Multivalued context key examples
The following set of policy examples demonstrates how to create policy conditions with multivalued context keys.
Example: Deny policy with condition set operator ForAllValues
The following example identity-based policy denies the use of IAM tagging actions when specific tag key prefixes are included in the request. Each value for context key aws:TagKeys includes a wildcard (*) for partial string matching. The policy includes the ForAllValues set operator with context key aws:TagKeys because the request context key can include multiple values. For context key aws:TagKeys to return true, every value in the request must match at least one value in the policy.

The ForAllValues set operator also returns true if there are no context keys in the request, or if the context key value resolves to a null dataset, such as an empty string. To prevent missing context keys or context keys with empty values from evaluating to true, include the Null condition operator in your policy with a value of false to check that the context key in the request exists and its value is not null.
Important
This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRestrictedTags",
      "Effect": "Deny",
      "Action": [
        "iam:Tag*",
        "iam:UnTag*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:TagKeys": "false"
        },
        "ForAllValues:StringLike": {
          "aws:TagKeys": [
            "key1*",
            "key2*",
            "key3*"
          ]
        }
      }
    }
  ]
}
Example: Deny policy with condition set operator ForAnyValue
The following identity-based policy example denies creating snapshots of EC2 instance volumes if any snapshots are tagged with one of the tag keys specified in the policy, environment or webserver. The policy includes the ForAnyValue set operator with context key aws:TagKeys because the request context key can include multiple values. If your tagging request includes any one of the tag key values specified in the policy, the aws:TagKeys context key returns true, invoking the Deny effect of the policy.
Important
This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateSnapshots"
      ],
      "Resource": "arn:aws:ec2:us-west-2::snapshot/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "environment",
            "webserver"
          ]
        }
      }
    }
  ]
}
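To make the set-operator semantics from both examples concrete, here is an added, simplified model of how a Condition element is evaluated; it is not AWS code and is an assumption, not the real IAM evaluator (it ignores Resource matching and case-insensitivity of action names). It reproduces the ForAllValues pitfall the first example guards against: without the Null check, a request that carries no tag keys at all satisfies the Deny condition.

```python
import re

def _string_like(value, pattern):
    # StringLike: '*' matches any run of characters, '?' a single character; case-sensitive.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

_MATCHERS = {"StringEquals": lambda v, p: v == p, "StringLike": _string_like}

def condition_matches(condition, request):
    """Simplified model of an IAM Condition element (an assumption, not the real evaluator).
    `request` maps context key -> list of values; a missing key is an absent context key."""
    for operator, clauses in condition.items():
        for key, policy_values in clauses.items():
            values = [v for v in (request.get(key) or []) if v != ""]  # "" is a null dataset
            policy_values = policy_values if isinstance(policy_values, list) else [policy_values]
            if operator == "Null":
                # Null "true" matches an absent or empty key; "false" requires it to be present.
                if (len(values) == 0) != (policy_values[0] == "true"):
                    return False
                continue
            set_op, _, base_op = operator.partition(":")
            hits = [any(_MATCHERS[base_op](v, p) for p in policy_values) for v in values]
            # ForAllValues: every request value matches some policy value; all([]) is True,
            # so an absent or empty key matches vacuously. ForAnyValue: at least one matches.
            if set_op == "ForAllValues" and not all(hits):
                return False
            if set_op == "ForAnyValue" and not any(hits):
                return False
    return True

def is_denied(policy, action, request):
    """True if a Deny statement names `action` and its Condition matches (Resource ignored)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Deny" and any(_string_like(action, a) for a in actions):
            if condition_matches(stmt.get("Condition", {}), request):
                return True
    return False

# The page's DenyRestrictedTags policy, and a variant with the Null guard removed.
DENY_RESTRICTED_TAGS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["iam:Tag*", "iam:UnTag*"], "Resource": ["*"],
    "Condition": {"Null": {"aws:TagKeys": "false"},
                  "ForAllValues:StringLike": {"aws:TagKeys": ["key1*", "key2*", "key3*"]}}}]}
WITHOUT_NULL_GUARD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["iam:Tag*", "iam:UnTag*"], "Resource": ["*"],
    "Condition": {"ForAllValues:StringLike": {"aws:TagKeys": ["key1*", "key2*", "key3*"]}}}]}
```

Request values such as "key1-a" and "owner" below are constructed sample tag keys; the ForAnyValue condition from the second example can be checked by passing its Condition dictionary straight to condition_matches.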