# IAM JSON policy reference
This section presents detailed syntax, descriptions, and examples of the elements, variables, and evaluation logic of JSON policies in IAM. For more general information, see [Overview of JSON policies](access_policies.md#access_policies-json).
This reference includes the following sections.
+ [IAM JSON policy element reference](reference_policies_elements.md) — Learn more about the elements that you can use when you create a policy. View additional policy examples and learn about conditions, supported data types, and how they are used in various services.
+ [Policy evaluation logic](reference_policies_evaluation-logic.md) — This section describes AWS requests, how they are authenticated, and how AWS uses policies to determine access to resources.
+ [Grammar of the IAM JSON policy language](reference_policies_grammar.md) — This section presents a formal grammar for the language that is used to create policies in IAM.
+ [AWS managed policies for job functions](access_policies_job-functions.md) — This section lists all the AWS managed policies that directly map to common job functions in the IT industry. Use these policies to grant the permissions that are needed to carry out the tasks expected of someone in a specific job function. These policies consolidate permissions for many services into a single policy.
+ [AWS global condition context keys](reference_policies_condition-keys.md) — This section includes a list of all the AWS global condition keys that you can use to limit permissions in an IAM policy.
+ [IAM and AWS STS condition context keys](reference_policies_iam-condition-keys.md) — This section includes a list of all the IAM and AWS STS condition keys that you can use to limit permissions in an IAM policy.
+ [Actions, Resources, and Condition Keys for AWS Services](reference_policies_actions-resources-contextkeys.html) — This section presents a list of all the AWS API operations that you can use as permissions in an IAM policy. It also includes the service-specific condition keys that can be used to further refine the request.
# IAM JSON policy element reference
JSON policy documents are made up of elements. The elements are listed here in the general order you use them in a policy. The order of the elements doesn't matter—for example, the `Resource` element can come before the `Action` element. You're not required to specify any `Condition` elements in the policy. To learn more about the general structure and purpose of a JSON policy document, see [Overview of JSON policies](access_policies.md#access_policies-json).
Some JSON policy elements are mutually exclusive. This means that you cannot create a policy that uses both. For example, you cannot use both `Action` and `NotAction` in the same policy statement. Other pairs that are mutually exclusive include `Principal`/`NotPrincipal` and `Resource`/`NotResource`.
The details of what goes into a policy vary for each service, depending on what actions the service makes available, what types of resources it contains, and so on. When you're writing policies for a specific service, it's helpful to see examples of policies for that service. For a list of all the services that support IAM, and for links to the documentation in those services that discusses IAM and policies, see [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md).
When you create or edit a JSON policy, IAM can perform policy validation to help you create an effective policy. IAM identifies JSON syntax errors, while IAM Access Analyzer provides additional policy checks with recommendations to help you further refine your policies. To learn more about policy validation, see [IAM policy validation](access_policies_policy-validator.md). To learn more about IAM Access Analyzer policy checks and actionable recommendations, see [ IAM Access Analyzer policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html).
**Topics**
+ [Version](reference_policies_elements_version.md)
+ [Id](reference_policies_elements_id.md)
+ [Statement](reference_policies_elements_statement.md)
+ [Sid](reference_policies_elements_sid.md)
+ [Effect](reference_policies_elements_effect.md)
+ [Principal](reference_policies_elements_principal.md)
+ [NotPrincipal](reference_policies_elements_notprincipal.md)
+ [Action](reference_policies_elements_action.md)
+ [NotAction](reference_policies_elements_notaction.md)
+ [Resource](reference_policies_elements_resource.md)
+ [NotResource](reference_policies_elements_notresource.md)
+ [Condition](reference_policies_elements_condition.md)
+ [Variables and tags](reference_policies_variables.md)
+ [Supported data types](reference_policies_elements_datatypes.md)
# IAM JSON policy elements: Version
**Disambiguation note**
This `Version` JSON policy element is different from a *policy version*. The `Version` policy element is used within a policy and defines the version of the policy language. A policy version, on the other hand, is created when you make changes to a customer managed policy in IAM. The changed policy doesn't overwrite the existing policy. Instead, IAM creates a new version of the managed policy. If you were searching for information about the multiple version support available for managed policies, see [Versioning IAM policies](access_policies_managed-versioning.md).
The `Version` policy element specifies the language syntax rules that are to be used to process a policy. To use all of the available policy features, include the following `Version` element **outside** the `Statement` element in all of your policies.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}
]
}
```
------
IAM supports the following `Version` element values:
+ `2012-10-17`. This is the current version of the policy language, and you should always include a `Version` element and set it to `2012-10-17`. Otherwise, you cannot use features such as [policy variables](reference_policies_variables.md) that were introduced with this version.
+ `2008-10-17`. This was an earlier version of the policy language. You might see this version on older existing policies. Do not use this version for any new policies or when you update any existing policies. Newer features, such as policy variables, will not work with your policy. For example, variables such as `${aws:username}` aren't recognized as variables and are instead treated as literal strings in the policy.
# IAM JSON policy elements: Id
The `Id` element specifies an optional identifier for the policy. The ID is used differently in different services. ID is allowed in resource-based policies, but not in identity-based policies.
For services that let you set an `ID` element, we recommend you use a UUID (GUID) for the value, or incorporate a UUID as part of the ID to ensure uniqueness.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "cd3ad3d9-2776-4ef1-a904-4c229d1642ee",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}
]
}
```
------
**Note**
Some AWS services (for example, Amazon SQS or Amazon SNS) might require this element and have uniqueness requirements for it. For service-specific information about writing policies, refer to the documentation for the service you're working with.
# IAM JSON policy elements: Statement
The `Statement` element is the main element for a policy. This element is required. The `Statement` element can contain a single statement or an array of individual statements. Each individual statement block must be enclosed in curly braces \$1 \$1. For multiple statements, the array must be enclosed in square brackets [ ].
```
"Statement": [{...},{...},{...}]
```
The following example shows a policy that contains an array of three statements inside a single `Statement` element. (The policy allows you to access your own "home folder" in the Amazon S3 console.) The policy includes the `aws:username` variable, which is replaced during policy evaluation with the user name from the request. For more information, see [Introduction](reference_policies_variables.md#policy-vars-intro).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
"Condition": {"StringLike": {"s3:prefix": [
"",
"home/",
"home/${aws:username}/"
]}}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/home/${aws:username}",
"arn:aws:s3:::amzn-s3-demo-bucket/home/${aws:username}/*"
]
}
]
}
```
------
# IAM JSON policy elements: Sid
You can provide a `Sid` (statement ID) as an optional identifier for the policy statement. You can assign a `Sid` value to each statement in a statement array. You can use the `Sid` value as a description for the policy statement. In services that let you specify an `ID` element, such as SQS and SNS, the `Sid` value is just a sub-ID of the policy document ID. In IAM, the `Sid` value must be unique within a JSON policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ExampleStatementID",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}
]
}
```
------
The `Sid` element supports ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).
IAM does not expose the `Sid` in the IAM API. You can't retrieve a particular statement based on this ID.
**Note**
Some AWS services (for example, Amazon SQS or Amazon SNS) might require this element and have uniqueness requirements for it. For service-specific information about writing policies, refer to the documentation for the service you work with.
# IAM JSON policy elements: Effect
The `Effect` element is required and specifies whether the statement results in an allow or an explicit deny. Valid values for `Effect` are `Allow` and `Deny`. The `Effect` value is case sensitive.
```
"Effect":"Allow"
```
By default, access to resources is denied. To allow access to a resource, you must set the `Effect` element to `Allow`. To override an allow (for example, to override an allow that is otherwise in force), you set the `Effect` element to `Deny`. For more information, see [Policy evaluation logic](reference_policies_evaluation-logic.md).
# AWS JSON policy elements: Principal
Use the `Principal` element in a resource-based JSON policy to specify the principal that is allowed or denied access to a resource.
You must use the `Principal` element in [resource-based policies](access_policies_identity-vs-resource.md). Several services support resource-based policies, including IAM. The IAM resource-based policy type is a role trust policy. In IAM roles, use the `Principal` element in the role trust policy to specify who can assume the role. For cross-account access, you must specify the 12-digit identifier of the trusted account. To learn whether principals in accounts outside of your zone of trust (trusted organization or account) have access to assume your roles, see [What is IAM Access Analyzer?](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html).
**Note**
After you create the role, you can change the account to "\$1" to allow everyone to assume the role. If you do this, we strongly recommend that you limit who can access the role through other means, such as a `Condition` element that limits access to only certain IP addresses. Do not leave your role accessible to everyone\$1
Other examples of resources that support resource-based policies include an Amazon S3 bucket or an AWS KMS key.
You cannot use the `Principal` element in an identity-based policy. Identity-based policies are permissions policies that you attach to IAM identities (users, groups, or roles). In those cases, the principal is implicitly the identity where the policy is attached.
**Topics**
+ [How to specify a principal](#Principal_specifying)
+ [AWS account principals](#principal-accounts)
+ [IAM role principals](#principal-roles)
+ [Role session principals](#principal-role-session)
+ [OIDC federated principals](#principal-federated-web-identity)
+ [SAML federated principals](#principal-saml)
+ [IAM user principals](#principal-users)
+ [IAM Identity Center principals](#principal-identity-users)
+ [AWS STS federated user principals](#sts-session-principals)
+ [AWS service principals](#principal-services)
+ [AWS service principals in opt-in Regions](#principal-services-in-opt-in-regions)
+ [All principals](#principal-anonymous)
+ [More information](#Principal_more-info)
## How to specify a principal
You specify a principal in the `Principal` element of a resource-based policy or in condition keys that support principals.
You can specify any of the following principals in a policy:
+ AWS account and root user
+ IAM roles
+ Role sessions
+ IAM users
+ Federated user principals
+ AWS services
+ All principals
You cannot identify a user group as a principal in a policy (such as a resource-based policy) because groups relate to permissions, not authentication, and principals are authenticated IAM entities.
You can specify more than one principal for each of the principal types in following sections using an array. Arrays can take one or more values. When you specify more than one principal in an element, you grant permissions to each principal. This is a logical `OR` and not a logical `AND`, because you authenticate as one principal at a time. If you include more than one value, use square brackets (`[` and `]`) and comma-delimit each entry for the array. The following example policy defines permissions for the 123456789012 account or the 555555555555 account.
```
"Principal" : {
"AWS": [
"123456789012",
"555555555555"
]
}
```
**Note**
You cannot use a wildcard to match part of a principal name or ARN.
## AWS account principals
You can specify AWS account identifiers in the `Principal` element of a resource-based policy or in condition keys that support principals. This delegates authority to the account. When you allow access to a different account, an administrator in that account must then grant access to an identity (IAM user or role) in that account. When you specify an AWS account, you can use the account ARN (arn:aws:iam::*account-ID*:root), or a shortened form that consists of the `"AWS":` prefix followed by the account ID.
For example, given an account ID of `123456789012`, you can use either of the following methods to specify that account in the `Principal` element:
```
"Principal": { "AWS": "arn:aws:iam::123456789012:root" }
```
```
"Principal": { "AWS": "123456789012" }
```
The account ARN and the shortened account ID behave the same way. Both delegate permissions to the account. Using the account ARN in the `Principal` element does not limit permissions to only the root user of the account.
**Note**
When you save a resource-based policy that includes the shortened account ID, the service might convert it to the principal ARN. This does not change the functionality of the policy.
Some AWS services support additional options for specifying an account principal. For example, Amazon S3 lets you specify a [canonical user ID](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html#FindingCanonicalId) using the following format:
```
"Principal": { "CanonicalUser": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be" }
```
You can also specify more than one AWS account, (or canonical user ID) as a principal using an array. For example, you can specify a principal in a bucket policy using all three methods.
```
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:root",
"999999999999"
],
"CanonicalUser": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
}
```
## IAM role principals
You can specify IAM role principal ARNs in the `Principal` element of a resource-based policy or in condition keys that support principals. IAM roles are identities. In IAM, identities are resources to which you can assign permissions. Roles trust another authenticated identity to assume that role. This includes a principal in AWS or a user from an external identity provider (IdP). When a principal or identity assumes a role, they receive temporary security credentials with the assumed role’s permissions. When they use those session credentials to perform operations in AWS, they become a *role session principal*.
When you specify a role principal in a resource-based policy, the effective permissions for the principal are limited by any policy types that limit permissions for the role. This includes session policies and permissions boundaries. For more information about how the effective permissions for a role session are evaluated, see [Policy evaluation logic](reference_policies_evaluation-logic.md).
To specify the role ARN in the `Principal` element, use the following format:
```
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:role/role-name" }
```
**Important**
If your `Principal` element in a role trust policy contains an ARN that points to a specific IAM role, then that ARN transforms to the role's unique principal ID when you save the policy. This helps mitigate the risk of someone escalating their privileges by removing and recreating the role. You don't normally see this ID in the console, because IAM uses a reverse transformation back to the role ARN when the trust policy is displayed. However, if you delete the role, then you break the relationship. The policy no longer applies, even if you recreate the role because the new role has a new principal ID that does not match the ID stored in the trust policy. When this happens, the principal ID appears in resource-based policies because AWS can no longer map it back to a valid ARN. The end result is that if you delete and recreate a role referenced in a trust policy's `Principal` element, you must edit the role in the policy to replace the principal ID with the correct ARN. The ARN once again transforms into the role's new principal ID when you save the policy. For more information, see [Understanding AWS's Handling of Deleted IAM roles in Policies](https://repost.aws/articles/ARSqFcxvd7R9u-gcFD9nmA5g/understanding-aws-s-handling-of-deleted-iam-roles-in-policies).
Alternatively, you can specify the role principal as the principal in a resource-based policy or [create a broad-permission policy](#principal-anonymous) that uses the `aws:PrincipalArn` condition key. When you use this key, the role session principal is granted the permissions based on the ARN of role that was assumed, and not the ARN of the resulting session. Because AWS does not convert condition key ARNs to IDs, permissions granted to the role ARN persist if you delete the role and then create a new role with the same name. Identity-based policy types, such as permissions boundaries or session policies, do not limit permissions granted using the `aws:PrincipalArn` condition key with a wildcard(\$1) in the `Principal` element, unless the identity-based policies contain an explicit deny.
## Role session principals
You can specify role sessions in the `Principal` element of a resource-based policy or in condition keys that support principals. When a principal or identity assumes a role, they receive temporary security credentials with the assumed role’s permissions. When they use those session credentials to perform operations in AWS, they become a *role session principal*.
The format that you use for a role session principal depends on the AWS STS operation that was used to assume the role.
**Important**
AWS recommends using [IAM role principals](#principal-roles) in your policies instead of role session principals wherever possible. Use `Condition` statements and condition keys to further scope down access when required.
To specify the role session principal ARN in the `Principal` element, use the following format:
```
"Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" }
```
Additionally, administrators can design a process to control how role sessions are issued. For example, they can provide a one-click solution for their users that creates a predictable session name. If your administrator does this, you can use role session principals in your policies or condition keys. Otherwise, you can specify the role ARN as a principal in the `aws:PrincipalArn` condition key. How you specify the role as a principal can change the effective permissions for the resulting session. For more information, see [IAM role principals](#principal-roles).
## OIDC federated principals
An OIDC federated principal is the principal used when calling AWS STS `AssumeRoleWithWebIdentity` API with a JSON web token (JWT) from an OIDC compliant IDP, also known as OpenID Provider (OP), to request temporary AWS credentials. An OIDC federated principal can represent an OIDC IDP in your AWS account, or the 4 built in identity providers: Login with Amazon, Google, Facebook, and [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html).
Users, workloads, or systems who’ve been issued a JWT from their OIDC IDP can call `AssumeRoleWithWebIdentity` using the JWT to request temporary AWS security credentials for an IAM role that is configured to trust the OIDC IDP that issued the JWT. The JWT can be an id token, access token, or a JWT token delivered by any other method as long as it meets the [requirements listed by AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html#manage-oidc-provider-prerequisites). For more information, see [Common scenarios](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_federation_common_scenarios.html) and [Requesting credentials through an OIDC provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
Use this principal type in your role trust policy to allow or deny permissions to call `AssumeRoleWIthWebIdentity` using an OIDC IDP that exists in your AWS account, or one of the four built in IDPs. To specify the OIDC federated principal ARN in the `Principal` element of a role trust policy, use one of the following four formats for the built in OIDC IDPs:
```
"Principal": { "Federated": "cognito-identity.amazonaws.com" }
```
```
"Principal": { "Federated": "www.amazon.com" }
```
```
"Principal": { "Federated": "graph.facebook.com" }
```
```
"Principal": { "Federated": "accounts.google.com" }
```
When using a OIDC provider you add to your account, such as GitHub, you specify the provider's ARN in your role's trust policy. This configuration allows you to write IAM policies that control access specifically for users authenticated through your custom identity provider.
```
"Principal": { "Federated": "arn:aws:iam::AWS-account-ID:oidc-provider/full-OIDC-identity-provider-URL" }
```
For example, if GitHub was the trusted web identity provider, the OIDC role session ARN in the `Principal` element of a role trust policy uses the following format:
```
"Principal": { "Federated": "arn:aws:iam::AWS-account-ID:oidc-provider/tokens.actions.githubusercontent.com" }
```
See [Configuring OpenID Connect in Amazon Web Services](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) for more information.
OIDC federated principals are not supported in policy types other than role trust policies.
## SAML federated principals
A *SAML federated principal* is a principal that is used when calling AWS STS `AssumeRoleWithSAML` API to request temporary AWS credentials using a SAML assertion. You can use your SAML identity provider (IDP) to sign in, and then assume an IAM role using this operation. Similar to `AssumeRoleWithWebIdentity`, `AssumeRoleWithSAML` doesn't require AWS credentials for authentication. Instead, users first authenticate with their SAML identity provider, then make the `AssumeRoleWithSAML` API call using their SAML assertion, or are redirected to the AWS Sign-In/SAML page to sign into the AWS Management Console. For more information about which principals can assume a role using this operation, see [Compare AWS STS credentials](id_credentials_sts-comparison.md).
Use this principal type in your role trust policy to allow or deny permissions based on the trusted SAML identity provider. To specify the SAML identity role session ARN in the `Principal` element of a role trust policy, use the following format:
```
"Principal": { "Federated": "arn:aws:iam::AWS-account-ID:saml-provider/provider-name" }
```
## IAM user principals
You can specify IAM users in the `Principal` element of a resource-based policy or in condition keys that support principals.
**Note**
In a `Principal` element, the user name part of the [*Amazon Resource Name* (ARN)](reference_identifiers.md#identifiers-arns) is case sensitive.
```
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" }
```
```
"Principal": {
"AWS": [
"arn:aws:iam::AWS-account-ID:user/user-name-1",
"arn:aws:iam::AWS-account-ID:user/user-name-2"
]
}
```
When you specify users in a `Principal` element, you cannot use a wildcard (`*`) to mean "all users". Principals must always name specific users.
**Important**
If your `Principal` element in a role trust policy contains an ARN that points to a specific IAM user, then IAM transforms the ARN to the user's unique principal ID when you save the policy. This helps mitigate the risk of someone escalating their privileges by removing and recreating the user. You don't normally see this ID in the console, because there is also a reverse transformation back to the user's ARN when the trust policy is displayed. However, if you delete the user, then you break the relationship. The policy no longer applies, even if you recreate the user. That's because the new user has a new principal ID that does not match the ID stored in the trust policy. When this happens, the principal ID appears in resource-based policies because AWS can no longer map it back to a valid ARN. The result is that if you delete and recreate a user referenced in a trust policy `Principal` element, you must edit the role to replace the now incorrect principal ID with the correct ARN. IAM once again transforms ARN into the user's new principal ID when you save the policy.
## IAM Identity Center principals
In IAM Identity Center, the principal in a resource-based policy must be defined as the AWS account principal. To specify access, reference the role ARN of the permission set in the condition block. For details, see [Referencing permission sets in resource policies, Amazon EKS, and AWS KMS](https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html) in the *IAM Identity Center User Guide*.
## AWS STS federated user principals
You can specify *federated user sessions* in the `Principal` element of a resource-based policy or in condition keys that support principals.
**Important**
AWS recommends that you limit the use of AWS STS federated user sessions. Instead, use [IAM roles](IAM/latest/UserGuide/tutorial_cross-account-with-roles.html).
An AWS STS federated user principal is created through the `GetFederationToken` operation called with long-lived IAM credentials. Federated user permissions are the intersection of the principal that called `GetFederationToken` and the session policies passed as parameters to the `GetFederationToken` API.
In AWS, IAM users or an AWS account root user can authenticate using long-term access keys. For more information about which principals can federate using this operation, see [Compare AWS STS credentials](id_credentials_sts-comparison.md).
+ **IAM federated user** – An IAM user federates using the `GetFederationToken` operation that results in a federated user session for that IAM user.
+ **Federated root user** – A root user federates using the `GetFederationToken` operation that results in a federated user session for that root user.
When an IAM user or root user requests temporary credentials from AWS STS using this operation, they begin a temporary federated user session. This session’s ARN is based on the original identity that was federated.
To specify the federated user session ARN in the `Principal` element, use the following format:
```
"Principal": { "AWS": "arn:aws:sts::AWS-account-ID:federated-user/user-name" }
```
## AWS service principals
You can specify AWS services in the `Principal` element of a resource-based policy or in condition keys that support principals. A *service principal* is an identifier for a service.
IAM roles that can be assumed by an AWS service are called *[service roles](id_roles.md#iam-term-service-role)*. Service roles must include a trust policy. *Trust policies* are resource-based policies attached to a role that defines which principals can assume the role. Some service roles have predefined trust policies. However, in some cases, you must specify the service principal in the trust policy. The service principal in an IAM policy can't be `"Service": "*"`.
**Important**
The identifier for a service principal includes the service name, and is usually in the following format:
`service-name.amazonaws.com`
The service principal is defined by the service. You can find the service principal for some services by opening [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md), checking whether the service has **Yes **in the **Service-linked role** column, and opening the **Yes** link to view the service-linked role documentation for that service. Find the **Service-Linked Role Permissions** section for that service to view the service principal.
The following example shows a policy that can be attached to a service role. The policy enables two services, Amazon ECS and Elastic Load Balancing, to assume the role. The services can then perform any tasks granted by the permissions policy assigned to the role (not shown). To specify multiple service principals, you do not specify two `Service` elements; you can have only one. Instead, you use an array of multiple service principals as the value of a single `Service` element.
```
"Principal": {
"Service": [
"ecs.amazonaws.com",
"elasticloadbalancing.amazonaws.com"
]
}
```
## AWS service principals in opt-in Regions
You can launch resources in several AWS Regions and some of those Regions you must opt in to. For a complete list of Regions you must opt in to, see [Managing AWS Regions](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html) in the *AWS General Reference* guide.
When an AWS service in an opt-in Region makes a request within the same Region, the service principal name format is identified as the non-regionalized version of their service principal name:
`service-name.amazonaws.com`
When an AWS service in an opt-in Region makes a cross-region request to another Region, the service principal name format is identified as the regionalized version of their service principal name:
`service-name.{region}.amazonaws.com`
For example, you have an Amazon SNS topic located in Region `ap-southeast-1` and an Amazon S3 bucket located in opt-in Region `ap-east-1`. You want to configure S3 bucket notifications to publish messages to the SNS topic. To allow the S3 service to post messages to the SNS topic you must grant the S3 service principal `sns:Publish` permission via the resource-based access policy of the topic.
If you specify the non-regionalized version of the S3 service principal, `s3.amazonaws.com`, in the topic access policy, the `sns:Publish` request from the bucket to the topic will fail. The following example specifies the non-regionalized S3 service principal in the `Principal` policy element of the SNS topic access policy.
```
"Principal": { "Service": "s3.amazonaws.com" }
```
Since the bucket is located in an opt-in Region and the request is made outside of that same Region, the S3 service principal appears as the regionalized service principal name, `s3.ap-east-1.amazonaws.com`. You must use the regionalized service principal name when an AWS service in an opt-in Region makes a request to another Region. After you specify the regionalized service principal name, if the bucket makes an `sns:Publish` request to the SNS topic located in another Region, the request will be successful. The following example specifies the regionalized S3 service principal in the `Principal` policy element of the SNS topic access policy.
```
"Principal": { "Service": "s3.ap-east-1.amazonaws.com" }
```
Resource policies or service principal-based allow-lists for cross-Region requests from an opt-in Region to another Region will only be successful if you specify the regionalized service principal name.
**Note**
For IAM role trust policies, we recommend using the non-regionalized service principal name. IAM resources are global and therefore the same role can be used in any Region.
## All principals
You can use a wildcard (\$1) to specify all principals in the `Principal` element of a resource-based policy or in condition keys that support principals. [Resource-based policies](access_policies.md#policies_resource-based) *grant* permissions and [condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) are used to limit the conditions of a policy statement.
**Important**
We strongly recommend that you do not use a wildcard (\$1) in the `Principal` element of a resource-based policy with an `Allow` effect unless you intend to grant public or anonymous access. Otherwise, specify intended principals, services, or AWS accounts in the `Principal` element and then further restrict access in the `Condition` element. This is especially true for IAM role trust policies, because they allow other principals to become a principal in your account.
For resource-based policies, using a wildcard (\$1) with an `Allow` effect grants access to all users, including anonymous users (public access). For IAM users and role principals within your account, no other permissions are required. For principals in other accounts, they must also have identity-based permissions in their account that allow them to access your resource. This is called [cross-account access](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html).
For anonymous users, the following elements are equivalent:
```
"Principal": "*"
```
```
"Principal" : { "AWS" : "*" }
```
You cannot use a wildcard to match part of a principal name or ARN.
The following example shows a resource-based policy that can be used instead of [AWS JSON policy elements: NotPrincipal](reference_policies_elements_notprincipal.md) to explicitly deny all principals *except* for the ones specified in the `Condition` element. This policy should be [added to an Amazon S3 bucket](https://docs.aws.amazon.com//AmazonS3/latest/userguide/add-bucket-policy.html).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "UsePrincipalArnInsteadOfNotPrincipalWithDeny",
"Effect": "Deny",
"Action": "s3:*",
"Principal": "*",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*",
"arn:aws:s3:::amzn-s3-demo-bucket"
],
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::444455556666:user/user-name"
}
}
}
]
}
```
------
## More information
For more information, see the following:
+ [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) in the *Amazon Simple Storage Service User Guide*
+ [Example policies for Amazon SNS](https://docs.aws.amazon.com/sns/latest/dg/UsingIAMwithSNS.html#ExamplePolicies_SNS) in the *Amazon Simple Notification Service Developer Guide*
+ [Amazon SQS policy examples](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html) in the *Amazon Simple Queue Service Developer Guide*
+ [Key policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*
+ [Account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html) in the *AWS General Reference*
+ [OIDC federation](id_roles_providers_oidc.md)
# AWS JSON policy elements: NotPrincipal
The `NotPrincipal` element uses `"Effect":"Deny"` to deny access to all principals ***except*** the principal specified in the `NotPrincipal` element. A principal can be an IAM user, AWS STS federated user principal, IAM role, assumed role session, AWS account, AWS service, or other principal type. For more information about principals, see [AWS JSON policy elements: Principal](reference_policies_elements_principal.md).
`NotPrincipal` must be used with `"Effect":"Deny"`. Using it with `"Effect":"Allow"` is not supported.
**Important**
We do not recommend the use of `NotPrincipal` for new resource-based policies as part of your security and authorization strategy. When you use `NotPrincipal`, troubleshooting the effects of multiple policy types can be difficult. We recommend using the `aws:PrincipalArn` context key with ARN condition operators instead.
## Key points
+ The `NotPrincipal` element is supported in resource-based policies for some AWS services, including VPC endpoints. Resource-based policies are policies that you embed directly in a resource. You cannot use the `NotPrincipal` element in an IAM identity-based policy nor in an IAM role trust policy.
+ Don't use resource-based policy statements that include a `NotPrincipal` policy element with a `Deny` effect for IAM users or roles that have a permissions boundary policy attached. The `NotPrincipal` element with a `Deny` effect will always deny any IAM principal that has a permissions boundary policy attached, regardless of the values specified in the `NotPrincipal` element. This causes some IAM users or roles that would otherwise have access to the resource to lose access. We recommend changing your resource-based policy statements to use the condition operator [`ArnNotEquals`](reference_policies_elements_condition_operators.md#Conditions_ARN) with the [`aws:PrincipalArn`](reference_policies_condition-keys.md#condition-keys-principalarn) context key to limit access instead of the `NotPrincipal` element. For information about permissions boundaries, see [Permissions boundaries for IAM entities](access_policies_boundaries.md).
+ When you use `NotPrincipal`, you must also specify the account ARN of the not-denied principal. Otherwise, the policy might deny access to the entire account containing the principal. Depending on the service that you include in your policy, AWS might validate the account first and then the user. If an assumed-role user (someone who is using a role) is being evaluated, AWS might validate the account first, then the role, and then the assumed-role user. The assumed-role user is identified by the role session name that is specified when they assumed the role. Therefore, we strongly recommend that you explicitly include the ARN for a user's account, or include both the ARN for a role and the ARN for the account containing that role.
+ The `NotPrincipal` element isn’t supported in Service Control Policies (SCP) and Resource Control Policies (RCP).
## Alternatives to the `NotPrincipal` element
When managing access control in AWS, there may be scenarios where you need to explicitly deny all principals access to a resource, except for one or more principals you specify. AWS recommends using a Deny statement with global condition context keys for more precise control and easier troubleshooting. The following examples show alternative approaches using condition operators like `StringNotEquals` or `ArnNotEquals` to deny access to all principals except those specified in the Condition element.
## Example scenario using an IAM role
You can use a resource-based policy with a Deny statement to prevent all IAM roles, except those specified in the Condition element, from accessing or manipulating your resources. This approach follows the AWS security principle that an explicit deny always takes precedence over any allow statements and helps maintain the principle of least privilege across your AWS infrastructure.
Instead of using `NotPrincipal`, we recommend using a Deny statement with global condition context keys and the condition operator like [`ArnNotEquals`](reference_policies_elements_condition_operators.md#Conditions_ARN) to explicitly allow an IAM role access to your resources. The following example uses [aws:PrincipalArn](reference_policies_condition-keys.md#condition-keys-principalarn) to explicitly allow the role `read-only-role` to access Amazon S3 buckets in the `Bucket_Account_Audit` folder.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DenyCrossAuditAccess",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::Bucket_Account_Audit",
"arn:aws:s3:::Bucket_Account_Audit/*"
],
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::444455556666:role/read-only-role"
}
}
}
]
}
```
------
## Example scenario using a service principal
You can use a Deny statement to prevent all service principals, except those specified in the `Condition` element, from accessing or manipulating your resources. This approach is particularly useful when you need to implement fine-grained access controls or establish security boundaries between different services and applications in your AWS environment.
Instead of using `NotPrincipal`, we recommend using a Deny statement with global condition context keys and the condition operator [`StringNotEquals`](reference_policies_elements_condition_operators.md#Conditions_String) to explicitly allow a service principal access to your resources. The following example uses `aws:PrincipalServiceName` to explicitly allow the AWS CodeBuild service principal to access Amazon S3 buckets in the `BUCKETNAME` folder.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DenyNotCodeBuildAccess",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::BUCKETNAME",
"arn:aws:s3:::BUCKETNAME/*"
],
"Condition": {
"StringNotEqualsIfExists": {
"aws:PrincipalServiceName": "codebuild.amazonaws.com"
}
}
}
]
}
```
------
# IAM JSON policy elements: Action
The `Action` element describes the specific action or actions that will be allowed or denied. Statements must include either an `Action` or `NotAction` element. Each AWS service has its own set of actions that describe tasks that you can perform with that service. For example, the list of actions for Amazon S3 can be found at [Specifying Permissions in a Policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html) in the *Amazon Simple Storage Service User Guide*, the list of actions for Amazon EC2 can be found in the [Amazon EC2 API Reference](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/query-apis.html), and the list of actions for AWS Identity and Access Management can be found in the [IAM API Reference](https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html). To find the list of actions for other services, consult the API reference [documentation](http://aws.amazon.com/documentation) for the service.
AWS also provides service reference information in JSON format to streamline the automation of policy management workflows. With the service reference information, you can access available actions, resources, and condition keys across AWS services from machine-readable files. For more information, see [Simplified AWS service information for programmatic access](https://docs.aws.amazon.com/service-authorization/latest/reference/service-reference.html) in the Service Authorization Reference.
You specify a value using a service namespace as an action prefix (`iam`, `ec2`, `sqs`, `sns`, `s3`, etc.) followed by the name of the action to allow or deny. The name must match an action that is supported by the service. The prefix and the action name are case insensitive. For example, `iam:ListAccessKeys` is the same as `IAM:listaccesskeys`. The following examples show `Action` elements for different services.
**Amazon SQS action**
```
"Action": "sqs:SendMessage"
```
**Amazon EC2 action**
```
"Action": "ec2:StartInstances"
```
**IAM action**
```
"Action": "iam:ChangePassword"
```
**Amazon S3 action**
```
"Action": "s3:GetObject"
```
You can specify multiple values for the `Action` element.
```
"Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "ec2:StartInstances", "iam:ChangePassword", "s3:GetObject" ]
```
You can use multi-character match wildcards (`*`) and single-character match wildcards (`?`) to give access to all the actions the specific AWS product offers. For example, the following `Action` element applies to all S3 actions.
```
"Action": "s3:*"
```
You can also use wildcards (`*` or `?`) as part of the action name. For example, the following `Action` element applies to all IAM actions that include the string `AccessKey`, including `CreateAccessKey`, `DeleteAccessKey`, `ListAccessKeys`, and `UpdateAccessKey`.
```
"Action": "iam:*AccessKey*"
```
Some services let you limit the actions that are available. For example, Amazon SQS lets you make available just a subset of all the possible Amazon SQS actions. In that case, the `*` wildcard doesn't allow complete control of the queue; it allows only the subset of actions that you've shared. For more information, see [Understanding Permissions](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/acp-overview.html#PermissionTypes) in the *Amazon Simple Queue Service Developer Guide*.
# IAM JSON policy elements: NotAction
`NotAction` is an advanced policy element that explicitly matches everything *except* the specified list of actions. Using `NotAction` can result in a shorter policy by listing only a few actions that should not match, rather than including a long list of actions that will match. Actions specified in `NotAction` are not impacted by the `Allow` or `Deny` effect in a policy statement. This, in turn, means that all of the applicable actions or services that are not listed are allowed if you use the `Allow` effect. In addition, such unlisted actions or services are denied if you use the `Deny` effect. When you use `NotAction` with the `Resource` element, you provide scope for the policy. This is how AWS determines which actions or services are applicable. For more information, see the following example policy.
**NotAction with Allow**
You can use the `NotAction` element in a statement with `"Effect": "Allow"` to provide access to all of the actions in an AWS service, except for the actions specified in `NotAction`. You can use it with the `Resource` element to provide scope for the policy, limiting the allowed actions to the actions that can be performed on the specified resource.
The following example allows users to access all of the Amazon S3 actions that can be performed on any S3 resource *except* for deleting a bucket. This policy also does not allow actions in other services, because other service actions are not applicable to the S3 resources.
```
"Effect": "Allow",
"NotAction": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::*",
```
Sometimes, you might want to allow access to a large number of actions. By using the `NotAction` element you effectively reverse the statement, resulting in a shorter list of actions. For example, because AWS has so many services, you might want to create a policy that allows the user to do everything except access IAM actions.
The following example allows users to access every action in every AWS service except for IAM.
```
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
```
Be careful using the `NotAction` element and `"Effect": "Allow"` in the same statement or in a different statement within a policy. `NotAction` matches all services and actions that are not explicitly listed or applicable to the specified resource, and could result in granting users more permissions than you intended.
**NotAction with Deny**
You can use the `NotAction` element in a statement with `"Effect": "Deny"` to deny access to all of the listed resources except for the actions specified in the `NotAction` element. This combination does not allow the listed items, but instead explicitly denies the actions not listed. You must still allow actions that you want to allow.
The following conditional example denies access to non-IAM actions if the user is not signed in using MFA. If the user is signed in with MFA, then the `"Condition"` test fails and the final `"Deny"` statement has no effect. Note, however, that this would not grant the user access to any actions; it would only explicitly deny all other actions except IAM actions.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Sid": "DenyAllUsersNotUsingMFA",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
}]
}
```
------
For an example policy that denies access to actions outside of specific Regions, except for actions from specific services, see [AWS: Denies access to AWS based on the requested Region](reference_policies_examples_aws_deny-requested-region.md).
# IAM JSON policy elements: Resource
The `Resource` element in an IAM policy statement defines the object or objects that the statement applies to. Statements must include either a `Resource` or a `NotResource` element.
You specify a resource using an Amazon Resource Name (ARN). The format of the ARN depends on the AWS service and the specific resource you're referring to. Although the ARN format varies you always use an ARN to identify a resource. For more information about the format of ARNs, see [IAM ARNs](reference_identifiers.md#identifiers-arns). For information about how to specify a resource, refer to the documentation for the service you want to write a statement.
**Note**
Some AWS services do not allow you to specify actions for individual resources. In these cases, any actions that you list in the `Action` or `NotAction` element apply to all resources in that service. When this is the case, you use the wildcard character (`*`) in the `Resource` element.
The following example refers to a specific Amazon SQS queue.
```
"Resource": "arn:aws:sqs:us-east-2:account-ID-without-hyphens:queue1"
```
The following example refers to the IAM user named `Bob` in an AWS account.
**Note**
In the `Resource` element, the IAM user name is case sensitive.
```
"Resource": "arn:aws:iam::account-ID-without-hyphens:user/Bob"
```
## Using wildcards in resource ARNs
You can use wildcard characters (`*` and `?`) within the individual segments of an ARN (the parts separated by colons) to represent:
+ Any combination of characters (`*`)
+ Any single character (`?`)
You can use multiple `*` or `?` characters in each segment. If the `*` wildcard is the last character of a resource ARN segment, it can expand to match beyond the colon boundaries. We recommend you use wildcards (`*` and `?`) within ARN segments separated by a colon.
**Note**
You can't use a wildcard in the service segment that identifies the AWS product. For more information about ARN segments, see [Identify AWS resources with Amazon Resource Names (ARNs)](reference-arns.md)
The following example refers to all IAM users whose path is `/accounting`.
```
"Resource": "arn:aws:iam::account-ID-without-hyphens:user/accounting/*"
```
The following example refers to all items within a specific Amazon S3 bucket.
```
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
```
The asterisk (`*`) character can expand to replace everything within a segment, including characters like a forward slash (`/`) that may otherwise appear to be a delimiter within a given service namespace. For example, consider the following Amazon S3 ARN as the same wildcard expansion logic applies to all services.
```
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*/test/*"
```
The wildcards in the ARN apply to all of the following objects in the bucket, not only the first object listed.
```
amzn-s3-demo-bucket/1/test/object.jpg
amzn-s3-demo-bucket/1/2/test/object.jpg
amzn-s3-demo-bucket/1/2/test/3/object.jpg
amzn-s3-demo-bucket/1/2/3/test/4/object.jpg
amzn-s3-demo-bucket/1///test///object.jpg
amzn-s3-demo-bucket/1/test/.jpg
amzn-s3-demo-bucket//test/object.jpg
amzn-s3-demo-bucket/1/test/
```
Consider the last two objects in the previous list. An Amazon S3 object name can begin or end with the conventional delimiter forward slash (`/`) character. While `/` works as a delimiter, there is no specific significance when this character is used within a resource ARN. It is treated the same as any other valid character. The ARN would not match the following objects:
```
amzn-s3-demo-bucket/1-test/object.jpg
amzn-s3-demo-bucket/test/object.jpg
amzn-s3-demo-bucket/1/2/test.jpg
```
## Specifying multiple resources
You can specify multiple resources in the `Resource` element by using an array of ARNs. The following example refers to two DynamoDB tables.
```
"Resource": [
"arn:aws:dynamodb:us-east-2:account-ID-without-hyphens:table/books_table",
"arn:aws:dynamodb:us-east-2:account-ID-without-hyphens:table/magazines_table"
]
```
## Using policy variables in resource ARNs
In the `Resource` element, you can use JSON [policy variables](reference_policies_variables.md) in the part of the ARN that identifies the specific resource (that is, in the trailing part of the ARN). For example, you can use the key `{aws:username}` as part of a resource ARN to indicate that the current user's name should be included as part of the resource's name. The following example shows how you can use the `{aws:username}` key in a `Resource` element. The policy allows access to a Amazon DynamoDB table that matches the current user's name.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "dynamodb:*",
"Resource": "arn:aws:dynamodb:us-east-2:111122223333:table/${aws:username}"
}
}
```
------
For more information about JSON policy variables, see [IAM policy elements: Variables and tags](reference_policies_variables.md).
# IAM JSON policy elements: NotResource
`NotResource` is an advanced policy element that explicitly matches every resource except those specified. Using `NotResource` can result in a shorter policy by listing only a few resources that should not match, rather than including a long list of resources that will match. This is particularly useful for policies that apply within a single AWS service.
For example, imagine you have a group named `HRPayroll`. Members of `HRPayroll` should not be allowed to access any Amazon S3 resources except the `Payroll` folder in the `HRBucket` bucket. The following policy explicitly denies access to all Amazon S3 resources other than the listed resources. Note, however, that this policy does not grant the user access to any resources.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "s3:*",
"NotResource": [
"arn:aws:s3:::HRBucket/Payroll",
"arn:aws:s3:::HRBucket/Payroll/*"
]
}
}
```
------
Normally, to explicitly deny access to a resource you would write a policy that uses `"Effect":"Deny"` and that includes a `Resource` element that lists each folder individually. However, in that case, each time you add a folder to `HRBucket`, or add a resource to Amazon S3 that should not be accessed, you must add its name to the list in the `Resource` element. If you use a `NotResource` element instead, users are automatically denied access to new folders unless you add the folder names to the `NotResource` element.
When using `NotResource`, you should keep in mind that resources specified in this element are the *only* resources that are not limited. This, in turn, limits all of the resources that would apply to the action. In the example above, the policy affects only Amazon S3 actions, and therefore only Amazon S3 resources. If the `Action` element also included Amazon EC2 actions, then the policy would deny access to any EC2 resources not specified in the `NotResource` element. To learn which actions in a service allow specifying the ARN of a resource, see [Actions, Resources, and Condition Keys for AWS Services](reference_policies_actions-resources-contextkeys.html).
## NotResource with other elements
You should **never** use the `"Effect": "Allow"`, `"Action": "*"`, and `"NotResource": "arn:aws:s3:::HRBucket"` elements together. This statement is very dangerous, because it allows all actions in AWS on all resources except the `HRBucket` S3 bucket. This would even allow the user to add a policy to themselves that allows them to access `HRBucket`. Do not do this.
Be careful using the `NotResource` element and `"Effect": "Allow"` in the same statement or in a different statement within a policy. `NotResource` allows all services and resources that are not explicitly listed, and could result in granting users more permissions than you intended. Using the `NotResource` element and `"Effect": "Deny"` in the same statement denies services and resources that are not explicitly listed.
# IAM JSON policy elements: Condition
The `Condition` element (or `Condition` *block*) lets you specify conditions for when a policy is in effect. The `Condition` element is optional. In the `Condition` element, you build expressions in which you use [condition operators](reference_policies_elements_condition_operators.md) (equal, less than, and others) to match the context keys and values in the policy against keys and values in the request context. To learn more about the request context, see [Components of a request](intro-structure.md#intro-structure-request).
```
"Condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" }}
```
The context key that you specify in a policy condition can be a [global condition context key](reference_policies_condition-keys.md) or a service-specific context key. Global condition context keys have the `aws:` prefix. Service-specific context keys have the service's prefix. For example, Amazon EC2 lets you write a condition using the `ec2:InstanceType` context key, which is unique to that service. To view service-specific IAM context keys with the `iam:` prefix, see [IAM and AWS STS condition context keys](reference_policies_iam-condition-keys.md).
Context key *names* are not case-sensitive. For example, including the `aws:SourceIP` context key is equivalent to testing for `AWS:SourceIp`. Case-sensitivity of context key *values* depends on the [condition operator](reference_policies_elements_condition_operators.md) that you use. For example, the following condition includes the `StringEquals` operator to make sure that only requests made by `john` match. Users named `John` are denied access.
```
"Condition" : { "StringEquals" : { "aws:username" : "john" }}
```
The following condition uses the [`StringEqualsIgnoreCase`](reference_policies_elements_condition_operators.md#Conditions_String) operator to match users named `john` or `John`.
```
"Condition" : { "StringEqualsIgnoreCase" : { "aws:username" : "john" }}
```
Some context keys support key–value pairs that allow you to specify part of the key name. Examples include the [`aws:RequestTag/tag-key`](reference_policies_condition-keys.md#condition-keys-requesttag) context key, the AWS KMS [https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context), and the [`ResourceTag/tag-key`](reference_policies_condition-keys.md#condition-keys-resourcetag) context key supported by multiple services.
+ If you use the `ResourceTag/tag-key` context key for a service such as [Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#amazon-ec2-keys), then you must specify a key name for the `tag-key`.
+ **Key names are not case-sensitive.** This means that if you specify `"aws:ResourceTag/TagKey1": "Value1"` in the condition element of your policy, then the condition matches a resource tag key named either `TagKey1` or `tagkey1`, but not both.
+ AWS services that support these attributes might allow you to create multiple key names that differ only by case. For example, you might tag an Amazon EC2 instance with `ec2=test1` and `EC2=test2`. When you use a condition such as `"aws:ResourceTag/EC2": "test1"` to allow access to that resource, the key name matches both tags, but only one value matches. This can result in unexpected condition failures.
**Important**
As a best practice, make sure that members of your account follow a consistent naming convention when naming key–value pair attributes. Examples include tags or AWS KMS encryption contexts. You can enforce this using the [`aws:TagKeys`](reference_policies_condition-keys.md#condition-keys-tagkeys) context key for tagging, or the [https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context-keys](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context-keys) for the AWS KMS encryption context.
+ For a list of all of the condition operators and a description of how they work, see [Condition operators](reference_policies_elements_condition_operators.md).
+ Unless otherwise specified, all context keys can have multiple values. For a description of how to handle context keys that have multiple values, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
+ For a list of all of the globally available context keys, see [AWS global condition context keys](reference_policies_condition-keys.md).
+ For condition context keys that are defined by each service, see [Actions, Resources, and Condition Keys for AWS Services](reference_policies_actions-resources-contextkeys.html).
## The request context
When a [principal](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html?icmpid=docs_homepage_addtlrcs#principal) makes a [request](intro-structure.md#intro-structure-request) to AWS, AWS gathers the request information into a request context. The request context includes information about the principal, resources, actions, and other environmental properties. Policy evaluation matches the properties in the policy against the properties sent in the request to evaluate and authorize actions you can perform in AWS.
You can use the `Condition` element of a JSON policy to test specific context keys against the request context. For example, you can create a policy that uses the [aws:CurrentTime](reference_policies_condition-keys.md#condition-keys-currenttime) context key to [allow a user to perform actions within only a specific range of dates](reference_policies_examples_aws-dates.md).
The following example shows a representation of the request context when Martha Rivera sends a request to deactivate her MFA device.
```
Principal: AROA123456789EXAMPLE
Action: iam:DeactivateMFADevice
Resource: arn:aws:iam::user/martha
Context:
– aws:UserId=AROA123456789EXAMPLE:martha
– aws:PrincipalAccount=1123456789012
– aws:PrincipalOrgId=o-example
– aws:PrincipalARN=arn:aws:iam::1123456789012:assumed-role/TestAR
– aws:MultiFactorAuthPresent=true
– aws:MultiFactorAuthAge=2800
– aws:CurrentTime=...
– aws:EpochTime=...
– aws:SourceIp=...
```
The request context is matched against a policy that allows users to remove their own multi-factor authentication (MFA) device, but only if they have signed in using MFA in the last hour (3,600 seconds).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Sid": "AllowRemoveMfaOnlyIfRecentMfa",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
"Condition": {
"NumericLessThanEquals": {"aws:MultiFactorAuthAge": "3600"}
}
}
}
```
------
In this example, the policy matches the request context: the action is the same, the resource matches the “\$1” wildcard, and the value for `aws:MultiFactorAuthAge` is 2800, which is less than 3600, so the policy allows this authorization request.
AWS evaluates each context key in the policy and returns a value of *true* or *false*. A context key that is not present in the request is considered a mismatch.
The request context can return the following values:
+ **True** – If the requester signed in using MFA in the last one hour or less, then the condition returns *true*.
+ **False** – If the requester signed in using MFA more than one hour ago, then the condition returns *false*.
+ **Not present** – If the requester made a request using their IAM user access keys in the AWS CLI or AWS API, the key is not present. In this case, the key is not present, and it won't match.
**Note**
In some cases, when the condition key value is not present, the condition can still return true. For example, if you add the `ForAllValues` qualifier, the request returns true if the context key is not in the request. To prevent missing context keys or context keys with empty values from evaluating to true, you can include the [Null condition operator](reference_policies_elements_condition_operators.md#Conditions_Null) in your policy with a `false` value to check if the context key exists and its value is not null.
## The condition block
The following example shows the basic format of a `Condition` element:
```
"Condition": {"StringLike": {"s3:prefix": ["jane/*"]}}
```
A value from the request is represented by a context key, in this case `s3:prefix`. The context key value is compared to a value that you specify as a literal value, such as `jane/*`. The type of comparison to make is specified by the [condition operator](reference_policies_elements_condition_operators.md) (here, `StringLike`). You can create conditions that compare strings, dates, numbers, and more using typical Boolean comparisons such as equals, greater than, and less than. When you use [string operators](reference_policies_elements_condition_operators.md#Conditions_String) or [ARN operators](reference_policies_elements_condition_operators.md#Conditions_ARN), you can also use a [policy variable](reference_policies_variables.md) in the context key value. The following example includes the `aws:username` variable.
```
"Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
```
Under some circumstances, context keys can contain multiple values. For example, a request to Amazon DynamoDB might ask to return or update multiple attributes from a table. A policy for access to DynamoDB tables can include the `dynamodb:Attributes` context key, which contains all the attributes listed in the request. You can test the multiple attributes in the request against a list of allowed attributes in a policy by using set operators in the `Condition` element. For more information, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
When the policy is evaluated during a request, AWS replaces the key with the corresponding value from the request. (In this example, AWS would use the date and time of the request.) The condition is evaluated to return true or false, which is then factored into whether the policy as a whole allows or denies the request.
### Multiple values in a condition
A `Condition` element can contain multiple condition operators, and each condition operator can contain multiple context key-value pairs. The following figure illustrates this.
![\[two condition operator block diagrams. The first block includes two context key placeholders, each with multiple values. The second condition block includes one context key with multiple values.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/AccessPolicyLanguage_Condition_Block.diagram.png)
For more information, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
# IAM JSON policy elements: Condition operators
Use condition operators in the `Condition` element to match the condition key and value in the policy against values in the request context. For more information about the `Condition` element, see [IAM JSON policy elements: Condition](reference_policies_elements_condition.md).
The condition operator that you can use in a policy depends on the condition key you choose. You can choose a global condition key or a service-specific condition key. To learn which condition operator you can use for a global condition key, see [AWS global condition context keys](reference_policies_condition-keys.md). To learn which condition operator you can use for a service-specific condition key, see [Actions, Resources, and Condition Keys for AWS Services](reference_policies_actions-resources-contextkeys.html) and choose the service that you want to view.
**Important**
If the key that you specify in a policy condition is not present in the request context, the values do not match and the condition is *false*. If the policy condition requires that the key is *not* matched, such as `StringNotLike` or `ArnNotLike`, and the right key is not present, the condition is *true*. This logic applies to all condition operators except [...IfExists](#Conditions_IfExists) and [Null check](#Conditions_Null). These operators test whether the key is present (exists) in the request context.
The condition operators can be grouped into the following categories:
+ [String](#Conditions_String)
+ [Numeric](#Conditions_Numeric)
+ [Date and time](#Conditions_Date)
+ [Boolean](#Conditions_Boolean)
+ [Binary](#Conditions_BinaryEquals)
+ [IP address](#Conditions_IPAddress)
+ [Amazon Resource Name (ARN)](#Conditions_ARN) (available for only some services.)
+ [...IfExists](#Conditions_IfExists) (checks if the key value exists as part of another check)
+ [Null check](#Conditions_Null) (checks if the key value exists as a standalone check)
## String condition operators
String condition operators let you construct `Condition` elements that restrict access based on comparing a key to a string value.
+ **Policy variables** – [Supported](reference_policies_variables.md)
+ **Wildcards** – [Supported](#Conditions_String-wildcard)
****
| Condition operator | Description |
| --- | --- |
| `StringEquals` | Exact matching, case sensitive |
| `StringNotEquals` | Negated matching |
| `StringEqualsIgnoreCase` | Exact matching, ignoring case |
| `StringNotEqualsIgnoreCase` | Negated matching, ignoring case |
| `StringLike` | Case-sensitive matching. The values can include multi-character match wildcards (\$1) and single-character match wildcards (?) anywhere in the string. You must specify wildcards to achieve partial string matches. If a key contains multiple values, `StringLike` can be qualified with set operators—`ForAllValues:StringLike` and `ForAnyValue:StringLike`. For more information, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys). |
| `StringNotLike` | Negated case-sensitive matching. The values can include multi-character match wildcards (\$1) or single-character match wildcards (?) anywhere in the string. |
**Example string condition operator**
For example, the following statement contains a `Condition` element that uses [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principaltag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principaltag) key to specify that the principal making the request must be tagged with the `iamuser-admin` job category.
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "iam:*AccessKey*",
"Resource": "arn:aws:iam::111122223333:user/*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/job-category": "iamuser-admin"
}
}
}
}
```
If the key that you specify in a policy condition is not present in the request context, the values do not match. In this example, the `aws:PrincipalTag/job-category` key is present in the request context if the principal is using an IAM user with attached tags. It is also included for a principal using an IAM role with attached tags or session tags. If a user without the tag attempts to view or edit an access key, the condition returns `false` and the request is implicitly denied by this statement.
The following table shows how AWS evaluates this policy based on the condition key values in your request.
| Policy Condition | Request Context | Result |
| --- | --- | --- |
| "StringEquals": {
"aws:PrincipalTag/job-category": "iamuser-admin"
} | aws:PrincipalTag/job-category:
– iamuser-admin
| Match |
| "StringEquals": {
"aws:PrincipalTag/job-category": "iamuser-admin"
} | aws:PrincipalTag/job-category:
– dev-ops
| No match |
| "StringEquals": {
"aws:PrincipalTag/job-category": "iamuser-admin"
} | No `aws:PrincipalTag/job-category` in the request context. | No match |
**Example using a policy variable with a string condition operator**
The following example uses the `StringLike` condition operator to perform string matching with a [policy variable](reference_policies_variables.md) to create a policy that lets an IAM user use the Amazon S3 console to manage his or her own "home directory" in an Amazon S3 bucket. The policy allows the specified actions on an S3 bucket as long as the `s3:prefix` matches any one of the specified patterns.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"home/",
"home/${aws:username}/"
]
}
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/home/${aws:username}",
"arn:aws:s3:::amzn-s3-demo-bucket/home/${aws:username}/*"
]
}
]
}
```
The following table shows how AWS evaluates this policy for different users based on the [aws:username](reference_policies_condition-keys.md#condition-keys-username) value in the request context.
| Policy condition | Request context | Result |
| --- | --- | --- |
| "StringLike": {
"s3:prefix": [
"home/",
"home/${aws:username}/"
]
} | aws:username:
– martha_rivera
| "StringLike": {
"s3:prefix": [
"home/",
"home/martha_rivera/"
]
} |
| "StringLike": {
"s3:prefix": [
"home/",
"home/${aws:username}/"
]
} | aws:username:
– nikki_wolf
| "StringLike": {
"s3:prefix": [
"home/",
"home/nikki_wolf/"
]
} |
| "StringLike": {
"s3:prefix": [
"home/",
"home/${aws:username}/"
]
} | No `aws:username` in the request context. | No match |
For an example of a policy that shows how to use the `Condition` element to restrict access to resources based on an application ID and a user ID for OIDC federation, see [Amazon S3: Allows Amazon Cognito users to access objects in their bucket](reference_policies_examples_s3_cognito-bucket.md).
### Multivalued string condition operators
If a key in the request contains multiple values, string operators can be qualified with set operators `ForAllValues` and `ForAnyValue`. For more information on the evaluation logic of multiple context keys or values, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
| Condition operator | Description |
| --- | --- |
| `ForAllValues:StringEquals` `ForAllValues:StringEqualsIgnoreCase` | All of the values for the condition key in the request must match at least one of the values in your policy. |
| `ForAnyValue:StringEquals` `ForAnyValue:StringEqualsIgnoreCase` | At least one condition key value in the request must match one of the values in your policy. |
| `ForAllValues:StringNotEquals` `ForAllValues:StringNotEqualsIgnoreCase` | Negated matching. None of the values of the context key in the request can match any of the context key values in your policy. |
| `ForAnyValue:StringNotEquals` `ForAnyValue:StringNotEqualsIgnoreCase` | Negated matching. At least one context key value in the request must NOT match any of values in the context key in your policy. |
| `ForAllValues:StringLike` | All of the values for the condition key in the request must match at least one of the values in your policy. |
| `ForAnyValue:StringLike` | At least one condition key value in the request must match one of the values in your policy. |
| `ForAllValues:StringNotLike` | Negated matching. None of the values of the context key in the request can match any of the context key values in your policy. |
| `ForAnyValue:StringNotLike` | Negated matching. At least one context key value in the request must NOT match any of values in the context key in your policy. |
**Example using `ForAnyValue` with a string condition operator**
This example shows how you might create an identity-based policy that allows using the Amazon EC2 `CreateTags` action to attach tags to an instance. When you use `StringEqualsIgnoreCase`, you can attach tags only if the tag contains the `environment` key with the `preprod` or `storage` values. When you append `IgnoreCase` to the operator, you allow any existing tag value capitalization, such as `preprod`, `Preprod`, and `PreProd`, to resolve to true.
When you add the `ForAnyValue` modifier with the [aws:TagKeys](reference_policies_condition-keys.md#condition-keys-tagkeys) condition key, at least one tag key value in the request must match the value `environment`. `ForAnyValue` comparison is case sensitive, which stops users from using the incorrect case for the tag key, such as using `Environment` instead of `environment`.
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEqualsIgnoreCase": {
"aws:RequestTag/environment": [
"preprod",
"storage"
]
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": "environment"
}
}
}
}
```
The following table shows how AWS evaluates this policy based on the condition key values in your request.
| Policy condition | Request context | Result |
| --- | --- | --- |
| "StringEqualsIgnoreCase": {
"aws:RequestTag/environment": [
"preprod",
"storage"
]
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": "environment"
} | aws:TagKeys:
– environment
aws:RequestTag/environment:
– preprod
| Match |
| "StringEqualsIgnoreCase": {
"aws:RequestTag/environment": [
"preprod",
"storage"
]
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": "environment"
} | aws:TagKeys:
– environment
– costcenter
aws:RequestTag/environment:
– PreProd
| Match |
| "StringEqualsIgnoreCase": {
"aws:RequestTag/environment": [
"preprod",
"storage"
]
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": "environment"
} | aws:TagKeys:
– Environment
aws:RequestTag/Environment:
– preprod
| No match |
| "StringEqualsIgnoreCase": {
"aws:RequestTag/environment": [
"preprod",
"storage"
]
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": "environment"
} | aws:TagKeys:
– costcenter
aws:RequestTag/environment:
– preprod
| No match |
| "StringEqualsIgnoreCase": {
"aws:RequestTag/environment": [
"preprod",
"storage"
]
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": "environment"
} | No `aws:TagKeys` in the request context. aws:RequestTag/environment:
– storage
| No match |
| "StringEqualsIgnoreCase": {
"aws:RequestTag/environment": [
"preprod",
"storage"
]
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": "environment"
} | aws:TagKeys:
– environment
No `aws:RequestTag/environment` in the request context. | No match |
| "StringEqualsIgnoreCase": {
"aws:RequestTag/environment": [
"preprod",
"storage"
]
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": "environment"
} | No `aws:TagKeys` in the request context. No `aws:RequestTag/environment` in the request context. | No match |
### Wildcard matching
String condition operators perform a patternless matching that does not enforce a predefined format. ARN and Date condition operators are a subset of string operators that enforce a structure on the condition key value.
We recommend you use condition operators that correspond to the values you're comparing keys to. For example, you should use [String condition operators](#Conditions_String) when comparing keys to string values. Similarly, you should use [Amazon Resource Name (ARN) condition operators](#Conditions_ARN) when comparing keys to ARN values.
**Example**
This example shows how you might create a boundary around resources in your organization. The condition in this policy denies access to Amazon S3 actions unless the resource being accessed is in a specific set of organizational units (OUs) in AWS Organizations. An AWS Organizations path is a text representation of the structure of an organization's entity.
The condition requires that `aws:ResourceOrgPaths` contains any of the listed OU paths. Because `aws:ResourceOrgPaths` is a multi-value condition, the policy uses the `ForAllValues:StringNotLike` operator to compare the values of `aws:ResourceOrgPaths` to the list of OUs in the policy.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DenyS3AccessOutsideMyBoundary",
"Effect": "Deny",
"Action": [
"s3:*"
],
"Resource": "*",
"Condition": {
"ForAllValues:StringNotLike": {
"aws:ResourceOrgPaths": [
"o-acorg/r-acroot/ou-acroot-mediaou/",
"o-acorg/r-acroot/ou-acroot-sportsou/*"
]
}
}
}
]
}
```
The following table shows how AWS evaluates this policy based on the condition key values in your request.
| Policy condition | Request context | Result |
| --- | --- | --- |
| "ForAllValues:StringNotLike": {
"aws:ResourceOrgPaths": [
"o-acorg/r-acroot/ou-acroot-mediaou/",
"o-acorg/r-acroot/ou-acroot-sportsou/*"
]
} | aws:ResourceOrgPaths:
– o-acorg/r-acroot/ou-acroot-sportsou/costcenter/
| Match |
| "ForAllValues:StringNotLike": {
"aws:ResourceOrgPaths": [
"o-acorg/r-acroot/ou-acroot-mediaou/",
"o-acorg/r-acroot/ou-acroot-sportsou/*"
]
} | aws:ResourceOrgPaths:
– o-acorg/r-acroot/ou-acroot-mediaou/costcenter/
| No match |
| "ForAllValues:StringNotLike": {
"aws:ResourceOrgPaths": [
"o-acorg/r-acroot/ou-acroot-mediaou/",
"o-acorg/r-acroot/ou-acroot-sportsou/*"
]
} | No `aws:ResourceOrgPaths:` in the request. | No match |
## Numeric condition operators
Numeric condition operators let you construct `Condition` elements that restrict access based on comparing a key to an integer or decimal value.
+ **Policy variables** – Not supported
+ **Wildcards** – Not supported
****
| Condition operator | Description |
| --- | --- |
| `NumericEquals` | Matching |
| `NumericNotEquals` | Negated matching |
| `NumericLessThan` | "Less than" matching |
| `NumericLessThanEquals` | "Less than or equals" matching |
| `NumericGreaterThan` | "Greater than" matching |
| `NumericGreaterThanEquals` | "Greater than or equals" matching |
For example, the following statement contains a `Condition` element that uses the `NumericLessThanEquals` condition operator with the `s3:max-keys` key to specify that the requester can list *up to* 10 objects in `amzn-s3-demo-bucket` at a time.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
"Condition": {"NumericLessThanEquals": {"s3:max-keys": "10"}}
}
}
```
------
If the key that you specify in a policy condition is not present in the request context, the values do not match. In this example, the `s3:max-keys` key is always present in the request when you perform the `ListBucket` operation. If this policy allowed all Amazon S3 operations, then only the operations that include the `max-keys` context key with a value of less than or equal to 10 would be allowed.
## Date condition operators
Date condition operators let you construct `Condition` elements that restrict access based on comparing a key to a date/time value. You use these condition operators with [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-currenttime](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-currenttime) key or [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-epochtime](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-epochtime) key. You must specify date/time values with one of the [W3C implementations of the ISO 8601 date formats](http://www.w3.org/TR/NOTE-datetime) or in epoch (UNIX) time.
+ **Policy variables** – Not supported
+ **Wildcards** – Not supported
****
| Condition operator | Description |
| --- | --- |
| `DateEquals` | Matching a specific date |
| `DateNotEquals` | Negated matching |
| `DateLessThan` | Matching before a specific date and time |
| `DateLessThanEquals` | Matching at or before a specific date and time |
| `DateGreaterThan` | Matching after a specific a date and time |
| `DateGreaterThanEquals` | Matching at or after a specific date and time |
For example, the following statement contains a `Condition` element that uses the `DateGreaterThan` condition operator with the [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tokenissuetime](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tokenissuetime) key. This condition specifies that the temporary security credentials used to make the request were issued in 2020. This policy can be updated programmatically every day to ensure that account members use fresh credentials.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "iam:*AccessKey*",
"Resource": "arn:aws:iam::111122223333:user/*",
"Condition": {
"DateGreaterThan": {
"aws:TokenIssueTime": "2020-01-01T00:00:01Z"
}
}
}
}
```
------
If the key that you specify in a policy condition is not present in the request context, the values do not match. The `aws:TokenIssueTime` key is present in the request context only when the principal uses temporary credentials to make the request. The key is not present in AWS CLI, AWS API, or AWS SDK requests that are made using access keys. In this example, if an IAM user attempts to view or edit an access key, the request is denied.
## Boolean condition operators
Boolean conditions let you construct `Condition` elements that restrict access based on comparing a key to `true` or `false`.
If a key contains multiple values, boolean operators can be qualified with set operators `ForAllValues` and `ForAnyValue`. For more information on the evaluation logic of multiple context keys or values, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
+ **Policy variables** – [Supported](reference_policies_variables.md)
+ **Wildcards** – Not supported
****
| Condition operator | Description |
| --- | --- |
| `Bool` | Boolean matching |
| `ForAllValues:Bool` | Use with the Array of Bool data type. All of the booleans in the context key values must match the boolean values in your policy. To prevent `ForAllValues` operators from evaluating missing context keys or context keys with empty values as Allowed, you can include the [Null condition operator](#Conditions_Null) in your policy. |
| `ForAnyValue:Bool` | Use with the Array of Bool data type. At least one of the booleans in the context key values must match the boolean values in your policy. |
**Example boolean condition operator**
The following identity-based policy uses the `Bool` condition operator with the [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-securetransport](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-securetransport) key to deny replicating objects and object tags to the destination bucket and its contents if the request is not over SSL.
This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "BooleanExample",
"Action": "s3:ReplicateObject",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket",
"arn:aws:s3:::amzn-s3-demo-bucket/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
```
The following table shows how AWS evaluates this policy based on the condition key values in your request.
| Policy condition | Request context | Result |
| --- | --- | --- |
| "Bool": {
"aws:SecureTransport": "false"
} | aws:SecureTransport:
– false
| Match |
| "Bool": {
"aws:SecureTransport": "false"
} | aws:SecureTransport:
– true
| No match |
| "Bool": {
"aws:SecureTransport": "false"
} | No `aws:SecureTransport` in the request context. | No match |
## Binary condition operators
The `BinaryEquals` condition operator lets you construct `Condition` elements that test key values that are in binary format. It compares the value of the specified key byte for byte against a [base-64](https://en.wikipedia.org/wiki/Base64) encoded representation of the binary value in the policy. If the key that you specify in a policy condition is not present in the request context, the values do not match.
+ **Policy variables** – Not supported
+ **Wildcards** – Not supported
```
"Condition" : {
"BinaryEquals": {
"key" : "QmluYXJ5VmFsdWVJbkJhc2U2NA=="
}
}
```
| Policy condition | Request context | Result |
| --- | --- | --- |
| "BinaryEquals": {
"key" : "QmluYXJ5VmFsdWVJbkJhc2U2NA=="
} | key:
– QmluYXJ5VmFsdWVJbkJhc2U2NA==
| Match |
| "BinaryEquals": {
"key" : "QmluYXJ5VmFsdWVJbkJhc2U2NA=="
} | key:
– ASIAIOSFODNN7EXAMPLE
| No match |
| "BinaryEquals": {
"key" : "QmluYXJ5VmFsdWVJbkJhc2U2NA=="
} | No `key` in the request context. | No match |
## IP address condition operators
IP address condition operators let you construct `Condition` elements that restrict access based on comparing a key to an IPv4 or IPv6 address or range of IP addresses. You use these with the [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip) key. The value must be in the standard CIDR format (for example, 203.0.113.0/24 or 2001:DB8:1234:5678::/64). If you specify an IP address without the associated routing prefix, IAM uses the default prefix value of `/32`.
Some AWS services support IPv6, using :: to represent a range of 0s. To learn whether a service supports IPv6, see the documentation for that service.
+ **Policy variables** – Not supported
+ **Wildcards** – Not supported
****
| Condition operator | Description |
| --- | --- |
| `IpAddress` | The specified IP address or range |
| `NotIpAddress` | All IP addresses except the specified IP address or range |
**Example IP address condition operator**
The following statement uses the `IpAddress` condition operator with the `aws:SourceIp` key to specify that the request must come from the IP range 203.0.113.0 to 203.0.113.255.
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "iam:*AccessKey*",
"Resource": "arn:aws:iam::111122223333:user/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
}
}
}
}
```
The `aws:SourceIp` condition key resolves to the IP address that the request originates from. If the requests originates from an Amazon EC2 instance, `aws:SourceIp` evaluates to the instance's public IP address.
If the key that you specify in a policy condition is not present in the request context, the values do not match. The `aws:SourceIp` key is always present in the request context, except when the requester uses a VPC endpoint to make the request. In this case, the condition returns `false` and the request is implicitly denied by this statement.
The following table shows how AWS evaluates this policy based on the condition key values in your request.
| Policy condition | Request context | Result |
| --- | --- | --- |
| "IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
} | aws:SourceIp:
– 203.0.113.1
| Match |
| "IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
} | aws:SourceIp:
– 198.51.100.1
| No match |
The following example shows how to mix IPv4 and IPv6 addresses to cover all of your organization's valid IP addresses. We recommend that you update your organization's policies with your IPv6 address ranges in addition to IPv4 ranges you already have to ensure the policies continue to work as you make the transition to IPv6.
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "someservice:*",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"203.0.113.0/24",
"2001:DB8:1234:5678::/64"
]
}
}
}
}
```
The `aws:SourceIp` condition key works only in a JSON policy if you are calling the tested API directly as a user. If you instead use a service to call the target service on your behalf, the target service sees the IP address of the calling service rather than the IP address of the originating user. This can happen, for example, if you use AWS CloudFormation to call Amazon EC2 to construct instances for you. There is currently no way to pass the originating IP address through a calling service to the target service for evaluation in a JSON policy. For these types of service API calls, do not use the `aws:SourceIp` condition key.
## Amazon Resource Name (ARN) condition operators
Amazon Resource Name (ARN) condition operators let you construct `Condition` elements that restrict access based on comparing a key to an ARN. The ARN is considered a string.
+ **Policy variables** – [Supported](reference_policies_variables.md)
+ **Wildcards** – [Supported](reference_policies_elements_resource.md#reference_policies_elements_resource_wildcards)
****
| Condition operator | Description |
| --- | --- |
| `ArnEquals`, `ArnLike` | Case-sensitive matching of the ARN. Each of the six colon-delimited components of the ARN is checked separately and each can include multi-character match wildcards (\$1) or single-character match wildcards (?). The `ArnEquals` and `ArnLike` condition operators behave identically. |
| `ArnNotEquals`, `ArnNotLike` | Negated matching for ARN. The `ArnNotEquals` and `ArnNotLike` condition operators behave identically. |
**Example ARN condition operator**
The following resource-based policy example shows a policy attached to an Amazon SQS queue to which you want to send SNS messages. It gives Amazon SNS permission to send messages to the queue (or queues) of your choice, but only if the service is sending the messages on behalf of a particular Amazon SNS topic (or topics). You specify the queue in the `Resource` field, and the Amazon SNS topic as the value for the `SourceArn` key.
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": "SQS:SendMessage",
"Resource": "arn:aws:sqs:us-east-1:123456789012:QUEUE-ID",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:TOPIC-ID"
}
}
}
}
```
The [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) key is present in the request context only if a resource triggers a service to call another service on behalf of the resource owner. If an IAM user attempts to perform this operation directly, the condition returns `false` and the request is implicitly denied by this statement.
The following table shows how AWS evaluates this policy based on the condition key values in your request.
| Policy condition | Request context | Result |
| --- | --- | --- |
| "ArnEquals": {
"aws:SourceArn": "arn:aws:sns:us-west-2:123456789012:TOPIC-ID"
} | aws:SourceArn:
– arn:aws:sns:us-west-2:123456789012:TOPIC-ID
| Match |
| "ArnEquals": {
"aws:SourceArn": "arn:aws:sns:us-west-2:123456789012:TOPIC-ID"
} | aws:SourceArn:
– arn:aws:sns:us-west-2:777788889999:TOPIC-ID
| No match |
| "ArnEquals": {
"aws:SourceArn": "arn:aws:sns:us-west-2:123456789012:TOPIC-ID"
} | No `aws:SourceArn` in the request context. | No match |
### Multivalued ARN condition operators
If a key in the request contains multiple values, ARN operators can be qualified with set operators `ForAllValues` and `ForAnyValue`. For more information on the evaluation logic of multiple context keys or values, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
| Condition operator | Description |
| --- | --- |
| `ForAllValues:ArnEquals` `ForAllValues:ArnLike` | All of the ARNs in the request context must match at least one of the ARN patterns in your policy. |
| `ForAnyValue:ArnEquals` `ForAnyValue:ArnLike` | At least one ARN in the request context must match one of the ARN patterns in your policy. |
| `ForAllValues:ArnNotEquals` `ForAllValues:ArnNotLike` | Negated matching. None of the ARNs in the request context can match any string ARN patterns in your policy. |
| `ForAnyValue:ArnNotEquals` `ForAnyValue:ArnNotLike` | Negated matching. At least one ARN in the request context must NOT match any of ARN patterns in your policy. |
**Example using `ForAllValues` with an ARN condition operator**
The following example uses `ForAllValues:ArnLike` to create or update a logical delivery source for Amazon CloudWatch Logs logs. The condition block includes the condition key [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html#amazoncloudwatchlogs-policy-keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html#amazoncloudwatchlogs-policy-keys) to filter the log generating resource ARNs passed in the request. Using this condition operator, all of the ARNs in the request must match at least one ARN in the policy.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "logs:PutDeliverySource",
"Resource": "arn:aws:logs:us-east-1:123456789012:delivery-source:*",
"Condition": {
"ForAllValues:ArnLike": {
"logs:LogGeneratingResourceArns": [
"arn:aws:cloudfront::123456789012:distribution/*",
"arn:aws:cloudfront::123456789012:distribution/support*"
]
}
}
}
]
}
```
The following table shows how AWS evaluates this policy based on the condition key values in your request.
| Policy condition | Request context | Result |
| --- | --- | --- |
| "ForAllValues:ArnLike": {
"logs:LogGeneratingResourceArns": [
"arn:aws::cloudfront:123456789012:distribution/*",
"arn:aws::cloudfront:123456789012:distribution/support*"
]
} | logs:LogGeneratingResourceArns:
– arn:aws::cloudfront:123456789012:distribution/costcenter
| Match |
| "ForAllValues:ArnLike": {
"logs:LogGeneratingResourceArns": [
"arn:aws::cloudfront:123456789012:distribution/*",
"arn:aws::cloudfront:123456789012:distribution/support*"
]
} | logs:LogGeneratingResourceArns:
– arn:aws::cloudfront:123456789012:distribution/costcenter
– arn:aws::cloudfront:123456789012:distribution/support2025
| Match |
| "ForAllValues:ArnLike": {
"logs:LogGeneratingResourceArns": [
"arn:aws::cloudfront:123456789012:distribution/*",
"arn:aws::cloudfront:123456789012:distribution/support*"
]
} | logs:LogGeneratingResourceArns:
– arn:aws::cloudfront:123456789012:distribution/costcenter
– arn:aws::cloudfront:123456789012:distribution/admin
| No match |
| "ForAllValues:ArnLike": {
"logs:LogGeneratingResourceArns": [
"arn:aws::cloudfront:123456789012:distribution/*",
"arn:aws::cloudfront:123456789012:distribution/support*"
]
} | logs:LogGeneratingResourceArns:
– arn:aws::cloudfront:777788889999:distribution/costcenter
| No match |
| "ForAllValues:ArnLike": {
"logs:LogGeneratingResourceArns": [
"arn:aws::cloudfront:123456789012:distribution/*",
"arn:aws::cloudfront:123456789012:distribution/support*"
]
} | No `logs:LogGeneratingResourceArns` in the request context. | Match |
The `ForAllValues` qualifier returns true if there are no context keys in the request or if the context key value resolves to a null dataset, such as an empty string. To prevent missing context keys or context keys with empty values from evaluating to true, you can include the [Null condition operator](#Conditions_Null) in your policy with a `false` value to check if the context key exists and its value is not null.
## ...IfExists condition operators
You can add `IfExists` to the end of any condition operator name except the `Null` condition—for example, `StringLikeIfExists`. You do this to say "If the condition key is present in the context of the request, process the key as specified in the policy. If the key is not present, evaluate the condition element as true." Other condition elements in the statement can still result in a nonmatch, but not a missing key when checked with `...IfExists`. If you are using an `"Effect": "Deny"` element with a negated condition operator like `StringNotEqualsIfExists`, the request is still denied even if the condition key is not present.
**Example using `IfExists`**
Many condition keys describe information about a certain type of resource and only exist when accessing that type of resource. These condition keys are not present on other types of resources. This doesn't cause an issue when the policy statement applies to only one type of resource. However, there are cases where a single statement can apply to multiple types of resources, such as when the policy statement references actions from multiple services or when a given action within a service accesses several different resource types within the same service. In such cases, including a condition key that applies to only one of the resources in the policy statement can cause the `Condition` element in the policy statement to fail such that the statement's `"Effect"` does not apply.
For example, consider the following policy example:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Sid": "THISPOLICYDOESNOTWORK",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {"StringLike": {"ec2:InstanceType": [
"t1.*",
"t2.*",
"m3.*"
]}}
}
}
```
------
The *intent* of the preceding policy is to enable the user to launch any instance that is type `t1`, `t2` or `m3`. However, launching an instance requires accessing many resources in addition to the instance itself; for example, images, key pairs, security groups, and more. The entire statement is evaluated against every resource that is required to launch the instance. These additional resources do not have the `ec2:InstanceType` condition key, so the `StringLike` check fails, and the user is not granted the ability to launch *any* instance type.
To address this, use the `StringLikeIfExists` condition operator instead. This way, the test only happens if the condition key exists. You could read the following policy as: "If the resource being checked has an "`ec2:InstanceType`" condition key, then allow the action only if the key value begins with `t1.`, `t2.`, or `m3.`. If the resource being checked does not have that condition key, then don't worry about it." The asterisk (\$1) in the condition key values, when used with the `StringLikeIfExists` condition operator, is interpreted as a wildcard to achieve partial string matches. The `DescribeActions` statement includes the actions required to view the instance in the console.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "RunInstance",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"StringLikeIfExists": {
"ec2:InstanceType": [
"t1.*",
"t2.*",
"m3.*"
]
}
}
},
{
"Sid": "DescribeActions",
"Effect": "Allow",
"Action": [
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeVpcs",
"ec2:DescribeKeyPairs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
}
]
}
```
------
The following table shows how AWS evaluates this policy based on the condition key values in your request.
| Policy condition | Request context | Result |
| --- | --- | --- |
| "StringLikeIfExists": {
"ec2:InstanceType": [
"t1.*",
"t2.*",
"m3.*"
]
} | ec2:InstanceType:
– t1.micro
| Match |
| "StringLikeIfExists": {
"ec2:InstanceType": [
"t1.*",
"t2.*",
"m3.*"
]
} | ec2:InstanceType:
– m2.micro
| No match |
| "StringLikeIfExists": {
"ec2:InstanceType": [
"t1.*",
"t2.*",
"m3.*"
]
} | No `ec2:InstanceType` in the request context. | Match |
## Condition operator to check existence of condition keys
Use a `Null` condition operator to check if a condition key is absent at the time of authorization. In the policy statement, use either `true` (the key doesn't exist — it is null) or `false` (the key exists and its value is not null).
You can not use a [policy variable](reference_policies_variables.md) with the `Null` condition operator.
For example, you can use this condition operator to determine whether a user is using temporary credentials or their own credentials to make a request. If the user is using temporary credentials, then the key `aws:TokenIssueTime` exists and has a value. The following example shows a condition that states that the user must be using temporary credentials (the key cannot be absent) for the user to use the Amazon EC2 API.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":{
"Action":"ec2:*",
"Effect":"Allow",
"Resource":"*",
"Condition":{"Null":{"aws:TokenIssueTime":"false"}}
}
}
```
------
# Conditions with multiple context keys or values
You can use the `Condition` element of a policy to test multiple context keys or multiple values for a single context key in a request. When you make a request to AWS, either programmatically or through the AWS Management Console, your request includes information about your principal, operation, tags, and more. You can use context keys to test the values of the matching context keys in the request, with the context keys specified in the policy condition. To learn about information and data included in a request, see [The request context](reference_policies_elements_condition.md#AccessPolicyLanguage_RequestContext).
**Topics**
+ [Evaluation logic for multiple context keys or values](#reference_policies_multiple-conditions-eval)
+ [Evaluation logic for negated matching condition operators](#reference_policies_multiple-conditions-negated-matching-eval)
## Evaluation logic for multiple context keys or values
A `Condition` element can contain multiple condition operators, and each condition operator can contain multiple context key-value pairs. Most context keys support using multiple values, unless otherwise specified.
+ If your policy statement has multiple [condition operators](reference_policies_elements_condition_operators.md), the condition operators are evaluated using a logical `AND`.
+ If your policy statement has multiple context keys attached to a single condition operator, the context keys are evaluated using a logical `AND`.
+ If a single condition operator includes multiple values for a context key, those values are evaluated using a logical `OR`.
+ If a single negated matching condition operator includes multiple values for a context key, those values are evaluated using a logical `NOR`.
All context keys in a condition element block must resolve to true to invoke the desired `Allow` or `Deny` effect. The following figure illustrates the evaluation logic for a condition with multiple condition operators and context key-value pairs.
![\[Condition block showing how AND and OR are applied to multiple context keys and values\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/AccessPolicyLanguage_Condition_Block_AND_2.diagram.png)
For example, the following S3 bucket policy illustrates how the previous figure is represented in a policy. The condition block includes condition operators `StringEquals` and `ArnLike`, and context keys `aws:PrincipalTag` and `aws:PrincipalArn`. To invoke the desired `Allow` or `Deny` effect, all context keys in the condition block must resolve to true. The user making the request must have both principal tag keys, *department* and *role*, that include one of the tag key values specified in the policy. Also, the principal ARN of the user making the request must match one of the `aws:PrincipalArn` values specified in the policy to be evaluated as true.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ExamplePolicy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::222222222222:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/department": [
"finance",
"hr",
"legal"
],
"aws:PrincipalTag/role": [
"audit",
"security"
]
},
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::222222222222:user/Ana",
"arn:aws:iam::222222222222:user/Mary"
]
}
}
}
]
}
```
------
The following table shows how AWS evaluates this policy based on the condition key values in your request.
| Policy Condition | Request Context | Result |
| --- | --- | --- |
| "StringEquals": {
"aws:PrincipalTag/department": [
"finance",
"hr",
"legal"
],
"aws:PrincipalTag/role": [
"audit",
"security"
]
},
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::222222222222:user/Ana",
"arn:aws:iam::222222222222:user/Mary"
]
} | aws:PrincipalTag/department: legal
aws:PrincipalTag/role: audit
aws:PrincipalArn:
arn:aws:iam::222222222222:user/Mary
| **Match** |
| "StringEquals": {
"aws:PrincipalTag/department": [
"finance",
"hr",
"legal"
],
"aws:PrincipalTag/role": [
"audit",
"security"
]
},
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::222222222222:user/Ana",
"arn:aws:iam::222222222222:user/Mary"
]
} | aws:PrincipalTag/department: hr
aws:PrincipalTag/role: audit
aws:PrincipalArn:
arn:aws:iam::222222222222:user/Nikki
| **No match** |
| "StringEquals": {
"aws:PrincipalTag/department": [
"finance",
"hr",
"legal"
],
"aws:PrincipalTag/role": [
"audit",
"security"
]
},
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::222222222222:user/Ana",
"arn:aws:iam::222222222222:user/Mary"
]
} | aws:PrincipalTag/department: hr
aws:PrincipalTag/role: payroll
aws:PrincipalArn:
arn:aws:iam::222222222222:user/Mary
| **No match** |
| "StringEquals": {
"aws:PrincipalTag/department": [
"finance",
"hr",
"legal"
],
"aws:PrincipalTag/role": [
"audit",
"security"
]
},
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::222222222222:user/Ana",
"arn:aws:iam::222222222222:user/Mary"
]
} | No `aws:PrincipalTag/role` in the request context. aws:PrincipalTag/department: hr
aws:PrincipalArn:
arn:aws:iam::222222222222:user/Mary
| **No match** |
| "StringEquals": {
"aws:PrincipalTag/department": [
"finance",
"hr",
"legal"
],
"aws:PrincipalTag/role": [
"audit",
"security"
]
},
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::222222222222:user/Ana",
"arn:aws:iam::222222222222:user/Mary"
]
} | No `aws:PrincipalTag` in the request context. aws:PrincipalArn:
arn:aws:iam::222222222222:user/Mary
| **No match** |
## Evaluation logic for negated matching condition operators
Some [condition operators,](reference_policies_elements_condition_operators.md) such as `StringNotEquals` or `ArnNotLike`, use negated matching to compare the context key-value pairs in your policy against the context key-value pairs in a request. When multiple values are specified for a single context key in a policy with negated matching condition operators, the effective permissions work like a logical `NOR`. In negated matching, a logical `NOR` or `NOT OR` returns true only if all values evaluate to false.
The following figure illustrates the evaluation logic for a condition with multiple condition operators and context key-value pairs. The figure includes a negated matching condition operator for context key 3.
![\[Condition block showing how AND and OR are applied to multiple context keys and values when a negated matching condition operator is used\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/AccessPolicyLanguage_Condition_Block_AND_Negated_NOR_2.diagram.png)
For example, the following S3 bucket policy illustrates how the previous figure is represented in a policy. The condition block includes condition operators `StringEquals` and `ArnNotLike`, and context keys `aws:PrincipalTag` and `aws:PrincipalArn`. To invoke the desired `Allow` or `Deny` effect, all context keys in the condition block must resolve to true. The user making the request must have both principal tag keys, *department* and *role*, that include one of the tag key values specified in the policy. Since the `ArnNotLike` condition operator uses negated matching, the principal ARN of the user making the request must not match any of the `aws:PrincipalArn` values specified in the policy to be evaluated as true.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ExamplePolicy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::222222222222:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/department": [
"finance",
"hr",
"legal"
],
"aws:PrincipalTag/role": [
"audit",
"security"
]
},
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::222222222222:user/Ana",
"arn:aws:iam::222222222222:user/Mary"
]
}
}
}
]
}
```
------
The following table shows how AWS evaluates this policy based on the condition key values in your request.
| Policy Condition | Request Context | Result |
| --- | --- | --- |
| "StringEquals": {
"aws:PrincipalTag/department": [
"finance",
"hr",
"legal"
],
"aws:PrincipalTag/role": [
"audit",
"security"
]
},
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::222222222222:user/Ana",
"arn:aws:iam::222222222222:user/Mary"
]
} | aws:PrincipalTag/department: legal
aws:PrincipalTag/role: audit
aws:PrincipalArn:
arn:aws:iam::222222222222:user/Nikki
| **Match** |
| "StringEquals": {
"aws:PrincipalTag/department": [
"finance",
"hr",
"legal"
],
"aws:PrincipalTag/role": [
"audit",
"security"
]
},
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::222222222222:user/Ana",
"arn:aws:iam::222222222222:user/Mary"
]
} | aws:PrincipalTag/department: hr
aws:PrincipalTag/role: audit
aws:PrincipalArn:
arn:aws:iam::222222222222:user/Mary
| **No match** |
| "StringEquals": {
"aws:PrincipalTag/department": [
"finance",
"hr",
"legal"
],
"aws:PrincipalTag/role": [
"audit",
"security"
]
},
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::222222222222:user/Ana",
"arn:aws:iam::222222222222:user/Mary"
]
} | aws:PrincipalTag/department: hr
aws:PrincipalTag/role: payroll
aws:PrincipalArn:
arn:aws:iam::222222222222:user/Nikki
| **No match** |
| "StringEquals": {
"aws:PrincipalTag/department": [
"finance",
"hr",
"legal"
],
"aws:PrincipalTag/role": [
"audit",
"security"
]
},
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::222222222222:user/Ana",
"arn:aws:iam::222222222222:user/Mary"
]
} | >No `aws:PrincipalTag/role` in the request context. aws:PrincipalTag/department: hr
aws:PrincipalArn:
arn:aws:iam::222222222222:user/Nikki
| **No match** |
| "StringEquals": {
"aws:PrincipalTag/department": [
"finance",
"hr",
"legal"
],
"aws:PrincipalTag/role": [
"audit",
"security"
]
},
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::222222222222:user/Ana",
"arn:aws:iam::222222222222:user/Mary"
]
} | No `aws:PrincipalTag` in the request context. aws:PrincipalArn:
arn:aws:iam::222222222222:user/Nikki
| **No match** |
# Single-valued vs. multivalued context keys
The difference between single-valued and multivalued context keys lies in the number of values in the [request context](intro-structure.md#intro-structure-request), not the number of values in the policy condition.
+ *Single-valued* condition context keys have at most one value in the request context. For example, when you tag resources in AWS, each resource tag is stored as a key-value pair. Since a resource tag key can have only a single tag value, [aws:ResourceTag/*tag-key*](reference_policies_condition-keys.md#condition-keys-resourcetag) is a single-valued context key. Do not use a condition set operator with a single-valued context key.
+ *Multivalued* condition context keys can have multiple values in the request context. For example, when you tag resources in AWS, you can include multiple tag key-value pairs in a single request. Therefore, [aws:TagKeys](reference_policies_condition-keys.md#condition-keys-tagkeys) is a multivalued context key. Multivalued context keys require a condition set operator.
For example, a request can originate from at most one VPC endpoint, so [aws:SourceVpce](reference_policies_condition-keys.md#condition-keys-sourcevpce) is a single-valued context key. Since a service can have more than one service principal name that belongs to the service, [aws:PrincipalServiceNamesList](reference_policies_condition-keys.md#condition-keys-principalservicenameslist) is a multivalued context key.
**Important**
The difference between single-valued and multivalued context keys depends on the number of values in the request context, not the number of values in the policy condition.
## Key points
+ The *Single-valued* and *Multivalued* classifications are included in the description of each condition context key as *Value type* in the [AWS global condition context keys](reference_policies_condition-keys.md) topic.
+ Multivalued context keys in the [Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) use an `ArrayOf` prefix followed by the condition operator category type, such as `ArrayOfString` or `ArrayOfARN`, indicating that the request may include multiple values for a condition context key.
+ You can use any available single-valued context key as a policy variable, but you cannot use a multivalued context key as a policy variable. For more information about policy variables, see [IAM policy elements: Variables and tags](reference_policies_variables.md).
+ When using context keys that include key-value pairs, it's important to note that even though there can be multiple tag-key values, each `tag-key` can have only one value.
+ [aws:PrincipalTag/*tag-key*](reference_policies_condition-keys.md#condition-keys-principaltag), [aws:RequestTag/*tag-key*](reference_policies_condition-keys.md#condition-keys-requesttag) and [aws:ResourceTag/*tag-key*](reference_policies_condition-keys.md#condition-keys-resourcetag) are single-valued context keys.
+ [aws:TagKeys](reference_policies_condition-keys.md#condition-keys-tagkeys) defines what tag-keys are allowed in a request but does not include the tag-key values. Because you can include multiple tag key-value pairs in a request, `aws:TagKeys` is a multivalued context key.
+ Multivalued context keys require a condition set operator. Do not use condition set operators `ForAllValues` or `ForAnyValue` with single-valued context keys. Using condition set operators with single-valued context keys can lead to overly permissive policies.
## Set operators for multivalued context keys
To compare your condition context key against a [request context](intro-structure.md#intro-structure-request) key with multiple values, you must use the `ForAllValues` or `ForAnyValue` set operators. These set operators are used to compare two sets of values, such as the set of tags in a request and the set of tags in a policy condition.
The `ForAllValues` and `ForAnyValue` qualifiers add set-operation functionality to the condition operator, allowing you to test request context keys with multiple values against multiple context key values in a policy condition. Additionally, if you include a multivalued string context key in your policy with a wildcard or a variable, you must also use the `StringLike` [condition operator](reference_policies_elements_condition_operators.md#Conditions_String). Multiple condition key values must be enclosed in brackets like an [array](reference_policies_grammar.md#policies-grammar-json), for example, `"Key2":["Value2A", "Value2B"]`.
### ForAllValues
The `ForAllValues` qualifier tests whether the value of every member of the request context matches the condition operator that follows the qualifier. The condition returns `true` if every context key value in the request matches a context key value in the policy. It also returns `true` if there are no context keys in the request.
**Important**
Use caution if you use `ForAllValues` with an `Allow` effect, as it can be overly permissive if the presence of missing context keys in the request context is unexpected. You should always include the [`Null`](reference_policies_elements_condition_operators.md#Conditions_Null) condition operator in your policy with a `false` value to check if the context key exists and its value is not null. For an example, see [Controlling access based on tag keys](access_tags.md#access_tags_control-tag-keys).
#### Example ForAllValues set operator
In the following example, ForAllValues is used with aws:TagKeys to allow users to delete specific tags assigned to an EC2 instance. This policy allows users to delete only the `environment` and `cost-center` tags. You can delete them separately or together. The tag-keys in the request must match exactly the specified keys in the policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DeleteTags",
"Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
},
"Null": {
"aws:TagKeys": "false"
}
}
}
]
}
```
------
The following table shows how AWS evaluates this policy based on the condition key values in your request.
| Policy Condition | Request Context | Result |
| --- | --- | --- |
| "ForAllValues:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
},
"Null": {
"aws:TagKeys": "false"
} | aws:TagKeys:
– environment
| **Match** |
| "ForAllValues:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
},
"Null": {
"aws:TagKeys": "false"
} | aws:TagKeys:
– cost-center
| **Match** |
| "ForAllValues:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
},
"Null": {
"aws:TagKeys": "false"
} | aws:TagKeys:
– environment
– cost-center
| **Match** |
| "ForAllValues:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
},
"Null": {
"aws:TagKeys": "false"
} | aws:TagKeys:
– environment
– dept
| **No match** |
| "ForAllValues:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
},
"Null": {
"aws:TagKeys": "false"
} | No `aws:TagKeys` in the request context. | **No match** |
Note that in the last example, the result is "No Match" because the Null condition check prevents matching when the context key is missing. This is a best practice to avoid overly permissive policies.
### ForAnyValue
The `ForAnyValue` qualifier tests whether at least one member of the set of request context key values matches at least one member of the set of context key values in your policy condition. The condition returns `true` if any one of the context key values in the request matches any one of the context key values in the policy. For no matching context key or if the key does not exist, the condition returns `false`.
**Important**
When using `ForAnyValue` with a `Deny` effect, if the context key is not present in the request, the policy evaluates as **No match**. For consistent behavior, add an explicit [`Null`](reference_policies_elements_condition_operators.md#Conditions_Null) condition check in your policy to verify whether the context key exists. For details, see [Condition operator to check existence of condition keys](reference_policies_elements_condition_operators.md#Conditions_Null).
#### Example ForAnyValue set operator
In the following example, ForAnyValue is used with aws:TagKeys to allow users to delete specific tags assigned to an EC2 instance. This policy allows users to delete tags for an instance if the tag keys specified in the request include `environment` or `cost-center`. The request can include additional tag keys beyond those specified in the policy, but must include at least one of the specified keys to match the condition.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DeleteTags",
"Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
}
}
}
]
}
```
------
The following table shows how AWS evaluates this policy based on the condition key values in your request.
| Policy Condition | Request Context | Result |
| --- | --- | --- |
| "ForAnyValue:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
} | aws:TagKeys:
– environment
| **Match** |
| "ForAnyValue:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
} | aws:TagKeys:
– cost-center
| **Match** |
| "ForAnyValue:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
} | aws:TagKeys:
– environment
– cost-center
| **Match** |
| "ForAnyValue:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
} | aws:TagKeys:
– environment
– dept
| **Match** |
| "ForAnyValue:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
} | aws:TagKeys:
– dept
| **No match** |
| "ForAnyValue:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
} | No `aws:TagKeys` in the request context. | **No match** |
# Condition policy examples
In IAM policies, you can specify multiple values for both single-valued and multivalued context keys for comparison against the request context. The following set of policy examples demonstrates policy conditions with multiple context keys and values.
**Note**
If you would like to submit a policy to be included in this reference guide, use the **Feedback** button at the bottom of this page. For IAM identity-based policy examples, see [Example IAM identity-based policies](access_policies_examples.md).
## Condition policy examples: Single-valued context keys
+ Multiple condition blocks with single-valued context keys. ([View this example](reference_policies_condition_examples-single-valued-context-keys.md#reference_policies_condition_examples-single-valued-context-keys-1).)
+ One condition block with multiple single-valued context keys and values. ([View this example](reference_policies_condition_examples-single-valued-context-keys.md#reference_policies_condition_examples-single-valued-context-keys-2).)
## Condition policy examples: Multivalued context keys
+ Deny policy with condition set operator `ForAllValues`. ([View this example](reference_policies_condition_examples-multi-valued-context-keys.md#reference_policies_condition_examples-multi-valued-context-keys-1).)
+ Deny policy with condition set operator `ForAnyValue`. ([View this example](reference_policies_condition_examples-multi-valued-context-keys.md#reference_policies_condition_examples-multi-valued-context-keys-2).)
# Multivalued context key examples
The following set of policy examples demonstrate how to create policy conditions with multivalued context keys.
## Example: Deny policy with condition set operator ForAllValues
The following examples show how to use an identity-based policy to deny the use of IAM tagging actions when specific tag key prefixes are included in the request. The values for [`aws:TagKeys`](reference_policies_condition-keys.md#condition-keys-tagkeys) include a wildcard (\$1) for partial string matching. The policy includes the `ForAllValues` set operator with context key `aws:TagKeys` because the request context key can include multiple values. In order for context key `aws:TagKeys` to match, every value in the request context must match at least one value in the policy.
The `ForAllValues` set operator also returns true if there are no context keys in the request.
You can prevent missing context keys or context keys with empty values from evaluating to true by including a `Null` condition operator in your policy with a value of `false` to check if the context key in the request exists and its value is not null. For more information, see [Condition operator to check existence of condition keys](reference_policies_elements_condition_operators.md#Conditions_Null).
**Important**
This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.
**Example Deny a single policy condition value for a multivalued context key**
In the following example, the policy denies requests where the values for `aws:TagKeys` in the request do not include the prefix **key1**. The request context can have multiple values, but because of the `ForAllValues` condition set operator, all the tag key values in the request context must start with the prefix **key1**.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DenyRestrictedTags",
"Effect": "Deny",
"Action": [
"iam:Tag*",
"iam:UnTag*"
],
"Resource": [
"*"
],
"Condition": {
"ForAllValues:StringNotLike": {
"aws:TagKeys": "key1*"
}
}
}
]
}
```
The following table shows how AWS evaluates this policy based on the condition key values in your request. For a Deny statement, Match is Denied and No match is Not denied, so it may be allowed by another statement.
| Policy Condition | Request Context | Result |
| --- | --- | --- |
| "ForAllValues:StringNotLike": {
"aws:TagKeys": "key1*"
} | aws:TagKeys:
– key1:legal
| **No match** May be allowed by another statement. |
| "ForAllValues:StringNotLike": {
"aws:TagKeys": "key1*"
} | aws:TagKeys:
– key1:hr
– key1:personnel
| **No match** May be allowed by another statement. |
| "ForAllValues:StringNotLike": {
"aws:TagKeys": "key1*"
} | aws:TagKeys:
– key2:audit
| **Match** |
| "ForAllValues:StringNotLike": {
"aws:TagKeys": "key1*"
} | No `aws:TagKeys` in the request context. | **Match** |
**Example Deny multiple policy condition values for a multivalued context key**
In the following example, the policy denies requests where the values for `aws:TagKeys` in the request do not include the prefix **key1** or **key2**. The request context can have multiple values, but because of the `ForAllValues` condition set operator, all the tag key values in the request context must start with the prefix **key1** or **key2**.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DenyRestrictedTags",
"Effect": "Deny",
"Action": [
"iam:Tag*",
"iam:UnTag*"
],
"Resource": [
"*"
],
"Condition": {
"ForAllValues:StringNotLike": {
"aws:TagKeys": [
"key1*",
"key2*"
]
}
}
}
]
}
```
The following table shows how AWS evaluates this policy based on the condition key values in your request. For a Deny statement, Match is Denied and No match is Not denied, so it may be allowed by another statement.
| Policy Condition | Request Context | Result |
| --- | --- | --- |
| "ForAllValues:StringNotLike": {
"aws:TagKeys": [
"key1*",
"key2*"
]
} | aws:TagKeys:
– key1:legal
| **No match** May be allowed by another statement. |
| "ForAllValues:StringNotLike": {
"aws:TagKeys": [
"key1*",
"key2*"
]
} | aws:TagKeys:
– key1:hr
– key1:personnel
| **No match** May be allowed by another statement. |
| "ForAllValues:StringNotLike": {
"aws:TagKeys": [
"key1*",
"key2*"
]
} | aws:TagKeys:
– key1:hr
– key2:audit
| **No match** May be allowed by another statement. |
| "ForAllValues:StringNotLike": {
"aws:TagKeys": [
"key1*",
"key2*"
]
} | aws:TagKeys:
– key3:legal
| **Match** |
| "ForAllValues:StringNotLike": {
"aws:TagKeys": [
"key1*",
"key2*"
]
} | No `aws:TagKeys` in the request context. | **Match** |
## Example: Deny policy with condition set operator ForAnyValue
The following identity-based policy example denies creating snapshots of EC2 instance volumes if any snapshots are tagged with one of the tag keys specified in the policy, `environment` or `webserver`. The policy includes the `ForAnyValue` set operator with context key `aws:TagKeys` because the request context key can include multiple values. If your tagging request includes any one of the tag key values specified in the policy, the `aws:TagKeys` context key returns true invoking the deny policy effect.
**Important**
This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ec2:CreateSnapshot",
"ec2:CreateSnapshots"
],
"Resource": "arn:aws:ec2:us-west-2::snapshot/*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:TagKeys": "webserver"
}
}
}
]
}
```
------
The following table shows how AWS evaluates this policy based on the condition key values in your request. For a Deny statement, Match is Denied and No match is Not denied, so it may be allowed by another statement.
| Policy Condition | Request Context | Result |
| --- | --- | --- |
| "ForAnyValue:StringEquals": {
"aws:TagKeys": "webserver"
} | aws:TagKeys:
– webserver
| **Match** |
| "ForAnyValue:StringEquals": {
"aws:TagKeys": "webserver"
} | aws:TagKeys:
– environment
– webserver
– test
| **Match** |
| "ForAnyValue:StringEquals": {
"aws:TagKeys": "webserver"
} | aws:TagKeys:
– environment
– test
| **No match** May be allowed by another statement. |
| "ForAnyValue:StringEquals": {
"aws:TagKeys": "webserver"
} | No `aws:TagKeys` in the request context. | **No match** May be allowed by another statement. |
# Single-valued context key policy examples
The following set of policy examples demonstrate how to create policy conditions with single-valued context keys.
## Example: Multiple condition blocks with single-valued context keys
When a condition block has multiple conditions, each with a single context key, all context keys must resolve to true for the desired `Allow` or `Deny` effect to be invoked. When you use negated matching condition operators, the evaluation logic of the condition value is reversed.
The following example lets users create EC2 volumes and apply tags to the volumes during volume creation. The request context must include a value for context key `aws:RequestTag/project`, and the value for context key `aws:ResourceTag/environment` can be anything except production.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:CreateVolume",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
"Condition": {
"StringLike": {
"aws:RequestTag/project": "*"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:us-east-1:123456789012:*/*",
"Condition": {
"StringNotEquals": {
"aws:ResourceTag/environment": "production"
}
}
}
]
}
```
------
The request context must include a project tag-value and cannot be created for a production resource to invoke the `Allow` effect. The following EC2 volume is successfully created because the project name is `Feature3` with a `QA` resource tag.
```
aws ec2 create-volume \
--availability-zone us-east-1a \
--volume-type gp2 \
--size 80 \
--tag-specifications 'ResourceType=volume,Tags=[{Key=project,Value=Feature3},{Key=environment,Value=QA}]'
```
## Example: One condition block with multiple single-valued context keys and values
When a condition block contains multiple context keys and each context key has multiple values, each context key must resolve to true for at least one key value for the desired `Allow` or `Deny` effect to be invoked. When you use negated matching condition operators, the evaluation logic of the context key value is reversed.
The following example allows users to start and run tasks on Amazon Elastic Container Service clusters.
+ The request context must include `production` **OR** `prod-backup` for the `aws:RequestTag/environment` context key **AND**.
+ The `ecs:cluster` context key makes sure that tasks are run on either the `default1` **OR** `default2` ARN ECS clusters.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask",
"ecs:StartTask"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/environment": [
"production",
"prod-backup"
]
},
"ArnEquals": {
"ecs:cluster": [
"arn:aws:ecs:us-east-1:111122223333:cluster/default1",
"arn:aws:ecs:us-east-1:111122223333:cluster/default2"
]
}
}
}
]
}
```
------
The following table shows how AWS evaluates this policy based on the condition key values in your request.
| Policy condition | Request context | Result |
| --- | --- | --- |
| "StringEquals": {
"aws:RequestTag/environment": [
"production",
"prod-backup"
]
},
"ArnEquals": {
"ecs:cluster": [
"arn:aws:ecs:us-east-1:111122223333:cluster/default1",
"arn:aws:ecs:us-east-1:111122223333:cluster/default2"
]
} | aws:RequestTag: environment:production
ecs:cluster:
arn:aws:ecs:us-east-1:111122223333:cluster/default1
| Match |
| "StringEquals": {
"aws:RequestTag/environment": [
"production",
"prod-backup"
]
},
"ArnEquals": {
"ecs:cluster": [
"arn:aws:ecs:us-east-1:111122223333:cluster/default1",
"arn:aws:ecs:us-east-1:111122223333:cluster/default2"
]
} | aws:RequestTag: environment:prod-backup
ecs:cluster:
arn:aws:ecs:us-east-1:111122223333:cluster/default2
| Match |
| "StringEquals": {
"aws:RequestTag/environment": [
"production",
"prod-backup"
]
},
"ArnEquals": {
"ecs:cluster": [
"arn:aws:ecs:us-east-1:111122223333:cluster/default1",
"arn:aws:ecs:us-east-1:111122223333:cluster/default2"
]
} | aws:RequestTag: webserver:production
ecs:cluster:
arn:aws:ecs:us-east-1:111122223333:cluster/default2
| No match |
| "StringEquals": {
"aws:RequestTag/environment": [
"production",
"prod-backup"
]
},
"ArnEquals": {
"ecs:cluster": [
"arn:aws:ecs:us-east-1:111122223333:cluster/default1",
"arn:aws:ecs:us-east-1:111122223333:cluster/default2"
]
} | No `aws:RequestTag` in the request context. ecs:cluster
arn:aws:ecs:us-east-1:111122223333:cluster/default2
| No match |
# IAM policy elements: Variables and tags
Use AWS Identity and Access Management (IAM) policy variables as placeholders when you don't know the exact value of a resource or condition key when you write the policy.
**Note**
If AWS cannot resolve a variable this might cause the entire statement to be invalid. For example, if you use the `aws:TokenIssueTime` variable, the variable resolves to a value only when the requester authenticated using temporary credentials (an IAM role). To prevent variables from causing invalid statements, use the [...IfExists condition operator.](reference_policies_elements_condition_operators.md#Conditions_IfExists)
**Topics**
+ [Introduction](#policy-vars-intro)
+ [Using variables in policies](#policy-vars-using-variables)
+ [Tags as policy variables](#policy-vars-tags)
+ [Where you can use policy variables](#policy-vars-wheretouse)
+ [Policy variables with no value](#policy-vars-no-value)
+ [Request information that you can use for policy variables](#policy-vars-infotouse)
+ [Specifying default values](#policy-vars-default-values)
+ [For more information](#policy-vars-formoreinfo)
## Introduction
In IAM policies, many actions allow you to provide a name for the specific resources that you want to control access to. For example, the following policy allows users to list, read, and write objects in the S3 bucket `amzn-s3-demo-bucket` for `marketing` projects.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"],
"Condition": {"StringLike": {"s3:prefix": ["marketing/*"]}}
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/marketing/*"]
}
]
}
```
------
In some cases, you might not know the exact name of the resource when you write the policy. You might want to generalize the policy so it works for many users without having to make a unique copy of the policy for each user. Instead of creating a separate policy for each user, we recommend you create a single group policy that works for any user in that group.
## Using variables in policies
You can define dynamic values inside policies by using *policy variables* that set placeholders in a policy.
Variables are marked using a **`$`** prefix followed by a pair of curly braces (**`{ }`**) that include the variable name of the value from the request.
When the policy is evaluated, the policy variables are replaced with values that come from the conditional context keys passed in the request. Variables can be used in [identity-based policies, resource policies, service control policies, session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html), and [VPC endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html). Identity-based policies used as permissions boundaries also support policy variables.
Global condition context keys can be used as variables in requests across AWS services. Service specific condition keys can also be used as variables when interacting with AWS resources, but are only available when requests are made against resources which support them. For a list of context keys available for each AWS service and resource, see the [https://docs.aws.amazon.com/service-authorization/latest/reference/reference.html](https://docs.aws.amazon.com/service-authorization/latest/reference/reference.html). Under certain circumstances, you can’t populate global condition context keys with a value. To learn more about each key, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
**Important**
Key names are case-insensitive. For example, `aws:CurrentTime` is equivalent to `AWS:currenttime`.
You can use any single-valued condition key as a variable. You can't use a multivalued condition key as a variable.
The following example shows a policy for an IAM role or user that replaces a specific resource name with a policy variable. You can reuse this policy by taking advantage of the `aws:PrincipalTag` condition key. When this policy is evaluated, `${aws:PrincipalTag/team}` allows the actions only if the bucket name ends with a team name from the `team` principal tag.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"],
"Condition": {"StringLike": {"s3:prefix": ["${aws:PrincipalTag/team}/*"]}}
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/${aws:PrincipalTag/team}/*"]
}
]
}
```
------
The variable is marked using a `$` prefix followed by a pair of curly braces (`{ }`). Inside the `${ }` characters, you can include the name of the value from the request that you want to use in the policy. The values you can use are discussed later on this page.
For details about this global condition key, see [aws:PrincipalTag/*tag-key*](reference_policies_condition-keys.md#condition-keys-principaltag) in the list of global condition keys.
**Note**
In order to use policy variables, you must include the `Version` element in a statement, and the version must be set to a version that supports policy variables. Variables were introduced in version `2012-10-17`. Earlier versions of the policy language don't support policy variables. If you don't include the `Version` element and set it to an appropriate version date, variables like `${aws:username}` are treated as literal strings in the policy.
A `Version` policy element is different from a policy version. The `Version` policy element is used within a policy and defines the version of the policy language. A policy version, on the other hand, is created when you change a customer managed policy in IAM. The changed policy doesn't overwrite the existing policy. Instead, IAM creates a new version of the managed policy. To learn more about the `Version` policy element see [IAM JSON policy elements: Version](reference_policies_elements_version.md). To learn more about policy versions, see [Versioning IAM policies](access_policies_managed-versioning.md).
A policy that allows a principal to get objects from the /David path of an S3 bucket looks like this:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/David/*"
]
}
]
}
```
------
If this policy is attached to user `David`, that user get objects from his own S3 bucket, but you would have to create a separate policy for each user that includes the user's name. You would then attach each policy to the individual users.
By using a policy variable, you can create policies that can be reused. The following policy allows a user to get objects from an Amazon S3 bucket if the tag-key value for `aws:PrincipalTag` matches the tag-key `owner` value passed in the request.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Sid": "AllowUnlessOwnedBySomeoneElse",
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": ["*"],
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/owner": "${aws:PrincipalTag/owner}"
}
}
}
]
}
```
------
When you use a policy variable in place of a user like this, you don't have to have a separate policy for each individual user. In the following example, the policy is attached to an IAM role that is assumed by Product Managers using temporary security credentials. When a user makes a request to add an Amazon S3 object, IAM substitutes the `dept` tag value from the current request for the `${aws:PrincipalTag}` variable and evaluates the policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowOnlyDeptS3Prefix",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/${aws:PrincipalTag/dept}/*"
]
}
]
}
```
------
## Tags as policy variables
In some AWS services you can attach your own custom attributes to resources that are created by those services. For example, you can apply tags to Amazon S3 buckets or to IAM users. These tags are key-value pairs. You define the tag key name and the value that is associated with that key name. For example, you might create a tag with a **department** key and a **Human Resources** value. For more information about tagging IAM entities, see [Tags for AWS Identity and Access Management resources](id_tags.md). For information about tagging resources created by other AWS services, see the documentation for that service. For information about using Tag Editor, see [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html) in the *AWS Management Console User Guide*.
You can tag IAM resources to simplify discovering, organizing, and tracking your IAM resources. You can also tag IAM identities to control access to resources or to tagging itself. To learn more about using tags to control access, see [Controlling access to and for IAM users and roles using tags](access_iam-tags.md).
## Where you can use policy variables
You can use policy variables in the `Resource` element and in string comparisons in the `Condition` element.
### Resource element
You can use a policy variable in the `Resource` element, but only in the resource portion of the ARN. This portion of the ARN appears after the fifth colon (:). You can't use a variable to replace parts of the ARN before the fifth colon, such as the service or account. For more information about the ARN format, see [IAM ARNs](reference_identifiers.md#identifiers-arns).
To replace part of an ARN with a tag value, surround the prefix and key name with `${ }`. For example, the following Resource element refers to only a bucket that is named the same as the value in the requesting user's department tag.
`"Resource": ["arn:aws::s3:::amzn-s3-demo-bucket/${aws:PrincipalTag/department}"]`
Many AWS resources use ARNs that contain a user-created name. The following IAM policy ensures that only intended users with matching access-project, access-application, and access-environment tag values can modify their resources. In addition, using [\$1 wildcard matches](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html), they are able to allow for custom resource name suffixes.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccessBasedOnArnMatching",
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:DeleteTopic"],
"Resource": ["arn:aws:sns:*:*:${aws:PrincipalTag/access-project}-${aws:PrincipalTag/access-application}-${aws:PrincipalTag/access-environment}-*"
]
}
]
}
```
------
### Condition element
You can use a policy variable for `Condition` values in any condition that involves the string operators or the ARN operators. String operators include `StringEquals`, `StringLike`, and `StringNotLike`. ARN operators include `ArnEquals` and `ArnLike`. You can't use a policy variable with other operators, such as `Numeric`, `Date`, `Boolean`, `Binary`, `IP Address`, or `Null` operators. For more information about condition operators, see [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md).
When referencing a tag in a `Condition` element expression, use the relevant prefix and key name as the condition key. Then use the value that you want to test in the condition value.
For example, the following policy example allows full access to users, but only if the tag `costCenter` is attached to the user. The tag must also have a value of either `12345` or `67890`. If the tag has no value, or has any other value, then the request fails.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:*user*"
],
"Resource": "*",
"Condition": {
"StringLike": {
"iam:ResourceTag/costCenter": [ "12345", "67890" ]
}
}
}
]
}
```
------
## Policy variables with no value
When policy variables reference a condition context key that has no value or is not present in an authorization context for a request, the value is effectively null. There is no equal or like value. Condition context keys may not be present in the authorization context when:
+ You are using service specific condition context keys in requests to resources that do not support that condition key.
+ Tags on IAM principals, sessions, resources, or requests are not present.
+ Other circumstances as listed for each global condition context key in [AWS global condition context keys](reference_policies_condition-keys.md).
When you use a variable with no value in the condition element of an IAM policy, [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md) like `StringEquals` or `StringLike` do not match, and the policy statement does not take effect.
Inverted condition operators like `StringNotEquals` or `StringNotLike` do match against a null value, as the value of the condition key they are testing against is not equal to or like the effectively null value.
In the following example, `aws:principaltag/Team` must be equal to `s3:ExistingObjectTag/Team` to allow access. Access is explicitly denied when `aws:principaltag/Team` is not set. If a variable that has no value in the authorization context is used as part of the `Resource` or `NotResource` element of a policy, the resource that includes a policy variable with no value will not match any resource.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
"Condition": {
"StringNotEquals": {
"s3:ExistingObjectTag/Team": "${aws:PrincipalTag/Team}"
}
}
}
]
}
```
------
## Request information that you can use for policy variables
You can use the `Condition` element of a JSON policy to compare keys in the [request context](reference_policies_evaluation-logic_policy-eval-reqcontext.md) with key values that you specify in your policy. When you use a policy variable, AWS substitutes a value from the request context key in place of the variable in your policy.
### Principal key values
The values for `aws:username`, `aws:userid`, and `aws:PrincipalType` depend on what type of principal initiated the request. For example, the request could be made using the credentials of an IAM user, an IAM role, or the AWS account root user. The following table shows values for these keys for different types of principals.
****
| Principal | `aws:username` | `aws:userid` | `aws:PrincipalType` |
| --- | --- | --- | --- |
| AWS account root user | (not present) | AWS account ID | Account |
| IAM user | IAM-user-name | [unique ID](reference_identifiers.md#identifiers-unique-ids) | User |
| AWS STS federated user principal | (not present) | account:caller-specified-name | FederatedUser |
| OIDC federated principal For information about policy keys that are available when you use web identity federation, see [Available keys for AWS OIDC federation](reference_policies_iam-condition-keys.md#condition-keys-wif). | (not present) | *role-id*:*caller-specified-role-name* where `role-id` is the [unique id of the role](reference_identifiers.md#identifiers-unique-ids) and the caller-specified-role-name is specified by the [RoleSessionName parameter](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AssumeRole.html#API_AssumeRoleWithWebIdentity_RequestParameters) passed to the AssumeRoleWithWebIdentity request. | AssumedRole |
| SAML federated principal For information about policy keys that are available when you use SAML federation, see [Uniquely identifying users in SAML-based federation](id_roles_providers_saml.md#CreatingSAML-userid). | (not present) | *role-id*:*caller-specified-role-name* where `role-id` is the [unique id of the role](reference_identifiers.md#identifiers-unique-ids) and the caller-specified-role-name is specified by the Attribute element with the [Name attribute](id_roles_providers_create_saml_assertions.md) set to https://aws.amazon.com/SAML/attributes/RoleSessionName. | AssumedRole |
| Assumed role | (not present) | *role-id*:*caller-specified-role-name* where `role-id` is the [unique id of the role](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) and the caller-specified-role-name is specified by the [RoleSessionName parameter](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_RequestParameters) passed to the AssumeRole request. | AssumedRole |
| Role assigned to an Amazon EC2 instance | (not present) | *role-id*:*ec2-instance-id* where `role-id` is [the unique id of the role](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) and the ec2-instance-id is the [unique identifier of the EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html). | AssumedRole |
| Anonymous caller (Amazon SQS, Amazon SNS, and Amazon S3 only) | (not present) | anonymous | Anonymous |
For the items in this table, note the following:
+ *not present* means that the value is not in the current request information, and any attempt to match it fails and causes the statement to be invalid.
+ *role-id* is a unique identifier assigned to each role at creation. You can display the role ID with the AWS CLI command: `aws iam get-role --role-name rolename`
+ *caller-specified-name* and *caller-specified-role-name* are names that are passed by the calling process (such as an application or service) when it makes a call to get temporary credentials.
+ *ec2-instance-id* is a value assigned to the instance when it is launched and appears on the **Instances** page of the Amazon EC2 console. You can also display the instance ID by running the AWS CLI command: `aws ec2 describe-instances`
### Information available in requests for federated principals
Federated principals are users who are authenticated using a system other than IAM. For example, a company might have an application for use in-house that makes calls to AWS. It might be impractical to give an IAM identity to every corporate user who uses the application. Instead, the company might use a proxy (middle-tier) application that has a single IAM identity, or the company might use a SAML identity provider (IdP). The proxy application or SAML IdP authenticates individual users using the corporate network. A proxy application can then use its IAM identity to get temporary security credentials for individual users. A SAML IdP can in effect exchange identity information for AWS temporary security credentials. The temporary credentials can then be used to access AWS resources.
Similarly, you might create an app for a mobile device in which the app needs to access AWS resources. In that case, you might use *OIDC federation*, where the app authenticates the user using a well-known identity provider like Login with Amazon, Amazon Cognito, Facebook, or Google. The app can then use the user's authentication information from these providers to get temporary security credentials for accessing AWS resources.
The recommended way to use OIDC federation is by taking advantage of Amazon Cognito and the AWS mobile SDKs. For more information, see the following:
+ [Amazon Cognito User Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
+ [Common scenarios for temporary credentials](id_credentials_temp.md#sts-introduction)
### Special characters
There are a few special predefined policy variables that have fixed values that enable you to represent characters that otherwise have special meaning. If these special characters are part of the string, you are trying to match and you inserted them literally they would be misinterpreted. For example, inserting an \$1 asterisk in the string would be interpreted as a wildcard, matching any characters, instead of as a literal \$1. In these cases, you can use the following predefined policy variables:
+ **\$1\$1\$1\$1** - use where you need an \$1 (asterisk) character.
+ **\$1\$1?\$1** - use where you need a ? (question mark) character.
+ **\$1\$1\$1\$1** - use where you need a \$1 (dollar sign) character.
These predefined policy variables can be used in any string where you can use regular policy variables.
## Specifying default values
To add a default value to a variable, surround the default value with single quotes (`' '`), and separate the variable text and the default value with a comma and space (`, `).
For example, if a principal is tagged with `team=yellow`, they can access `ExampleCorp's` Amazon S3 bucket named `amzn-s3-demo-bucket-yellow`. A policy with this resource allows team members to access their team bucket, but not those of other teams. For users without team tags, it sets a default value of `company-wide` for the bucket name. These users can access only the `amzn-s3-demo-bucket-company-wide` bucket where they can view broad information, such as instructions for joining a team.
```
"Resource":"arn:aws:s3:::amzn-s3-demo-bucket-${aws:PrincipalTag/team, 'company-wide'}"
```
## For more information
For more information about policies, see the following:
+ [Policies and permissions in AWS Identity and Access Management](access_policies.md)
+ [Example IAM identity-based policies](access_policies_examples.md)
+ [IAM JSON policy element reference](reference_policies_elements.md)
+ [Policy evaluation logic](reference_policies_evaluation-logic.md)
+ [OIDC federation](id_roles_providers_oidc.md)
# IAM JSON policy elements: Supported data types
This section lists the data types that are supported when you specify values in JSON policies. The policy language doesn't support all types for each policy element; for information about each element, see the preceding sections.
+ Strings
+ Numbers (Ints and Floats)
+ Boolean
+ Null
+ Lists
+ Maps
+ Structs (which are just nested Maps)
The following table maps each data type to the serialization. Note that all policies must be in UTF-8. For information about the JSON data types, go to [RFC 4627](https://datatracker.ietf.org/doc/html/rfc4627).
****
| Type | JSON |
| --- | --- |
| String | String |
| Integer | Number |
| Float | Number |
| Boolean | true false |
| Null | null |
| Date | String adhering to the [W3C Profile of ISO 8601](http://www.w3.org/TR/NOTE-datetime) |
| IpAddress | String adhering to [RFC 4632](https://datatracker.ietf.org/doc/html/rfc4632) |
| List | Array |
| Object | Object |
# Policy evaluation logic
When a principal tries to use the AWS Management Console, the AWS API, or the AWS CLI, that principal sends a *request* to AWS. When an AWS service receives the request, AWS completes several steps to determine whether to allow or deny the request.
1. **Authentication** – AWS first authenticates the principal that makes the request, if necessary. This step is not necessary for a few services, such as Amazon S3, that allow some requests from anonymous users.
1. **[Processing the request context](reference_policies_evaluation-logic_policy-eval-reqcontext.md)** – AWS processes the information gathered in the request to determine which policies apply to the request.
1. **[How AWS enforcement code logic evaluates requests to allow or deny access](reference_policies_evaluation-logic_policy-eval-denyallow.md)** – AWS evaluates all of the policy types and the order of the policies affects how they are evaluated. AWS then processes the policies against the request context to determine whether the request is allowed or denied.
## Evaluating identity-based policies with resource-based policies
Identity-based policies and resource-based policies grant permissions to the identities or resources to which they are attached. When an IAM entity (user or role) requests access to a resource within the same account, AWS evaluates all the permissions granted by the identity-based and resource-based policies. The resulting permissions are the union of the permissions of the two types. If an action is allowed by an identity-based policy, a resource-based policy, or both, then AWS allows the action. An explicit deny in either of these policies overrides the allow.
![\[Evaluation of identity-based policies and resource-based policies\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/permissions_policies_effective.png)
## Evaluating identity-based policies with permissions boundaries
When AWS evaluates the identity-based policies and permissions boundary for a user, the resulting permissions are the intersection of the two categories. That means that when you add a permissions boundary to a user with existing identity-based policies, you might reduce the actions that the user can perform. Alternatively, when you remove a permissions boundary from a user, you might increase the actions they can perform. An explicit deny in either of these policies overrides the allow. To view information about how other policy types are evaluated with permissions boundaries, see [Evaluating effective permissions with boundaries](access_policies_boundaries.md#access_policies_boundaries-eval-logic).
![\[Evaluation of identity-based policies and permissions boundaries\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/permissions_boundary.png)
## Evaluating identity-based policies with AWS Organizations SCPs or RCPs
When a user belongs to an account that is a member of an organization and accesses a resource that doesn't have a resource-based policy configured, the resulting permissions are the intersection of the user's policies, service control policies (SCPs), and resource control policy (RCP). This means that an action must be allowed by all three policy types. An explicit deny in the identity-based policy, an SCP, or an RCP overrides the allow.
![\[Evaluation of identity-based policies and SCPs or RCPs\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/permissions_scp-idp.png)
You can learn [whether your account is a member of an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_details.html#orgs_view_account) in AWS Organizations. Organization members might be affected by an SCP or RCP. To view this data using the AWS CLI command or AWS API operation, you must have permissions for the `organizations:DescribeOrganization` action for your AWS Organizations entity. You must have additional permissions to perform the operation in the AWS Organizations console. To learn whether an SCP or RCP is denying access to a specific request, or to change your effective permissions, contact your AWS Organizations administrator.
# Processing the request context
When AWS evaluates and authorizes a request, it assembles the request information into a *request context*. The request context contains any information that can be used in policy evaluation.
+ **Principal** – The user, role, or federated user principal that sent the request. Information about the principal includes the policies that are associated with that principal.
+ **Actions** – One or more actions that the principal wants to perform.
+ **Resources** – One or more AWS resource objects upon which the actions or operations are performed.
+ **Resource data** – Data related to the resource that is being requested. This can include information such as a DynamoDB table name or a tag on an Amazon EC2 instance.
