AWS Identity and Access Management
User Guide

IAM JSON Policy Elements: Condition

The Condition element (or Condition block) lets you specify conditions for when a policy is in effect. The Condition element is optional. In the Condition element, you build expressions in which you use condition operators (equal, less than, etc.) to match the condition in the policy against values in the request. For example, you can use the date or the IP address of the requester in the condition value. Some services let you specify additional values in conditions; for example, Amazon EC2 lets you write a condition using the ec2:InstanceType key, which is unique to that service.

Condition key names are not case-sensitive. For example, including the aws:SourceIP condition key is equivalent to testing for AWS:SourceIp. Case-sensitivity of condition key values depends on the condition operator that you use. For example, the following condition includes the StringEquals operator to ensure that only requests made by johndoe will match. Users named JohnDoe are denied access.

"Condition" : { "StringEquals" : { "aws:username" : "johndoe" }}

The following condition uses the StringEqualsIgnoreCase operator to match users named johndoe or JohnDoe.

"Condition" : { "StringEqualsIgnoreCase" : { "aws:username" : "johndoe" }}

Some condition keys support key–value pairs that allow you to specify part of the key name. Examples include the aws:RequestTag/tag-key global condition key, the AWS KMS kms:EncryptionContext:encryption_context_key, and the ResourceTag/tag-key condition key supported by multiple services. If you use the ResourceTag/tag-key condition key for a service such as Amazon EC2, then you must specify a key name for the tag-key. Key names are not case-sensitive. This means that if you specify "ec2:ResourceTag:TagKey1": "Value1" in the condition element of your policy, then the condition matches a resource tag key named either TagKey1 or tagkey1, but not both. AWS services that support these attributes might allow you to create multiple key names that differ only by case. An example is tagging an Amazon EC2 instance with foo=bar1 and Foo=bar2. When you use a condition such as "ec2:ResourceTag:Foo": "bar1" to allow access to that resource, the key name matches both tags, but only one value matches. This can result in unexpected condition failures.


As a best practice, make sure that members of your account follow a consistent naming convention when naming key–value pair attributes. Examples include tags or AWS KMS encryption contexts. You can enforce this using the aws:TagKeys condition key for tagging, or the kms:EncryptionContextKeys for the AWS KMS encryption context.

The Condition Block

The following example shows the basic format of a Condition element:

"Condition": { "DateGreaterThan" : { "aws:CurrentTime" : "2013-12-15T12:00:00Z" } }

A value from the request is represented by a key, in this case aws:CurrentTime. The key value is compared to a value that you specify either as a literal value (2013-08-16T12:00:00Z) or as a policy variable, as explained later. The type of comparison to make is specified by the condition operator (here, DateGreaterThan). You can create conditions that compare strings, dates, numbers, and so on, using typical Boolean comparisons like equals, greater than, and less than.

Under some circumstances, keys can contain multiple values. For example, a request to Amazon DynamoDB might ask to return or update multiple attributes from a table. A policy for access to DynamoDB tables can include the dynamodb:Attributes key, which contains all the attributes listed in the request. You can test the multiple attributes in the request against a list of allowed attributes in a policy by using set operators in the Condition element. For more information, see Creating a Condition with Multiple Keys or Values.

When the policy is evaluated during a request, AWS replaces the key with the corresponding value from the request. (In this example, AWS would use the date and time of the request.) The condition is evaluated to return true or false, which is then factored into whether the policy as a whole allows or denies the request.

Multiple Values in a Condition

A Condition element can contain multiple conditions, and each condition can contain multiple key-value pairs. The following figure illustrates this.

For more information, see Creating a Condition with Multiple Keys or Values.

On this page: