrides any Allow but grants nothing on its own: the principal still needs a separate Allow for CreateCacheCluster and CreateReplicationGroup on the cluster and replication group resources, or every creation request is implicitly denied.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*",
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "Bool": {
          "elasticache:MultiAZEnabled": "false"
        }
      }
    }
  ]
}
```
elasticache:ClusterModeEnabled: Specify that replication groups can only be created with cluster mode enabled.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": ["arn:aws:elasticache:*:*:replicationgroup:*"],
      "Condition": {
        "Bool": {
          "elasticache:ClusterModeEnabled": "true"
        }
      }
    }
  ]
}
```
elasticache:AuthTokenEnabled: Specify that clusters and replication groups can only be created with a (non-empty) AUTH token.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*",
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "Bool": {
          "elasticache:AuthTokenEnabled": "true"
        }
      }
    }
  ]
}
```
elasticache:SnapshotRetentionLimit: Specify the number of days (or a minimum and/or maximum) that snapshots are kept. The following policy enforces a snapshot retention of at least 30 days.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*",
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "NumericGreaterThanEquals": {
          "elasticache:SnapshotRetentionLimit": "30"
        }
      }
    }
  ]
}
```
elasticache:KmsKeyId: Require a specific customer managed AWS KMS key. This key complements elasticache:AtRestEncryptionEnabled: the latter requires encryption at rest, this one pins which key is used. In the example, my-key is a placeholder for the ID of your KMS key.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateReplicationGroup"],
      "Resource": ["arn:aws:elasticache:*:*:replicationgroup:*"],
      "Condition": {
        "StringEquals": {
          "elasticache:KmsKeyId": "my-key"
        }
      }
    }
  ]
}
```
elasticache:CacheParameterGroupName: Require a non-default parameter group carrying your organization's settings on your clusters. You could also enforce a naming pattern for parameter groups (with a StringLike condition) or block deletion of a specific parameter group name. The following example constrains usage to "my-org-param-group" only.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:cluster:*",
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticache:CacheParameterGroupName": "my-org-param-group"
        }
      }
    }
  ]
}
```
elasticache:CreateCacheCluster: Deny the CreateCacheCluster action if the request tag Project is missing or is not equal to Dev, QA or Prod. The Deny statement fires when the tag is absent (the Null operator), and the final Allow grants creation only for the three permitted values, so any other value is denied implicitly.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateCacheCluster"],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*",
        "arn:aws:elasticache:*:*:securitygroup:*",
        "arn:aws:elasticache:*:*:replicationgroup:*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": ["elasticache:CreateCacheCluster"],
      "Resource": ["arn:aws:elasticache:*:*:cluster:*"],
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:AddTagsToResource"
      ],
      "Resource": "arn:aws:elasticache:*:*:cluster:*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Project": ["Dev", "Prod", "QA"]
        }
      }
    }
  ]
}
```
elasticache:CreateCacheCluster: Allow CreateCacheCluster with cacheNodeType cache.r5.large or cache.r6g.4xlarge and tag Project=XYZ. The node type check uses StringEqualsIfExists rather than StringEquals; the note that follows explains why.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheCluster",
        "elasticache:CreateReplicationGroup"
      ],
      "Resource": [
        "arn:aws:elasticache:*:*:parametergroup:*",
        "arn:aws:elasticache:*:*:subnetgroup:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticache:CreateCacheCluster"],
      "Resource": ["arn:aws:elasticache:*:*:cluster:*"],
      "Condition": {
        "StringEqualsIfExists": {
          "elasticache:CacheNodeType": ["cache.r5.large", "cache.r6g.4xlarge"]
        },
        "StringEquals": {
          "aws:RequestTag/Project": "XYZ"
        }
      }
    }
  ]
}
```
Note
When creating policies that enforce tags and other condition keys together, the IfExists form of the operator (for example StringEqualsIfExists) may be required on the service-specific condition keys. A creation request that carries the --tags parameter is additionally authorized as elasticache:AddTagsToResource, and creation-time keys such as elasticache:CacheNodeType are not present in the context of that authorization. A plain StringEquals fails on the absent key and the whole request is denied, whereas the IfExists form passes when the key is absent and still enforces the value whenever the key is present.
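The two behaviours described above, the IfExists requirement for tagged creation requests and the fact that the MultiAZ example's explicit Deny grants nothing by itself, are easier to see by running the page's policies through a small model of IAM evaluation. The following is an added example, not AWS code or part of the original page: it implements only the operators these policies use, the ARNs are constructed, and the two-authorization model of a tagged create (create action with creation keys, plus an AddTagsToResource check that sees only the request tags) is an assumption drawn from the note above rather than something the page states outright.

```python
"""Offline evaluator for the condition-key policies on this page.

Added example, not AWS code. It models the slice of IAM evaluation these policies
depend on (implicit deny, a matching explicit Deny beating any Allow, and the
operators used on this page including their IfExists and Null forms). The IAM
policy simulator stays the authoritative check; this is for reasoning.
"""
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(operator, wanted, actual):
    """One operator applied to one request-context value (None = key absent)."""
    if operator == "Null":  # "true" matches an absent key, "false" a present one
        return (actual is None) == (str(wanted).lower() == "true")
    if actual is None:  # absent key: ...IfExists operators pass, all others fail
        return operator.endswith("IfExists")
    base = operator[:-len("IfExists")] if operator.endswith("IfExists") else operator
    values = _as_list(wanted)
    if base == "StringEquals":
        return actual in values
    if base == "Bool":
        return str(actual).lower() == str(values[0]).lower()
    if base == "NumericLessThanEquals":
        return float(actual) <= float(values[0])
    if base == "NumericGreaterThanEquals":
        return float(actual) >= float(values[0])
    raise ValueError(f"operator not modelled here: {operator}")

def _matches(stmt, action, resource, context):
    """True when Action, Resource and every Condition entry match the request."""
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, wanted, context.get(key))
               for op, keys in stmt.get("Condition", {}).items()
               for key, wanted in keys.items())

def evaluate(policy, action, resource, context):
    """'allow' or 'deny': implicit deny unless an Allow matches; explicit Deny wins."""
    decision = "deny"
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision

# Constructed ARNs for the scenarios below.
CLUSTER_ARN = "arn:aws:elasticache:us-east-1:123456789012:cluster:demo"
RG_ARN = "arn:aws:elasticache:us-east-1:123456789012:replicationgroup:demo"

def node_type_and_tag_policy(node_type_operator):
    """Cluster statement of the page's 'r5.large/r6g.4xlarge plus Project=XYZ'
    example, with AddTagsToResource added to Action so tagged creates can be
    modelled; the operator applied to CacheNodeType is the variable under test."""
    condition = {"StringEquals": {"aws:RequestTag/Project": "XYZ"}}
    condition.setdefault(node_type_operator, {})["elasticache:CacheNodeType"] = [
        "cache.r5.large", "cache.r6g.4xlarge"]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticache:CreateCacheCluster", "elasticache:AddTagsToResource"],
        "Resource": "arn:aws:elasticache:*:*:cluster:*",
        "Condition": condition}]}

def create_cluster_with_tags(policy, node_type, tags):
    """Tagged CreateCacheCluster modelled as two authorizations (an assumption
    drawn from the page's note): the create action sees the creation keys plus
    the request tags; the implied AddTagsToResource check sees only the tags."""
    tag_ctx = {f"aws:RequestTag/{k}": v for k, v in tags.items()}
    create_ctx = {**tag_ctx, "elasticache:CacheNodeType": node_type}
    create = evaluate(policy, "elasticache:CreateCacheCluster", CLUSTER_ARN, create_ctx)
    tagging = evaluate(policy, "elasticache:AddTagsToResource", CLUSTER_ARN, tag_ctx)
    return "allow" if create == tagging == "allow" else "deny"

MULTI_AZ_DENY = {  # the Deny statement from the page's MultiAZ example
    "Effect": "Deny",
    "Action": ["elasticache:CreateReplicationGroup"],
    "Resource": ["arn:aws:elasticache:*:*:replicationgroup:*"],
    "Condition": {"Bool": {"elasticache:MultiAZEnabled": "false"}}}
ALLOW_CREATE_RG = {  # the Allow that Deny has to be paired with to grant anything
    "Effect": "Allow",
    "Action": ["elasticache:CreateReplicationGroup"],
    "Resource": ["arn:aws:elasticache:*:*:replicationgroup:*"]}

def create_replication_group(statements, context):
    policy = {"Version": "2012-10-17", "Statement": statements}
    return evaluate(policy, "elasticache:CreateReplicationGroup", RG_ARN, context)

def modify_replication_group(operator, context):
    """The page's ModifyReplicationGroup TLS policy with the operator swapped in."""
    policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticache:ModifyReplicationGroup"],
        "Resource": ["arn:aws:elasticache:*:*:replicationgroup:*"],
        "Condition": {operator: {"elasticache:TransitEncryptionEnabled": "true"}}}]}
    return evaluate(policy, "elasticache:ModifyReplicationGroup", RG_ARN, context)
```

With StringEquals on elasticache:CacheNodeType, create_cluster_with_tags returns "deny" even for an allowed node type, because the key is absent in the AddTagsToResource evaluation; with StringEqualsIfExists it returns "allow", while a disallowed node type or a wrong Project tag is still denied. create_replication_group([MULTI_AZ_DENY], ...) returns "deny" for every request, and adding ALLOW_CREATE_RG allows Multi-AZ creates while the Deny still catches MultiAZEnabled=false. The model also shows that a request whose context has no elasticache:MultiAZEnabled key at all is not caught by the Deny (Bool on an absent key does not match); whether ElastiCache populates that key when the parameter is omitted is not stated on this page, so confirm that case with the policy simulator, for example `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names elasticache:CreateReplicationGroup --context-entries ContextKeyName=elasticache:MultiAZEnabled,ContextKeyValues=false,ContextKeyType=boolean`, before relying on a Deny-only guardrail.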