+ **Environment data** – Information about the IP address, user agent, SSL enabled status, or the time of day.
This information is compared against applicable policies to determine whether to allow or deny the request. You can organize this property information using the **Principal**, **Action**, **Resource**, and **Condition** (PARC) model to better understand how AWS policies are evaluated.
## Understanding the PARC model
The PARC model represents the request context based on the four JSON elements in the policy language:
+ [Principal](reference_policies_elements_principal.md) – The entity making the request. A principal represents a human user or programmatic workload that can be authenticated and then authorized to perform actions in AWS accounts.
+ [Action](reference_policies_elements_action.md) – The operation being performed. Often the action will map to an API action.
+ [Resource](reference_policies_elements_resource.md) – The AWS resource on which the action is being performed.
+ [Condition](reference_policies_elements_condition.md) – Additional constraints that must be met for the request to be allowed.
The following shows an example of how the PARC model might represent a request context:
```
Principal: AIDA123456789EXAMPLE
Action: s3:CreateBucket
Resource: arn:aws:s3:::amzn-s3-demo-bucket1
Context:
- aws:UserId=AIDA123456789EXAMPLE:BobsSession
- aws:PrincipalAccount=123456789012
- aws:PrincipalOrgId=o-example
- aws:PrincipalARN=arn:aws:iam::AIDA123456789EXAMPLE:role/HR
- aws:MultiFactorAuthPresent=true
- aws:CurrentTime=...
- aws:EpochTime=...
- aws:SourceIp=...
- aws:PrincipalTag/dept=123
- aws:PrincipalTag/project=blue
- aws:RequestTag/dept=123
```
## Importance of the request context
Understanding the request context and how it interacts with policy evaluation is crucial for:
+ Troubleshooting access issues
+ Designing effective and secure policies
+ Understanding the full scope of permissions granted by a policy
+ Predicting the outcome of policy evaluations in different scenarios
By visualizing the request context using the PARC model, you can more easily understand how AWS makes authorization decisions and design your policies more effectively.
## How AWS uses the request context
When evaluating policies, AWS compares the information in the request context with the information specified in all applicable policies. This includes identity-based policies, resource-based policies, IAM permissions boundaries, Organizations SCPs, Organizations RCPs, and session policies.
For each policy type, AWS uses the request context to check:
+ Whether the policy applies to the request based on the principal.
+ Whether the requested action is allowed on the specified resource.
+ Whether any conditions specified in the policy are met by the request context.
How AWS evaluates policies depends on the types of policies that apply to the request context. These policy types are available for use within a single AWS account. For more information about these policy types, see [Policies and permissions in AWS Identity and Access Management](access_policies.md). To learn how AWS evaluates policies for cross-account access, see [Cross-account policy evaluation logic](reference_policies_evaluation-logic-cross-account.md).
+ **AWS Organizations resource control policies (RCPs)** – AWS Organizations RCPs specify the maximum available permissions for resources within accounts in an organization or organizational unit (OU). RCPs apply to resources in member accounts and impact the effective permissions for principals, including the AWS account root user, regardless of whether the principals belong to your organization. RCPs don't apply to resources in the organization management account and to calls made by service-linked roles. If an RCP is present, permissions granted by identity-based and resource-based policies to resources in your member accounts are only effective if the RCP allows the action.
+ **AWS Organizations service control policies (SCPs)** – AWS Organizations SCPs specify the maximum available permissions for principals within accounts in an organization or organizational unit (OU). SCPs apply to principals in member accounts, including each AWS account root user. If an SCP is present, permissions granted by identity-based and resource-based policies to principals in your member accounts are only effective if the SCP allows the action. The only exceptions are principals in the organization management account and service-linked roles.
+ **Resource-based policies** – Resource-based policies grant permissions for principals specified in the policy. The permissions define what the principal can do with the resource to which the policy is attached.
+ **Permissions boundaries** – Permissions boundaries are a feature that sets the maximum permissions that an identity-based policy can grant to an IAM entity (user or role). When you set a permissions boundary for an entity, the entity can perform only the actions that are allowed by both its identity-based policies and its permissions boundary. In some cases, an implicit deny in a permissions boundary can limit the permissions granted by a resource-based policy. For more information, see [How AWS enforcement code logic evaluates requests to allow or deny access](reference_policies_evaluation-logic_policy-eval-denyallow.md).
+ **Identity-based policies** – Identity-based policies are attached to an IAM identity (user, group of users, or role) and grant permissions to IAM entities (users and roles). If only identity-based policies apply to a request, then AWS checks all of those policies for at least one `Allow`.
+ **Session policies** – Session policies are policies that you pass as parameters when you programmatically create a temporary session for a role or federated user session. To create a role session programmatically, use one of the `AssumeRole*` API operations. When you do this and pass session policies, the resulting session's permissions are the intersection of the IAM entity's identity-based policy and the session policies. To create a federated user session, you use the IAM user access keys to programmatically call the `GetFederationToken` API operation. For more information, see [Session policies](access_policies.md#policies_session).
Remember, an explicit deny in any of these policies overrides the allow.
**Note**
**AWS Organizations declarative policies** allow you to centrally declare and enforce your desired configuration for a given AWS service at scale across an organization. Since declarative policies are applied directly at the service level, they don't directly impact policy evaluation requests and aren't included with the request context. For more information, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html) in the AWS Organizations User Guide.
## Example policy evaluation using the PARC model
To illustrate how the request context interacts with policy evaluation, let's consider an example policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:CreateBucket",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket1",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/dept": "123"
}
}
}
]
}
```
------
In this example, the policy would allow the `CreateBucket` action only when the request context includes an `aws:PrincipalTag/dept` value of "123" and the resource matches the `amzn-s3-demo-bucket1` bucket name. The following table shows how AWS uses the request context to evaluate this policy and make authorization decisions.
| Policy | Request context | Evaluation result |
| --- | --- | --- |
| "StringEquals": {
"aws:PrincipalTag/dept": "123"
} | Principal: AIDA123456789EXAMPLE
Action: s3:CreateBucket
Resource: arn:aws:s3:::amzn-s3-demo-bucket1
Context:
- aws:PrincipalTag/dept=123
| **Match** |
| "StringEquals": {
"aws:PrincipalTag/dept": "123"
} | Principal: AIDA123456789EXAMPLE
Action: s3:DeleteBucket
Resource: arn:aws:s3:::amzn-s3-demo-bucket1
Context:
- aws:PrincipalTag/dept=123
| **No match** |
| "StringEquals": {
"aws:PrincipalTag/dept": "123"
} | Principal: AIDA123456789EXAMPLE
Action: s3:CreateBucket
Resource: arn:aws:s3:::amzn-s3-demo-bucket1
Context:
- aws:PrincipalTag/dept=321
| **No match** |
| "StringEquals": {
"aws:PrincipalTag/dept": "123"
} | Principal: AIDA123456789EXAMPLE
Action: s3:CreateBucket
Resource: arn:aws:s3:::amzn-s3-demo-bucket1
Context:
No `aws:PrincipalTag` in the request. | **No match** |
# How AWS enforcement code logic evaluates requests to allow or deny access
The AWS enforcement code decides whether a request sent to AWS should be allowed or denied. AWS evaluates all policies that are applicable to the request context. The following is a summary of the AWS policy evaluation logic.
+ By default, all requests are implicitly denied with the exception of the AWS account root user, which has full access.
+ Requests must be explicitly allowed by a policy or set of policies following the evaluation logic below to be allowed.
+ An explicit deny overrides an explicit allow.
Policy evaluation can differ depending on whether the request is within a single account or a cross-account request. For details about how a policy evaluation decision is made for an IAM role or user within a single account, see [Policy evaluation for requests within a single account](reference_policies_evaluation-logic_policy-eval-basics.md). For details about how a policy evaluation decision is made for cross-account requests, see [Cross-account policy evaluation logic](reference_policies_evaluation-logic-cross-account.md).
+ **Deny evaluation** – By default, all requests are denied. This is called an [implicit deny](reference_policies_evaluation-logic_AccessPolicyLanguage_Interplay.md). The AWS enforcement code evaluates all policies within the account that apply to the request. These include AWS Organizations SCPs and RCPs, resource-based policies, identity-based policies, IAM permissions boundaries, and session policies. In all those policies, the enforcement code looks for a `Deny` statement that applies to the request. This is called an [explicit deny](reference_policies_evaluation-logic_AccessPolicyLanguage_Interplay.md). If the enforcement code finds even one explicit deny that applies, the enforcement code returns a final decision of **Deny**. If there is no explicit deny, the enforcement code evaluation continues.
+ **AWS Organizations RCPs** – The enforcement code evaluates AWS Organizations resource control policies (RCPs) that apply to the request. RCPs apply to resources of the account where the RCPs are attached. If the enforcement code does not find any applicable `Allow` statements in the RCPs, the enforcement code returns a final decision of **Deny**. Note that an AWS managed policy called `RCPFullAWSAccess` is automatically created and attached to every entity in your organization including the root, each OU, and AWS account when RCPs are enabled. `RCPFullAWSAccess` can't be detached, so there will always be an `Allow` statement. If there is no RCP, or if the RCP allows the requested action, the enforcement code evaluation continues.
+ **AWS Organizations SCPs** – The enforcement code evaluates AWS Organizations service control policies (SCPs) that apply to the request. SCPs apply to principals of the account where the SCPs are attached. If the enforcement code does not find any applicable `Allow` statements in the SCPs, the enforcement code returns a final decision of **Deny**. If there is no SCP, or if the SCP allows the requested action, the enforcement code evaluation continues.
+ **Resource-based policies** – Within the same account, resource-based policies impact policy evaluation differently depending on the type of principal accessing the resource, and the principal that is allowed in the resource-based policy. Depending on the type of principal, an `Allow` in a resource-based policy can result in a final decision of `Allow`, even if an implicit deny in an identity-based policy, permissions boundary, or session policy is present.
For most resources, you only need an explicit `Allow` for the principal in either an identity-based policy or a resource-based policy to grant access. [IAM role trust policies](access_policies-cross-account-resource-access.md#access_policies-cross-account-delegating-resource-based-policies) and [KMS key policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) are exceptions to this logic, because they must explicitly allow access for [principals](reference_policies_elements_principal.md). Resource-based policies for services other than IAM and AWS KMS may also require an explicit `Allow` statement within the same account to grant access. For more information, see the documentation for the specific service you're working with.
For single account policy evaluation requests, resource-based policy logic differs from other policy types if the specified principal is an IAM user, an IAM role, or a session principal. Session principals include [IAM role sessions](reference_policies_elements_principal.md#principal-role-session) or an [AWS STS federated user principals](reference_policies_elements_principal.md#sts-session-principals). If a resource-based policy grants permission directly to the IAM user or the session principal that is making the request, then an implicit deny in an identity-based policy, a permissions boundary, or a session policy does not impact the final decision.
+ **IAM role** – Resource-based policies that grant permissions to an IAM role ARN are limited by an implicit deny in a permissions boundary or session policy. You can specify the role ARN in the Principal element or the `aws:PrincipalArn` condition key. In both cases, the principal that makes the request is the **IAM role session**.
Permissions boundaries and session policies do not limit permissions granted using the `aws:PrincipalArn` condition key with a wildcard(\$1) in the Principal element, unless the identity-based policies contain an explicit deny. For more information, see [IAM role principals](reference_policies_elements_principal.md#principal-roles).
**Example role ARN**
```
arn:aws:iam::111122223333:role/examplerole
```
+ **IAM role session** – Within the same account, resource-based policies that grant permissions to an IAM role session ARN grant permissions directly to the assumed role session. Permissions granted directly to a session are not limited by an implicit deny in an identity-based policy, a permissions boundary, or session policy. When you assume a role and make a request, the principal making the request is the IAM role session ARN and not the ARN of the role itself. For more information, see [Role session principals](reference_policies_elements_principal.md#principal-role-session).
**Example role session ARN**
```
arn:aws:sts::111122223333:assumed-role/examplerole/examplerolesessionname
```
+ **IAM user** – Within the same account, resource-based policies that grant permissions to an IAM user ARN (that is not a federated user session) are not limited by an implicit deny in an identity-based policy or permissions boundary.
**Example IAM user ARN**
```
arn:aws:iam::111122223333:user/exampleuser
```
+ **AWS STS federated user principal** – A federated user session is a session created by calling [`GetFederationToken`](id_credentials_temp_request.md#api_getfederationtoken). When a federated user makes a request, the principal making the request is the federated user ARN and not the ARN of the IAM user who federated. Within the same account, resource-based policies that grant permissions to a federated user ARN grant permissions directly to the session. Permissions granted directly to a session are not limited by an implicit deny in an identity-based policy, a permissions boundary, or session policy.
However, if a resource-based policy grants permission to the ARN of the IAM user who federated, then requests made by the federated user during the session are limited by an implicit deny in a permission boundary or session policy.
**Example federated user session ARN**
```
arn:aws:sts::111122223333:federated-user/exampleuser
```
+ **Identity-based policies** – The enforcement code checks the identity-based policies for the principal. For an IAM user, these include user policies and policies from groups to which the user belongs. If there are no identity-based policies or no statements in identity-based policies that allow the requested action, then the request is implicitly denied and the enforcement code returns a final decision of **Deny**. If any statement in any applicable identity-based policies allows the requested action, the code evaluation continues.
+ **IAM permissions boundaries** – The enforcement code checks whether the IAM entity that is used by the principal has a permissions boundary. If the policy that is used to set the permissions boundary does not allow the requested action, then the request is implicitly denied. The enforcement code returns a final decision of **Deny**. If there is no permissions boundary, or if the permissions boundary allows the requested action, the code evaluation continues.
+ **Session policies** – The enforcement code checks whether the principal is a session principal. Session principals include an IAM role session or an AWS STS federated user session. If the principal is not a session principal, the enforcement code returns a final decision of **Allow**.
For session principals, the enforcement code checks whether a session policy was passed in the request. You can pass a session policy while using the AWS CLI or AWS API to get temporary credentials for a role or an AWS STS federated user principal. If you didn't pass a session policy, a default session policy is created and the enforcement code returns a final decision of **Allow**.
+ If a session policy is present and does not allow the requested action, then the request is implicitly denied. The enforcement code returns a final decision of **Deny**.
+ The enforcement code checks whether the principal is a role session. If the principal is a role session, then the request is **Allowed**. Otherwise, the request is implicitly denied and the enforcement code returns a final decision of **Deny**.
+ If a session policy is present and allows the requested action, then the enforcement code returns a final decision of **Allow**.
# Policy evaluation for requests within a single account
## Policy evaluation for an IAM role
The following flow chart provides details about how a policy evaluation decision is made for an IAM role within a single account.
![\[Evaluation flow chart for an IAM role within a single account\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/PolicyEvaluationSingleAccountRole.png)
## Policy evaluation for an IAM user
The following flow chart provides details about how a policy evaluation decision is made for an IAM user within a single account.
![\[Evaluation flow chart for an IAM user within a single account\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/PolicyevaluationSingleAccountUser.png)
## Example identity-based and resource-based policy evaluation
The most common types of policies are identity-based policies and resource-based policies. When access to a resource is requested, AWS evaluates all the permissions granted by the policies for **at least one Allow** within the same account. An explicit deny in any of the policies overrides the allow.
**Important**
If either the identity-based policy or the resource-based policy within the same account allows the request and the other doesn't, the request is still allowed.
Assume that Carlos has the user name `carlossalazar` and he tries to save a file to the `amzn-s3-demo-bucket-carlossalazar-logs` Amazon S3 bucket.
Also assume that the following policy is attached to the `carlossalazar` IAM user.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowS3ListRead",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetAccountPublicAccessBlock",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "AllowS3Self",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket-carlossalazar/*",
"arn:aws:s3:::amzn-s3-demo-bucket-carlossalazar"
]
},
{
"Sid": "DenyS3Logs",
"Effect": "Deny",
"Action": "s3:*",
"Resource": "arn:aws:s3:::*log*"
}
]
}
```
------
The `AllowS3ListRead` statement in this policy allows Carlos to view a list of all of the buckets in the account. The `AllowS3Self` statement allows Carlos full access to the bucket with the same name as his user name. The `DenyS3Logs` statement denies Carlos access to any S3 bucket with `log` in its name.
Additionally, the following resource-based policy (called a bucket policy) is attached to the `amzn-s3-demo-bucket-carlossalazar` bucket.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/carlossalazar"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket-carlossalazar/*",
"arn:aws:s3:::amzn-s3-demo-bucket-carlossalazar"
]
}
]
}
```
------
This policy specifies that only the `carlossalazar` user can access the `amzn-s3-demo-bucket-carlossalazar` bucket.
When Carlos makes his request to save a file to the `amzn-s3-demo-bucket-carlossalazar-logs` bucket, AWS determines what policies apply to the request. In this case, only the identity-based policy and the resource-based policy apply. These are both permissions policies. Because no permissions boundaries apply, the evaluation logic is reduced to the following logic.
![\[Evaluation flow chart\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/EffectivePermissionsShort.png)
AWS first checks for a `Deny` statement that applies to the context of the request. It finds one, because the identity-based policy explicitly denies Carlos access to any S3 buckets used for logging. Carlos is denied access.
Assume that he then realizes his mistake and tries to save the file to the `amzn-s3-demo-bucket-carlossalazar` bucket. AWS checks for a `Deny` statement and does not find one. It then checks the permissions policies. Both the identity-based policy and the resource-based policy allow the request. Therefore, AWS allows the request. If either of them explicitly denied the statement, the request would have been denied. If one of the policy types allows the request and the other doesn't, the request is still allowed.
# Cross-account policy evaluation logic
You can allow a principal in one account to access resources in a second account. This is called cross-account access. When you allow cross-account access, the account where the principal exists is called the *trusted* account. The account where the resource exists is the *trusting* account.
To allow cross-account access, you attach a resource-based policy to the resource that you want to share. You must also attach an identity-based policy to the identity that acts as the principal in the request. The resource-based policy in the trusting account must specify the principal of the trusted account that will have access to the resource. You can specify the entire account or its IAM users, AWS STS federated user principals, IAM roles, or assumed-role sessions. You can also specify an AWS service as a principal. For more information, see [How to specify a principal](reference_policies_elements_principal.md#Principal_specifying).
The principal's identity-based policy must allow the requested access to the resource in the trusting service. You can do this by specifying the ARN of the resource.
In IAM, you can attach a resource-based policy to an IAM role to allow principals in other accounts to assume that role. The role's resource-based policy is called a role trust policy. After assuming that role, the allowed principals can use the resulting temporary credentials to access multiple resources in your account. This access is defined in the role's identity-based permissions policy. To learn how allowing cross-account access using roles is different from allowing cross-account access using other resource-based policies, see [Cross account resource access in IAM](access_policies-cross-account-resource-access.md).
**Important**
Other services can affect the policy evaluation logic. For example, AWS Organizations supports [service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) and [resource control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) that can be applied to principals and resources in one or more accounts. AWS Resource Access Manager supports [policy fragments](https://docs.aws.amazon.com/ram/latest/userguide/permissions.html) that control which actions that principals are allowed to perform on resources that are shared with them.
## Determining whether a cross-account request is allowed
For cross-account requests, the requester in the trusted `AccountA` must have an identity-based policy. That policy must allow them to make a request to the resource in the trusting `AccountB`. Additionally, the resource-based policy in `AccountB` must allow the requester in `AccountA` to access the resource.
When you make a cross-account request, AWS performs two evaluations. AWS evaluates the request in the trusting account and the trusted account. For more information about how a request is evaluated within a single account, see [How AWS enforcement code logic evaluates requests to allow or deny access](reference_policies_evaluation-logic_policy-eval-denyallow.md). The request is allowed only if both evaluations return a decision of `Allow`.
![\[Cross-account evaluation\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policy_cross-account-eval-simple.png)
1. When a principal in one account makes a request to access a resource in another account, this is a cross-account request.
1. The requesting principal exists in the trusted account (`AccountA`). When AWS evaluates this account, it checks the identity-based policy and any policies that can limit an identity-based policy. For more information, see [Evaluating identity-based policies with permissions boundaries](reference_policies_evaluation-logic.md#policy-eval-basics-id-bound).
1. The requested resource exists in the trusting account (`AccountB`). When AWS evaluates this account, it checks the resource-based policy that is attached to the requested resource and any policies that can limit a resource-based policy. For more information, see [Evaluating identity-based policies with resource-based policies](reference_policies_evaluation-logic.md#policy-eval-basics-id-rdp).
1. AWS allows the request only if both account policy evaluations allow the request.
The following flow chart provides a more detailed illustration of how a policy evaluation decision is made for a cross-account request. Again, AWS allows the request only if both account policy evaluations allow the request.
![\[Detailed cross-account policy evaluation\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/PolicyEvaluationCrossAccount.png)
## Example cross-account policy evaluation
The following example demonstrates a scenario where a role in one account is granted permissions by a resource-based policy in a second account.
Assume that Carlos is a developer with an IAM role named `Demo` in account 111111111111. He wants to save a file to the `amzn-s3-demo-bucket-production-logs` Amazon S3 bucket in account 222222222222.
Also assume that the following policy is attached to the `Demo` IAM role.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowS3ListRead",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "AllowS3ProductionObjectActions",
"Effect": "Allow",
"Action": "s3:*Object*",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket-production/*"
},
{
"Sid": "DenyS3Logs",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::*log*",
"arn:aws:s3:::*log*/*"
]
}
]
}
```
------
The `AllowS3ListRead` statement in this policy allows Carlos to view a list of all of the buckets in Amazon S3. The `AllowS3ProductionObjectActions` statement allows Carlos full access to objects in the `amzn-s3-demo-bucket-production` bucket.
Additionally, the following resource-based policy (called a bucket policy) is attached to the `amzn-s3-demo-bucket-production` bucket in account 222222222222.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject*",
"s3:PutObject*",
"s3:ReplicateObject",
"s3:RestoreObject"
],
"Principal": { "AWS": "arn:aws:iam::111111111111:role/Demo" },
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket-production/*"
}
]
}
```
------
This policy allows the `Demo` role to access objects in the `amzn-s3-demo-bucket-production` bucket. The role can create and edit, but not delete the objects in the bucket. The role can't manage the bucket itself.
When Carlos makes his request to save a file to the `amzn-s3-demo-bucket-production-logs` bucket, AWS determines what policies apply to the request. In this case, the identity-based policy attached to the `Demo` role is the only policy that applies in account `111111111111`. In account `222222222222`, there is no resource-based policy attached to the `amzn-s3-demo-bucket-production-logs` bucket. When AWS evaluates account `111111111111`, it returns a decision of `Deny`. This is because the `DenyS3Logs` statement in the identity-based policy explicitly denies access to any log buckets. For more information about how a request is evaluated within a single account, see [How AWS enforcement code logic evaluates requests to allow or deny access](reference_policies_evaluation-logic_policy-eval-denyallow.md).
Because the request is explicitly denied within one of the accounts, the final decision is to deny the request.
![\[Request to amzn-s3-demo-bucket-production-logs bucket\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policy_cross-account-eval-example.png)
Assume that Carlos then realizes his mistake and tries to save the file to the `Production` bucket. AWS first checks account `111111111111` to determine if the request is allowed. Only the identity-based policy applies, and it allows the request. AWS then checks account `222222222222`. Only the resource-based policy attached to the `Production` bucket applies, and it allows the request. Because both accounts allow the request, the final decision is to allow the request.
![\[Request to Production bucket\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policy_cross-account-eval-example-correct.png)
# The difference between explicit and implicit denies
A request results in an explicit deny if an applicable policy includes a `Deny` statement. If policies that apply to a request include an `Allow` statement and a `Deny` statement, the `Deny` statement trumps the `Allow` statement. The request is explicitly denied.
An implicit denial occurs when there is no applicable `Deny` statement but also no applicable `Allow` statement. Because an IAM principal is denied access by default, they must be explicitly allowed to perform an action. Otherwise, they are implicitly denied access.
When you design your authorization strategy, you must create policies with `Allow` statements to allow your principals to successfully make requests. However, you can choose any combination of explicit and implicit denies.
For example, you can create the following policy that includes allowed actions, implicitly denied actions, and explicitly denied actions. The `AllowGetList` statement **allows** read-only access to IAM actions that begin with the prefixes `Get` and `List`. All other actions in IAM, such as `iam:CreatePolicy` are **implicitly denied**. The `DenyReports` statement **explicitly denies** access to IAM reports by denying access to actions that include the `Report` suffix, such as `iam:GetOrganizationsAccessReport`. If someone adds another policy to this principal to grant them access to IAM reports, such as `iam:GenerateCredentialReport`, report-related requests are still denied because of this explicit deny.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowGetList",
"Effect": "Allow",
"Action": [
"iam:Get*",
"iam:List*"
],
"Resource": "*"
},
{
"Sid": "DenyReports",
"Effect": "Deny",
"Action": "iam:*Report",
"Resource": "*"
}
]
}
```
------
# Grammar of the IAM JSON policy language
This page presents a formal grammar for the language used to create JSON policies in IAM. We present this grammar so that you can understand how to construct and validate policies.
For examples of policies, see the following topics:
+ [Policies and permissions in AWS Identity and Access Management](access_policies.md)
+ [Example IAM identity-based policies](access_policies_examples.md)
+ [Example Policies for Working in the Amazon EC2 Console](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-ec2-console.html) and [Example Policies for Working With the AWS CLI, the Amazon EC2 CLI, or an AWS SDK](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html) in the *Amazon EC2 User Guide*.
+ [Bucket Policy Examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) and [User Policy Examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-policies-s3.html) in the *Amazon Simple Storage Service User Guide*.
For examples of policies used in other AWS services, go to the documentation for those services.
**Topics**
+ [The policy language and JSON](#policies-grammar-json)
+ [Conventions used in this grammar](#policies-grammar-conventions)
+ [Grammar](#policies-grammar-bnf)
+ [Policy grammar notes](#policies-grammar-notes)
## The policy language and JSON
Policies are expressed in JSON. When you create or edit a JSON policy, IAM can perform policy validation to help you create an effective policy. IAM identifies JSON syntax errors, while IAM Access Analyzer provides additional policy checks with recommendations to help you further refine your policies. To learn more about policy validation, see [IAM policy validation](access_policies_policy-validator.md). To learn more about IAM Access Analyzer policy checks and actionable recommendations, see [ IAM Access Analyzer policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html).
In this document, we do not provide a complete description of what constitutes valid JSON. However, here are some basic JSON rules:
+ White space between individual entities is allowed.
+ Values are enclosed in quotation marks. Quotation marks are optional for numeric and Boolean values.
+ Many elements (for example, `action_string_list` and `resource_string_list`) can take a JSON array as a value. Arrays can take one or more values. If more than one value is included, the array is in square brackets (`[` and `]`) and comma-delimited, as in the following example:
`"Action" : ["ec2:Describe*","ec2:List*"]`
+ Basic JSON data types (Boolean, number, and string) are defined in [RFC 7159](https://datatracker.ietf.org/doc/html/rfc7159).
## Conventions used in this grammar
The following conventions are used in this grammar:
+ The following characters are JSON tokens and *are* included in policies:
`{ } [ ] " , :`
+ The following characters are special characters in the grammar and are *not* included in policies:
`= < > ( ) |`
+ If an element allows multiple values, it is indicated using repeated values, a comma delimiter, and an ellipsis (`...`). Examples:
`[, , ...]`
` = { , , ... }`
If multiple values are allowed, it is also valid to include only one value. For only one value, the trailing comma must be omitted. If the element takes an array (marked with [ and ]) but only one value is included, the brackets are optional. Examples:
`"Action": []`
`"Action": `
+ A question mark (`?`) following an element indicates that the element is optional. Example:
<`version_block?>`
However, be sure to refer to the notes that follow the grammar listing for details about optional elements.
+ A vertical line (`|`) between elements indicates alternatives. In the grammar, parentheses define the scope of the alternatives. Example:
`("Principal" | "NotPrincipal")`
+ Elements that must be literal strings are enclosed in double quotation marks (`"`). Example:
` = "Version" : ("2008-10-17" | "2012-10-17" )`
For additional notes, see [Policy grammar notes](#policies-grammar-notes) following the grammar listing.
## Grammar
The following listing describes the policy language grammar. For conventions used in the listing, see the preceding section. For additional information, see the notes that follow.
**Note**
This grammar describes policies marked with a version of `2008-10-17 ` and `2012-10-17 `. A `Version` policy element is different from a policy version. The `Version` policy element is used within a policy and defines the version of the policy language. A policy version, on the other hand, is created when you make changes to a customer managed policy in IAM. The changed policy doesn't overwrite the existing policy. Instead, IAM creates a new version of the managed policy. To learn more about the `Version` policy element see [IAM JSON policy elements: Version](reference_policies_elements_version.md). To learn more about policy versions, see [Versioning IAM policies](access_policies_managed-versioning.md).
```
policy = {
,
,
}
= "Version" : ("2008-10-17" | "2012-10-17" )
= "Id" :
= "Statement" : [ , , ... ]
= {
,
,
,
,
,
}
= "Sid" :
= "Effect" : ("Allow" | "Deny")
= ("Principal" | "NotPrincipal") : ("*" | )
= { , , ... }
= ("AWS" | "Federated" | "Service" | "CanonicalUser") :
[, , ...]
= ("Action" | "NotAction") :
("*" | | [, , ...])
= ("Resource" | "NotResource") :
: ("*" | | [, , ...])
= "Condition" : { }
= {
: { : },
: { : }, ...
}
= [, , ...]
= ( | | )
```
## Policy grammar notes
+ A single policy can contain an array of statements.
+ Policies have a maximum size between 2048 characters and 10,240 characters, depending on what entity the policy is attached to. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md). Policy size calculations do not include white space characters.
+ Individual elements must not contain multiple instances of the same key. For example, you cannot include the `Effect` block twice in the same statement.
+ Blocks can appear in any order. For example, `version_block` can follow `id_block` in a policy. Similarly, `effect_block`, `principal_block`, `action_block` can appear in any order within a statement.
+ The `id_block` is optional in resource-based policies. It must *not* be included in identity-based policies.
+ The `principal_block` element is required in resource-based policies (for example, in Amazon S3 bucket policies) and in trust policies for IAM roles. It must *not* be included in identity-based policies.
+ The `principal_map` element in Amazon S3 bucket policies can include the `CanonicalUser` ID. Most resource-based policies do not support this mapping. To learn more about using the canonical user ID in a bucket policy, see [Specifying a Principal in a Policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-bucket-user-policy-specifying-principal-intro.html) in the *Amazon Simple Storage Service User Guide*.
+ Each string value (`policy_id_string`, `sid_string`, `principal_id_string`, `action_string`, `resource_string`, `condition_type_string`, `condition_key_string`, and the string version of `condition_value`) can have its own minimum and maximum length restrictions, specific allowed values, or required internal format.
### Notes about string values
This section provides additional information about string values that are used in different elements in a policy.
**`action_string`**
Consists of a service namespace, a colon, and the name of an action. Action names can include wildcards. Examples:
```
"Action":"ec2:StartInstances"
"Action":[
"ec2:StartInstances",
"ec2:StopInstances"
]
"Action":"cloudformation:*"
"Action":"*"
"Action":[
"s3:Get*",
"s3:List*"
]
```
**`policy_id_string`**
Provides a way to include information about the policy as a whole. Some services, such as Amazon SQS and Amazon SNS, use the `Id` element in reserved ways. Unless otherwise restricted by an individual service, policy\$1id\$1string can include spaces. Some services require this value to be unique within an AWS account.
The `id_block` is allowed in resource-based policies, but not in identity-based policies.
There is no limit to the length, although this string contributes to the overall length of the policy, which is limited.
```
"Id":"Admin_Policy"
"Id":"cd3ad3d9-2776-4ef1-a904-4c229d1642ee"
```
**`sid_string`**
Provides a way to include information about an individual statement. For IAM policies, basic alphanumeric characters (A-Z,a-z,0-9) are the only allowed characters in the `Sid` value. Other AWS services that support resource policies may have other requirements for the `Sid` value. For example, some services require this value to be unique within an AWS account, and some services allow additional characters such as spaces in the `Sid` value.
```
"Sid":"1"
"Sid": "ThisStatementProvidesPermissionsForConsoleAccess"
```
**`principal_id_string`**
Provides a way to specify a principal using the [*Amazon Resource Name* (ARN)](reference_identifiers.md#identifiers-arns) of the AWS account, IAM user, IAM role, federated user, or assumed-role user. For an AWS account, you can also use the short form `AWS:accountnumber` instead of the full ARN. For all of the options including AWS services, assumed roles, and so on, see [How to specify a principal](reference_policies_elements_principal.md#Principal_specifying).
Note that you can use \$1 only to specify "everyone/anonymous." You cannot use it to specify part of a name or ARN.
**`resource_string`**
In most cases, consists of an [Amazon Resource Name](reference_identifiers.md#identifiers-arns) (ARN). You can use wildcards (\$1 and ?) in the resource portion of the ARN. For more information about using wildcards in ARNs, see [Using wildcards in paths](reference-arns.md#arns-paths-wildcards).
When you specify an incomplete ARN (one with fewer than the standard six fields) in an identity-based policy, AWS automatically completes the ARN by adding wildcard characters (\$1) to all missing fields. For example, specifying `arn:aws:sqs` is equivalent to `arn:aws:sqs:*:*:*`, which grants access to all Amazon Amazon SQS resources across all regions and accounts. However, session policies passed to AWS STS AssumeRole, AssumeRoleWithWebIdentity, and AssumeRoleWithSAML requests, do not support incomplete ARNs. Using an incomplete ARN in a session policy will result in a `MalformedPolicyDocumentException` error.
```
"Resource":"arn:aws:iam::123456789012:user/Bob"
"Resource":"arn:aws:s3:::amzn-s3-demo-bucket/*"
```
**`condition_type_string`**
Identifies the type of condition being tested, such as `StringEquals`, `StringLike`, `NumericLessThan`, `DateGreaterThanEquals`, `Bool`, `BinaryEquals`, `IpAddress`, `ArnEquals`, etc. For a complete list of condition types, see [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md).
```
"Condition": {
"NumericLessThanEquals": {
"s3:max-keys": "10"
}
}
"Condition": {
"Bool": {
"aws:SecureTransport": "true"
}
}
"Condition": {
"StringEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
```
**`condition_key_string`**
Identifies the condition key whose value will be tested to determine whether the condition is met. AWS defines a set of condition keys that are available in all AWS services, including `aws:PrincipalType`, `aws:SecureTransport`, and `aws:userid`.
For a list of AWS condition keys, see [AWS global condition context keys](reference_policies_condition-keys.md). For condition keys that are specific to a service, see the documentation for that service such as the following:
+ [Specifying Conditions in a Policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html) in the *Amazon Simple Storage Service User Guide*
+ [IAM Policies for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html) in the *Amazon EC2 User Guide*.
```
"Condition":{
"Bool": {
"aws:SecureTransport": "true"
}
}
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
"Condition": {
"StringEquals": {
"aws:ResourceTag/purpose": "test"
}
}
```
**`condition_value_string`**
Identifies the value of the condition\$1key\$1string that determines whether the condition is met. For a complete list of valid values for a condition type, see [IAM JSON policy elements: Condition operators](reference_policies_elements_condition_operators.md).
```
"Condition":{
"ForAnyValue:StringEquals": {
"dynamodb:Attributes": [
"ID",
"PostDateTime"
]
}
}
```
# AWS managed policies for job functions
We recommend using policies that [grant least privilege](best-practices.md#grant-least-privilege), or granting only the permissions required to perform a task. The most secure way to grant least privilege is to write a custom policy with only the permissions needed by your team. You must create a process to allow your team to request more permissions when necessary. It takes time and expertise to [create IAM customer managed policies](access_policies_create-console.md) that provide your team with only the permissions they need.
To get started adding permissions to your IAM identities (users, groups of users, and roles), you can use [AWS managed policies](access_policies_managed-vs-inline.md#aws-managed-policies). AWS managed policies cover common use cases and are available in your AWS account. AWS managed policies don't grant least privilege permissions. You must consider the security risk of granting your principals more permissions than they need to do their job.
You can attach AWS managed policies, including job functions, to any IAM identity. To switch to least privilege permissions, you can run AWS Identity and Access Management and Access Analyzer to monitor principals with AWS managed policies. After learning which permissions they are using, then you can write a custom policy or generate a policy with only the required permissions for your team. This is less secure, but provides more flexibility as you learn how your team is using AWS.
AWS managed policies for job functions are designed to closely align to common job functions in the IT industry. You can use these policies to grant the permissions needed to carry out the tasks expected of someone in a specific job function. These policies consolidate permissions for many services into a single policy that's easier to work with than having permissions scattered across many policies.
**Use Roles to Combine Services**
Some of the policies use IAM service roles to help you take advantage of features found in other AWS services. These policies grant access to `iam:passrole`, which allows a user with the policy to pass a role to an AWS service. This role delegates IAM permissions to the AWS service to carry out actions on your behalf.
You must create the roles according to your needs. For example, the Network Administrator policy allows a user with the policy to pass a role named "flow-logs-vpc" to the Amazon CloudWatch service. CloudWatch uses that role to log and capture IP traffic for VPCs created by the user.
To follow security best practices, the policies for job functions include filters that limit the names of valid roles that can be passed. This helps avoid granting unnecessary permissions. If your users do require the optional service roles, you must create a role that follows the naming convention specified in the policy. You then grant permissions to the role. Once that is done, the user can configure the service to use the role, granting it whatever permissions the role provides.
In the following sections, each policy's name is a link to the policy details page in the AWS Management Console. There you can see the policy document and review the permissions it grants.
## Administrator job function
**AWS managed policy name:** [AdministratorAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AdministratorAccess)
**Use case:** This user has full access and can delegate permissions to every service and resource in AWS.
**Policy updates:** AWS maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the **Policy versions** tab. For more information about job function policy updates, see [Updates to AWS managed policies for job functions](#security-iam-awsmanpol-jobfunction-updates).
**Policy description:** This policy grants all actions for all AWS services and for all resources in the account. For more information about the managed policy, see [AdministratorAccess](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/AdministratorAccess.html) in *AWS Managed Policy Reference Guide*.
**Note**
Before an IAM user or role can access the AWS Billing and Cost Management console with the permissions in this policy, you must first activate IAM user and role access. To do this, follow the instructions in [Grant access to the billing console](getting-started-account-iam.md) to delegate access to the billing console.
## Billing job function
**AWS managed policy name:** [Billing](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/Billing)
**Use case:** This user needs to view billing information, set up payments, and authorize payments. The user can monitor the costs accumulated for the entire AWS service.
**Policy updates:** AWS maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the **Policy versions** tab. For more information about job function policy updates, see [Updates to AWS managed policies for job functions](#security-iam-awsmanpol-jobfunction-updates).
**Policy description:** This policy grants full permissions for managing billing, costs, payment methods, budgets, and reports. For additional cost management policy examples, see [AWS Billing policy examples](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-example-policies.html) in the *AWS Billing and Cost Management User Guide*. For more information about the managed policy, see [Billing](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/Billing.html) in *AWS Managed Policy Reference Guide*.
**Note**
Before an IAM user or role can access the AWS Billing and Cost Management console with the permissions in this policy, you must first activate IAM user and role access. To do this, follow the instructions in [Grant access to the billing console](getting-started-account-iam.md) to delegate access to the billing console.
## Database administrator job function
**AWS managed policy name:** [DatabaseAdministrator](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/DatabaseAdministrator)
**Use case:** This user sets up, configures, and maintains databases in the AWS Cloud.
**Policy updates:** AWS maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the **Policy versions** tab. For more information about job function policy updates, see [Updates to AWS managed policies for job functions](#security-iam-awsmanpol-jobfunction-updates).
**Policy description:** This policy grants permissions to create, configure, and maintain databases. It includes access to AWS database services, such as Amazon DynamoDB, Amazon Relational Database Service (RDS), and Amazon Redshift. View the policy for the full list of database services that this policy supports. For more information about the managed policy, see [DatabaseAdministrator](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/DatabaseAdministrator.html) in *AWS Managed Policy Reference Guide*.
This job function policy supports the ability to pass roles to AWS services. The policy allows the `iam:PassRole` action for only those roles named in the following table. For more information, see [Creating roles and attaching policies (console)](access_policies_job-functions_create-policies.md) later in this topic.
| Use case | Role name (\$1 is a wildcard) | Service role type to select | Select this AWS managed policy |
| --- | --- | --- | --- |
| Allow the user to monitor RDS databases | [rds-monitoring-role](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html) | Amazon RDS Role for Enhanced Monitoring | [AmazonRDSEnhancedMonitoringRole](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole) |
| Allow AWS Lambda to monitor your database and access external databases | [rdbms-lambda-access](https://aws.amazon.com/blogs/big-data/from-sql-to-microservices-integrating-aws-lambda-with-relational-databases) | Amazon EC2 | [AWSLambda\$1FullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSLambda_FullAccess) |
| Allow Lambda to upload files to Amazon S3 and to Amazon Redshift clusters with DynamoDB | [lambda\$1exec\$1role](https://aws.amazon.com/blogs/big-data/a-zero-administration-amazon-redshift-database-loader) | AWS Lambda | Create a new managed policy as defined in the [AWS Big Data Blog](https://aws.amazon.com/blogs/big-data/a-zero-administration-amazon-redshift-database-loader) |
| Allow Lambda functions to act as triggers for your DynamoDB tables | [lambda-dynamodb-\$1](https://docs.aws.amazon.com/lambda/latest/dg/with-ddb.html) | AWS Lambda | [AWSLambdaDynamoDBExecutionRole](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole) |
| Allow Lambda functions to access Amazon RDS in a VPC | [lambda-vpc-execution-role](https://docs.aws.amazon.com/lambda/latest/dg/vpc-rds.html) | Create a role with a trust policy as defined in the [AWS Lambda Developer Guide](https://docs.aws.amazon.com/lambda/latest/dg/vpc-rds.html) | [AWSLambdaVPCAccessExecutionRole](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole) |
| Allow AWS Data Pipeline to access your AWS resources | [DataPipelineDefaultRole](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-roles.html) | Create a role with a trust policy as defined in the [AWS Data Pipeline Developer Guide](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-roles.html) | The AWS Data Pipeline documentation lists the required permissions for this use case. See [IAM roles for AWS Data Pipeline](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-roles.html) |
| Allow your applications running on Amazon EC2 instances to access your AWS resources | [DataPipelineDefaultResourceRole](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-roles.html) | Create a role with a trust policy as defined in the [AWS Data Pipeline Developer Guide](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-roles.html) | [AmazonEC2RoleforDataPipelineRole](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforDataPipelineRole) |
## Data scientist job function
**AWS managed policy name:** [DataScientist](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/DataScientist)
**Use case:** This user runs Hadoop jobs and queries. The user also accesses and analyzes information for data analytics and business intelligence.
**Policy updates:** AWS maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the **Policy versions** tab. For more information about job function policy updates, see [Updates to AWS managed policies for job functions](#security-iam-awsmanpol-jobfunction-updates).
**Policy description:** This policy grants permissions to create, manage, and run queries on an Amazon EMR cluster and perform data analytics with tools such as Amazon QuickSight. The policy includes access to additional data scientist services, such as AWS Data Pipeline, Amazon EC2, Amazon Kinesis, Amazon Machine Learning, and SageMaker AI. View the policy for the full list of data scientist services that this policy supports. For more information about the managed policy, see [DataScientist](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/DataScientist.html) in *AWS Managed Policy Reference Guide*.
This job function policy supports the ability to pass roles to AWS services. One statement allows passing any role to SageMaker AI. Another statement allows the `iam:PassRole` action for only those roles named in the following table. For more information, see [Creating roles and attaching policies (console)](access_policies_job-functions_create-policies.md) later in this topic.
| Use case | Role name (\$1 is a wildcard) | Service role type to select | AWS managed policy to select |
| --- | --- | --- | --- |
| Allow Amazon EC2 instances access to services and resources suitable for clusters | [EMR-EC2\$1DefaultRole](https://docs.aws.amazon.com/emr/latest/DeveloperGuide/emr-iam-roles-defaultroles.html) | Amazon EMR for EC2 | [AmazonElasticMapReduceforEC2Role](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role) |
| Allow Amazon EMR access to access the Amazon EC2 service and resources for clusters | [EMR\$1DefaultRole](https://docs.aws.amazon.com/emr/latest/DeveloperGuide/emr-iam-roles-defaultroles.html) | Amazon EMR | [AmazonEMRServicePolicy\$1v2](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AmazonEMRServicePolicy_v2) |
| Allow Kinesis Managed Service for Apache Flink to access streaming data sources | [kinesis-\$1](https://aws.amazon.com/blogs/big-data/a-zero-administration-amazon-redshift-database-loader) | Create a role with a trust policy as defined in the [AWS Big Data Blog](https://aws.amazon.com/blogs/big-data/a-zero-administration-amazon-redshift-database-loader). | See the [AWS Big Data Blog](https://aws.amazon.com/blogs/big-data/a-zero-administration-amazon-redshift-database-loader), which outlines four possible options depending on your use case |
| Allow AWS Data Pipeline to access your AWS resources | [DataPipelineDefaultRole](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-roles.html) | Create a role with a trust policy as defined in the [AWS Data Pipeline Developer Guide](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-roles.html) | The AWS Data Pipeline documentation lists the required permissions for this use case. See [IAM roles for AWS Data Pipeline](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-roles.html) |
| Allow your applications running on Amazon EC2 instances to access your AWS resources | [DataPipelineDefaultResourceRole](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-roles.html) | Create a role with a trust policy as defined in the [AWS Data Pipeline Developer Guide](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-roles.html) | [AmazonEC2RoleforDataPipelineRole](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforDataPipelineRole) |
## Developer power user job function
**AWS managed policy name:** [PowerUserAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/PowerUserAccess)
**Use case:** This user performs application development tasks and can create and configure resources and services that support AWS aware application development.
**Policy updates:** AWS maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the **Policy versions** tab. For more information about job function policy updates, see [Updates to AWS managed policies for job functions](#security-iam-awsmanpol-jobfunction-updates).
**Policy description:** The first statement of this policy uses the [`NotAction`](reference_policies_elements_notaction.md) element to allow all actions for all AWS services and for all resources except AWS Identity and Access Management, AWS Organizations, and AWS Account Management. The second statement grants IAM permissions to create a service-linked role. This is required by some services that must access resources in another service, such as an Amazon S3 bucket. It also grants AWS Organizations permissions to view information about the user's organization, including the management account email and organization limitations. Although this policy limits IAM, AWS Organizations, it allows the user to perform all IAM Identity Center actions if IAM Identity Center is enabled. It also grants Account Management permissions to view which AWS Regions are enabled or disabled for the account.
## Network administrator job function
**AWS managed policy name:** [NetworkAdministrator](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/NetworkAdministrator)
**Use case:** This user is tasked with setting up and maintaining AWS network resources.
**Policy updates:** AWS maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the **Policy versions** tab. For more information about job function policy updates, see [Updates to AWS managed policies for job functions](#security-iam-awsmanpol-jobfunction-updates).
**Policy description:** This policy grants permissions to create and maintain network resources in Auto Scaling, Amazon EC2, AWS Direct Connect, Route 53, Amazon CloudFront, Elastic Load Balancing, AWS Elastic Beanstalk, Amazon SNS, CloudWatch, CloudWatch Logs, Amazon S3, IAM, and Amazon Virtual Private Cloud. For more information about the managed policy, see [NetworkAdministrator](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/NetworkAdministrator.html) in *AWS Managed Policy Reference Guide*.
This job function requires the ability to pass roles to AWS services. The policy grants `iam:GetRole` and `iam:PassRole` for only those roles named in the following table. For more information, see [Creating roles and attaching policies (console)](access_policies_job-functions_create-policies.md) later in this topic.
| Use case | Role name (\$1 is a wildcard) | Service role type to select | AWS managed policy to select |
| --- | --- | --- | --- |
| Allows Amazon VPC to create and manage logs in CloudWatch Logs on the user's behalf to monitor IP traffic going in and out of your VPC | [flow-logs-\$1](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-iam) | Create a role with a trust policy as defined in the [Amazon VPC User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-iam) | This use case does not have an existing AWS managed policy, but the documentation lists the required permissions. See [Amazon VPC User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-iam). |
## Read-only access
**AWS managed policy name:** [ReadOnlyAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/ReadOnlyAccess)
**Use case:** This user requires read-only access to every resource in an AWS account.
**Important**
This user will also have access to read data in storage services like Amazon S3 buckets and Amazon DynamoDB tables.
**Policy updates:** AWS maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the **Policy versions** tab. For more information about job function policy updates, see [Updates to AWS managed policies for job functions](#security-iam-awsmanpol-jobfunction-updates).
**Policy description:** This policy grants permissions to list, get, describe, and otherwise view resources and their attributes. It does not include mutating functions like create or delete. This policy does include read-only access to security-related AWS services, such as AWS Identity and Access Management and AWS Billing and Cost Management. View the policy for the full list of services and actions that this policy supports. For more information about the managed policy, see [ReadOnlyAccess](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/ReadOnlyAccess.html) in *AWS Managed Policy Reference Guide*. If you need a similar policy that does not grant access to read data in storage services, see [View-only user job function](#jf_view-only-user).
## MCP service actions full access
**AWS managed policy name:** [AWSMcpServiceActionsFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSMcpServiceActionsFullAccess)
**Use case:** This user requires access to AWS services using AWS MCP servers. This policy does not grant access to actions taken by an MCP service to other AWS services.
**Policy updates:** AWS maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the **Policy versions** tab. For more information about job function policy updates, see [Updates to AWS managed policies for job functions](#security-iam-awsmanpol-jobfunction-updates).
**Policy description:** This policy grants permissions to call any AWS MCP service action. You can use when you do not need to specify permissions per AWS MCP service. It does not grant permissions to actions taken by the MCP service to other AWS services, those permissions must always be granted separately and in addition to MCP service actions. For more information about the managed policy, see [AWSMcpServiceActionsFullAccess](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/AWSMcpServiceActionsFullAccess.html) in *AWS Managed Policy Reference Guide*.
## Security auditor job function
**AWS managed policy name:** [SecurityAudit](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/SecurityAudit)
**Use case:** This user monitors accounts for compliance with security requirements. This user can access logs and events to investigate potential security breaches or potential malicious activity.
**Policy updates:** AWS maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the **Policy versions** tab. For more information about job function policy updates, see [Updates to AWS managed policies for job functions](#security-iam-awsmanpol-jobfunction-updates).
**Policy description:** This policy grants permissions to view configuration data for many AWS services and to review their logs. For more information about the managed policy, see [SecurityAudit](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/SecurityAudit.html) in *AWS Managed Policy Reference Guide*.
## Support user job function
**AWS managed policy name:** [AWSSupportAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSSupportAccess)
**Use case:** This user contacts AWS Support, creates support cases, and views the status of existing cases.
**Policy updates:** AWS maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the **Policy versions** tab. For more information about job function policy updates, see [Updates to AWS managed policies for job functions](#security-iam-awsmanpol-jobfunction-updates).
**Policy description:** This policy grants permissions to create and update Support cases. For more information about the managed policy, see [AWSSupportAccess](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/AWSSupportAccess.html) in *AWS Managed Policy Reference Guide*.
## System administrator job function
**AWS managed policy name:** [SystemAdministrator](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/SystemAdministrator)
**Use case:** This user sets up and maintains resources for development operations.
**Policy updates:** AWS maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the **Policy versions** tab. For more information about job function policy updates, see [Updates to AWS managed policies for job functions](#security-iam-awsmanpol-jobfunction-updates).
**Policy description:** This policy grants permissions to create and maintain resources across a large variety of AWS services, including AWS CloudTrail, Amazon CloudWatch, AWS CodeCommit, AWS CodeDeploy, AWS Config, AWS Directory Service, Amazon EC2, AWS Identity and Access Management, AWS Key Management Service, AWS Lambda, Amazon RDS, Route 53, Amazon S3, Amazon SES, Amazon SQS, AWS Trusted Advisor, and Amazon VPC. For more information about the managed policy, see [SystemAdministrator](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/SystemAdministrator.html) in *AWS Managed Policy Reference Guide*.
This job function requires the ability to pass roles to AWS services. The policy grants `iam:GetRole` and `iam:PassRole` for only those roles named in the following table. For more information, see [Creating roles and attaching policies (console)](access_policies_job-functions_create-policies.md) later in this topic. For more information about job function policy updates, see [Updates to AWS managed policies for job functions](#security-iam-awsmanpol-jobfunction-updates).
| Use case | Role name (\$1 is a wildcard) | Service role type to select | AWS managed policy to select |
| --- | --- | --- | --- |
| Allow apps running in EC2 instances in an Amazon ECS cluster to access Amazon ECS | [ecr-sysadmin-\$1](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html) | Amazon EC2 Role for EC2 Container Service | [AmazonEC2ContainerServiceforEC2Role](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role) |
| Allow a user to monitor databases | [rds-monitoring-role](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html) | Amazon RDS Role for Enhanced Monitoring | [AmazonRDSEnhancedMonitoringRole](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole) |
| Allow apps running in EC2 instances to access AWS resources. | [ec2-sysadmin-\$1](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) | Amazon EC2 | Sample policy for role that grants access to an S3 bucket as shown in the [Amazon EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html); customize as needed |
| Allow Lambda to read DynamoDB streams and write to CloudWatch Logs | [lambda-sysadmin-\$1](https://docs.aws.amazon.com/lambda/latest/dg/with-ddb.html) | AWS Lambda | [AWSLambdaDynamoDBExecutionRole](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole) |
## View-only user job function
**AWS managed policy name:** [ViewOnlyAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/ViewOnlyAccess)
**Use case:** This user can view a list of AWS resources and basic metadata in the account across services. The user cannot read resource content or metadata that goes beyond the quota and list information for resources.
**Policy updates:** AWS maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the **Policy versions** tab. For more information about job function policy updates, see [Updates to AWS managed policies for job functions](#security-iam-awsmanpol-jobfunction-updates).
**Policy description:** This policy grants `List*`, `Describe*`, `Get*`, `View*`, and `Lookup*` access to resources for AWS services. To see what actions this policy includes for each service, see [ViewOnlyAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/ViewOnlyAccess). For more information about the managed policy, see [ViewOnlyAccess](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/ViewOnlyAccess.html) in *AWS Managed Policy Reference Guide*.
## Updates to AWS managed policies for job functions
These policies are all maintained by AWS and are kept up to date to include support for new services and new capabilities as they are added by AWS services. These policies cannot be modified by customers. You can make a copy of the policy and then modify the copy, but that copy is not automatically updated as AWS introduces new services and API operations.
For a job function policy, you can view the version history and the time and date of each update in the IAM console. To do this, use the links on this page to view the policy details. Then choose the **Policy versions** tab to view the versions. This page shows the last 25 versions of a policy. To view all of the versions for a policy, call the [get-policy-version](https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy-version.html) AWS CLI command or the [GetPolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicyVersion.html) API operation.
**Note**
You can have up to five versions of a customer managed policy, but AWS retains the full version history of AWS managed policies.
# Creating roles and attaching policies (console)
Several of the previously listed policies grant the ability to configure AWS services with roles that enable those services to perform operations on your behalf. The job function policies either specify exact role names that you must use or at least include a prefix that specifies the first part of the name that can be used. To create one of these roles, perform the steps in the following procedure.
**To create a role for an AWS service (IAM console)**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane of the IAM console, choose **Roles**, and then choose **Create role**.
1. For **Trusted entity type**, choose **AWS service**.
1. For **Service or use case**, choose a service, and then choose the use case. Use cases are defined by the service to include the trust policy that the service requires.
1. Choose **Next**.
1. For **Permissions policies**, the options depend on the use case that you selected:
+ If the service defines the permissions for the role, you can't select permissions policies.
+ Select from a limited set of permission polices.
+ Select from all permission policies.
+ Select no permissions policies, create the policies after the role is created, and then attach the policies to the role.
1. (Optional) Set a [permissions boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html). This is an advanced feature that is available for service roles, but not service-linked roles.
1. Open the **Set permissions boundary** section, and then choose **Use a permissions boundary to control the maximum role permissions**.
IAM includes a list of the AWS managed and customer-managed policies in your account.
1. Select the policy to use for the permissions boundary.
1. Choose **Next**.
1. For **Role name**, the options depend on the service:
+ If the service defines the role name, you can't edit the role name.
+ If the service defines a prefix for the role name, you can enter an optional suffix.
+ If the service doesn't define the role name, you can name the role.
**Important**
When you name a role, note the following:
Role names must be unique within your AWS account, and can't be made unique by case.
For example, don't create roles named both **PRODROLE** and **prodrole**. When a role name is used in a policy or as part of an ARN, the role name is case sensitive, however when a role name appears to customers in the console, such as during the sign-in process, the role name is case insensitive.
You can't edit the name of the role after it's created because other entities might reference the role.
1. (Optional) For **Description**, enter a description for the role.
1. (Optional) To edit the use cases and permissions for the role, in the **Step 1: Select trusted entities** or **Step 2: Add permissions** sections, choose **Edit**.
1. (Optional) To help identify, organize, or search for the role, add tags as key-value pairs. For more information about using tags in IAM, see [Tags for AWS Identity and Access Management resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.
1. Review the role, and then choose **Create role**.
## Example 1: Configuring a user as a database administrator (console)
This example shows the steps required to configure Alice, an IAM user, as a [Database Administrator](access_policies_job-functions.md#jf_database-administrator). You use the information in first row of the table in that section and allow the user to enable Amazon RDS monitoring. You attach the [DatabaseAdministrator](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/DatabaseAdministrator) policy to Alice's IAM user so that they can manage the Amazon database services. That policy also allows Alice to pass a role called `rds-monitoring-role` to the Amazon RDS service that allows the service to monitor the Amazon RDS databases on their behalf.
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. Choose **Policies**, type **database** in the search box, and then press enter.
1. Select the radio button for the **DatabaseAdministrator** policy, choose **Actions**, and then choose **Attach**.
1. In the list of entities, select **Alice** and then choose **Attach policy**. Alice now can administer AWS databases. However, to allow Alice to monitor those databases, you must configure the service role.
1. In the navigation pane of the IAM console, choose **Roles**, and then choose **Create role**.
1. Choose the **AWS Service** role type, and then choose **Amazon RDS**.
1. Choose the **Amazon RDS Role for Enhanced Monitoring** use case.
1. Amazon RDS defines the permissions for your role. Choose **Next: Review** to continue.
1. The role name must be one of those specified by the DatabaseAdministrator policy that Alice now has. One of those is **rds-monitoring-role**. Enter that for the **Role name**.
1. (Optional) For **Role description**, enter a description for the new role.
1. After you review the details, choose **Create role**.
1. Alice can now enable **RDS Enhanced Monitoring** in the **Monitoring** section of the Amazon RDS console. For example, they might do this when they create a DB instance, create a read replica, or modify a DB instance. They must enter the role name they created (rds-monitoring-role) in the **Monitoring Role** box when they set **Enable Enhanced Monitoring** to **Yes**.
## Example 2: Configuring a user as a network administrator (console)
This example shows the steps required to configure Jorge, an IAM user, as a [Network Administrator](access_policies_job-functions.md#jf_network-administrator). It uses the information in the table in that section to allow Jorge to monitor IP traffic going to and from a VPC. It also allows Jorge to capture that information in the logs in CloudWatch Logs. You attach the [NetworkAdministrator](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/NetworkAdministrator) policy to Jorge's IAM user so that they can configure AWS network resources. That policy also allows Jorge to pass a role whose name begins with `flow-logs*` to Amazon EC2 when you create a flow log. In this scenario, unlike Example 1, there isn't a predefined service role type, so you must perform a few steps differently.
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies** and then enter **network** in the search box, and then press enter.
1. Select the radio button next to **NetworkAdministrator** policy, choose **Actions**, and then choose **Attach**.
1. In the list of users, select the checkbox next to **Jorge** and then choose **Attach policy**. Jorge can now administer AWS network resources. However, to enable monitoring of IP traffic in your VPC, you must configure the service role.
1. Because the service role you need to create doesn't have a predefined managed policy, you must first create it. In the navigation pane, choose **Policies**, then choose **Create policy**.
1. In the **Policy editor** section, choose the **JSON** option and copy the text from the following JSON policy document. Paste this text into the **JSON** text box.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
```
------
1. Resolve any security warnings, errors, or general warnings generated during [policy validation](access_policies_policy-validator.md), and then choose **Next**.
**Note**
You can switch between the **Visual** and **JSON** editor options any time. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).
1. On the **Review and create** page, type **vpc-flow-logs-policy-for-service-role** for the policy name. Review the **Permissions defined in this policy** to see the permissions granted by your policy, and then choose **Create policy** to save your work.
The new policy appears in the list of managed policies and is ready to attach.
1. In the navigation pane of the IAM console, choose **Roles**, and then choose **Create role**.
1. Choose the **AWS Service** role type, and then choose **Amazon EC2**.
1. Choose the **Amazon EC2** use case.
1. On the **Attach permissions policies** page, choose the policy you created earlier, **vpc-flow-logs-policy-for-service-role**, and then choose **Next: Review**.
1. The role name must be permitted by the NetworkAdministrator policy that Jorge now has. Any name that begins with `flow-logs-` is allowed. For this example, enter **flow-logs-for-jorge** for the **Role name**.
1. (Optional) For **Role description**, enter a description for the new role.
1. After you review the details, choose **Create role**.
1. Now you can configure the trust policy required for this scenario. On the **Roles** page, choose the **flow-logs-for-jorge** role (the name, not the checkbox). On the details page for your new role, choose the **Trust relationships** tab, and then choose **Edit trust relationship**.
1. Change the "Service" line to read as follows, replacing the entry for `ec2.amazonaws.com`:
```
"Service": "vpc-flow-logs.amazonaws.com"
```
1. Jorge can now create flow logs for a VPC or subnet in the Amazon EC2 console. When you create the flow log, specify the **flow-logs-for-jorge** role. That role has the permissions to create the log and write data to it.
# AWS global condition context keys
When a [principal](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html?icmpid=docs_homepage_addtlrcs#principal) makes a [request](intro-structure.md#intro-structure-request) to AWS, AWS gathers the request information into a [request context](intro-structure.md#intro-structure-request). You can use the `Condition` element of a JSON policy to compare keys in the request context with key values that you specify in your policy. Request information is provided by different sources, including the principal making the request, the resource the request is made against, and the metadata about the request itself.
**Global condition keys** can be used across all AWS services. While these condition keys can be used in all policies, the key is not available in every request context. For example, the `aws:SourceAccount` condition key is only available when the call to your resource is made directly by an [AWS service principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services). To learn more about the circumstances under which a global key is included in the request context, see the **Availability** information for each key.
Some individual services create their own condition keys that are available in the request context for other services. **Cross-service condition keys** are a type of global condition key that include a prefix matching the name of the service, such as `ec2:` or `lambda:`, but are available across other services.
**Service-specific condition keys** are defined for use with an individual AWS service. For example, Amazon S3 lets you write a policy with the `s3:VersionId` condition key to limit access to a specific version of an Amazon S3 object. This condition key is unique to the service, meaning it only works with requests to the Amazon S3 service. For condition keys that are service-specific, see [Actions, Resources, and Condition Keys for AWS Services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) and choose the service whose keys you want to view.
**Note**
If you use condition keys that are available only in some circumstances, you can use the [IfExists](reference_policies_elements_condition_operators.md#Conditions_IfExists) versions of the condition operators. If the condition keys are missing from a request context, the policy can fail the evaluation. For example, use the following condition block with `...IfExists` operators to match when a request comes from a specific IP range or from a specific VPC. If either or both keys are not included in the request context, the condition still returns `true`. The values are only checked if the specified key is included in the request context. For more information about how a policy is evaluated when a key is not present for other operators, see [ Condition operators](reference_policies_elements_condition_operators.md).
```
"Condition": {
"IpAddressIfExists": {"aws:SourceIp" : ["xxx"] },
"StringEqualsIfExists" : {"aws:SourceVpc" : ["yyy"]}
}
```
**Important**
To compare your condition against a request context with multiple key values, you must use the `ForAllValues` or `ForAnyValue` set operators. Use set operators only with multivalued condition keys. Do not use set operators with single-valued condition keys. For more information, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
| Properties of the principal | Properties of a role session | Properties of the network | Properties of the resource | Properties of the request |
| --- | --- | --- | --- | --- |
| `aws:PrincipalArn` `aws:PrincipalAccount` `aws:PrincipalOrgPaths` `aws:PrincipalOrgID` `aws:PrincipalTag/*tag-key*` `aws:PrincipalIsAWSService` `aws:PrincipalServiceName` `aws:PrincipalServiceNamesList` `aws:PrincipalType` `aws:userid` `aws:username` | `aws:AssumedRoot` `aws:FederatedProvider` `aws:TokenIssueTime` `aws:MultiFactorAuthAge` `aws:MultiFactorAuthPresent` `aws:ChatbotSourceArn` `aws:Ec2InstanceSourceVpc` `aws:Ec2InstanceSourcePrivateIPv4` `aws:SourceIdentity` `ec2:RoleDelivery` `ec2:SourceInstanceArn` `glue:RoleAssumedBy` `glue:CredentialIssuingService` `codebuild:BuildArn` `codebuild:ProjectArn` `lambda:SourceFunctionArn` `ssm:SourceInstanceArn` `identitystore:UserId` | `aws:SourceIp` `aws:SourceVpc` `aws:SourceVpcArn` `aws:SourceVpce` `aws:VpceAccount` `aws:VpceOrgID` `aws:VpceOrgPaths` `aws:VpcSourceIp` | `aws:ResourceAccount` `aws:ResourceOrgID` `aws:ResourceOrgPaths` `aws:ResourceTag/*tag-key*` | `aws:CalledVia` `aws:CalledViaFirst` `aws:CalledViaLast` `aws:CalledViaAWSMCP` `aws:ViaAWSService` `aws:ViaAWSMCPService` `aws:CurrentTime` `aws:EpochTime` `aws:referer` `aws:RequestedRegion` `aws:RequestTag/*tag-key*` `aws:TagKeys` `aws:SecureTransport` `aws:SourceAccount` `aws:SourceArn` `aws:SourceOrgID` `aws:SourceOrgPaths` `aws:UserAgent` `aws:IsMcpServiceAction` |
## Sensitive condition keys
The following condition keys are considered sensitive. The use of wildcards in these condition keys does not have any valid use cases, even with a substring of the key value with a wildcard. This is because the wildcard may match the condition key to any value, which could pose a security risk.
+ `aws:PrincipalAccount`
+ `aws:PrincipalOrgID`
+ `aws:ResourceAccount`
+ `aws:ResourceOrgID`
+ `aws:SourceAccount`
+ `aws:SourceOrgID`
+ `aws:SourceVpc`
+ `aws:SourceVpce`
+ `aws:VpceAccount`
+ `aws:VpceOrgID`
## Properties of the principal
Use the following condition keys to compare details about the principal making the request with the principal properties that you specify in the policy. For a list of principals that can make requests, see [How to specify a principal](reference_policies_elements_principal.md#Principal_specifying).
### aws:PrincipalArn
Use this key to compare the [Amazon Resource Name](reference_identifiers.md#identifiers-arns) (ARN) of the principal that made the request with the ARN that you specify in the policy. For IAM roles, the request context returns the ARN of the role, not the ARN of the user that assumed the role.
+ **Availability** – This key is included in the request context for all signed requests. Anonymous requests do not include this key. You can specify the following types of principals in this condition key:
+ IAM role
+ IAM user
+ AWS STS federated user principal
+ AWS account root user
+ **Data type** – ARN
AWS recommends that you use [ARN operators](reference_policies_elements_condition_operators.md#Conditions_ARN) instead of [string operators](reference_policies_elements_condition_operators.md#Conditions_String) when comparing ARNs.
+ **Value type** – Single-valued
+ **Example values** The following list shows the request context value returned for different types of principals that you can specify in the `aws:PrincipalArn` condition key:
+ **IAM role** – The request context contains the following value for condition key `aws:PrincipalArn`. Do not specify the assumed role session ARN as a value for this condition key. For more information about the assumed role session principal, see [Role session principals](reference_policies_elements_principal.md#principal-role-session).
```
arn:aws:iam::123456789012:role/role-name
```
+ **IAM user** – The request context contains the following value for condition key `aws:PrincipalArn`.
```
arn:aws:iam::123456789012:user/user-name
```
+ **AWS STS federated user principals** – The request context contains the following value for condition key `aws:PrincipalArn`.
```
arn:aws:sts::123456789012:federated-user/user-name
```
+ **AWS account root user** – The request context contains the following value for condition key `aws:PrincipalArn`. When you specify the root user ARN as the value for the `aws:PrincipalArn` condition key, it limits permissions only for the root user of the AWS account. This is different from specifying the root user ARN in the principal element of a resource-based policy, which delegates authority to the AWS account. For more information about specifying the root user ARN in the principal element of a resource-based policy, see [AWS account principals](reference_policies_elements_principal.md#principal-accounts).
```
arn:aws:iam::123456789012:root
```
You can specify the root user ARN as a value for condition key `aws:PrincipalArn` in AWS Organizations service control policies (SCPs). SCPs are a type of organization policy used to manage permissions in your organization and affect only member accounts in the organization. An SCP restricts permissions for IAM users and roles in member accounts, including the member account's root user. For more information about the effect of SCPs on permissions, see [SCP effects on permissions](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-effects-on-permissions) in the *AWS Organizations User Guide*.
### aws:PrincipalAccount
Use this key to compare the account to which the requesting principal belongs with the account identifier that you specify in the policy. For anonymous requests, the request context returns `anonymous`.
+ **Availability** – This key is included in the request context for all requests, including anonymous requests.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
In the following example, access is denied except to principals with the account number `123456789012`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DenyAccessFromPrincipalNotInSpecificAccount",
"Action": "service:*",
"Effect": "Deny",
"Resource": [
"arn:aws:service:us-east-1:111122223333:resource"
],
"Condition": {
"StringNotEquals": {
"aws:PrincipalAccount": [
"123456789012"
]
}
}
}
]
}
```
------
### aws:PrincipalOrgPaths
Use this key to compare the AWS Organizations path for the principal who is making the request to the path in the policy. That principal can be an IAM user, IAM role, AWS STS federated user principal, or AWS account root user. In a policy, this condition key ensures that the requester is an account member within the specified organization root or organizational units (OUs) in AWS Organizations. An AWS Organizations path is a text representation of the structure of an AWS Organizations entity. For more information about using and understanding paths, see [Understand the AWS Organizations entity path](access_policies_last-accessed-view-data-orgs.md#access_policies_last-accessed-viewing-orgs-entity-path).
+ **Availability** – This key is included in the request context only if the principal is a member of an organization. Anonymous requests do not include this key.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String) (list)
+ **Value type** – Multivalued
**Note**
Organization IDs are globally unique but OU IDs and root IDs are unique only within an organization. This means that no two organizations share the same organization ID. However, another organization might have an OU or root with the same ID as yours. We recommend that you always include the organization ID when you specify an OU or root.
For example, the following condition returns `true` for principals in accounts that are attached directly to the `ou-ab12-22222222` OU, but not in its child OUs.
```
"Condition" : { "ForAnyValue:StringEquals" : {
"aws:PrincipalOrgPaths":["o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/"]
}}
```
The following condition returns `true` for principals in an account that is attached directly to the OU or any of its child OUs. When you include a wildcard, you must use the `StringLike` condition operator.
```
"Condition" : { "ForAnyValue:StringLike" : {
"aws:PrincipalOrgPaths":["o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/*"]
}}
```
The following condition returns `true` for principals in an account that is attached directly to any of the child OUs, but not directly to the parent OU. The previous condition is for the OU or any children. The following condition is for only the children (and any children of those children).
```
"Condition" : { "ForAnyValue:StringLike" : {
"aws:PrincipalOrgPaths":["o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/ou-*"]
}}
```
The following condition allows access for every principal in the `o-a1b2c3d4e5` organization, regardless of their parent OU.
```
"Condition" : { "ForAnyValue:StringLike" : {
"aws:PrincipalOrgPaths":["o-a1b2c3d4e5/*"]
}}
```
`aws:PrincipalOrgPaths` is a multivalued condition key. Multivalued keys can have multiple values in the request context. When you use multiple values with the `ForAnyValue` condition operator, the principal's path must match one of the paths listed in the policy. For more information about multivalued condition keys, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
```
"Condition": {
"ForAnyValue:StringLike": {
"aws:PrincipalOrgPaths": [
"o-a1b2c3d4e5/r-ab12/ou-ab12-33333333/*",
"o-a1b2c3d4e5/r-ab12/ou-ab12-22222222/*"
]
}
}
```
### aws:PrincipalOrgID
Use this key to compare the identifier of the organization in AWS Organizations to which the requesting principal belongs with the identifier specified in the policy.
+ **Availability** – This key is included in the request context only if the principal is a member of an organization. Anonymous requests do not include this key.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
This global key provides an alternative to listing all the account IDs for all AWS accounts in an organization. You can use this condition key to simplify specifying the `Principal` element in a [resource-based policy](access_policies_identity-vs-resource.md). You can specify the [organization ID](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_details.html) in the condition element. When you add and remove accounts, policies that include the `aws:PrincipalOrgID` key automatically include the correct accounts and don't require manual updating.
For example, the following Amazon S3 bucket policy allows members of any account in the `o-xxxxxxxxxxx` organization to add an object into the `amzn-s3-demo-bucket` bucket.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Sid": "AllowPutObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
"Condition": {"StringEquals":
{"aws:PrincipalOrgID":"o-xxxxxxxxxxx"}
}
}
}
```
------
**Note**
This global condition also applies to the management account of an AWS organization. This policy prevents all principals outside of the specified organization from accessing the Amazon S3 bucket. This includes any AWS services that interact with your internal resources, such as AWS CloudTrail sending log data to your Amazon S3 buckets. To learn how you can safely grant access for AWS services, see [aws:PrincipalIsAWSService](#condition-keys-principalisawsservice).
For more information about AWS Organizations, see [What Is AWS Organizations?](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) in the *AWS Organizations User Guide*.
### aws:PrincipalTag/*tag-key*
Use this key to compare the tag attached to the principal making the request with the tag that you specify in the policy. If the principal has more than one tag attached, the request context includes one `aws:PrincipalTag` key for each attached tag key.
+ **Availability** – This key is included in the request context if the principal is using an IAM user with attached tags. It is included for a principal using an IAM role with attached tags or [session tags](id_session-tags.md). Anonymous requests do not include this key.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
You can add custom attributes to a user or role in the form of a key-value pair. For more information about IAM tags, see [Tags for AWS Identity and Access Management resources](id_tags.md). You can use `aws:PrincipalTag` to [control access](access_iam-tags.md#access_iam-tags_control-principals) for AWS principals.
This example shows how you might create an identity-based policy that allows users with the **department=hr** tag to manage IAM users, groups, or roles. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:Get*",
"iam:List*",
"iam:Generate*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/department": "hr"
}
}
}
]
}
```
------
### aws:PrincipalIsAWSService
Use this key to check whether the call to your resource is being made directly by an AWS [service principal](reference_policies_elements_principal.md#principal-services). For example, AWS CloudTrail uses the service principal `cloudtrail.amazonaws.com` to write logs to your Amazon S3 bucket. The request context key is set to true when a service uses a service principal to perform a direct action on your resources. The context key is set to false if the service uses the credentials of an IAM principal to make a request on the principal's behalf. It is also set to false if the service uses a [service role or service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) to make a call on the principal's behalf.
+ **Availability** – This key is present in the request context for all signed API requests that use AWS credentials. Anonymous requests do not include this key.
+ **Data type** – [Boolean](reference_policies_elements_condition_operators.md#Conditions_Boolean)
+ **Value type** – Single-valued
You can use this condition key to limit access to your trusted identities and expected network locations while safely granting access to AWS services.
In the following Amazon S3 bucket policy example, access to the bucket is restricted unless the request originates from `vpc-111bbb22` or is from a service principal, such as CloudTrail.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ExpectedNetworkServicePrincipal",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket1/AWSLogs/AccountNumber/*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:SourceVpc": "vpc-111bbb22"
},
"BoolIfExists": {
"aws:PrincipalIsAWSService": "false"
}
}
}
]
}
```
------
In the following video, learn more about how you might use the `aws:PrincipalIsAWSService` condition key in a policy.
[](http://www.youtube.com/watch?v=https://www.youtube.com/embed/gv-_H8a42G4)
### aws:PrincipalServiceName
Use this key to compare the [service principal](reference_policies_elements_principal.md#principal-services) name in the policy with the service principal that is making requests to your resources. You can use this key to check whether this call is made by a specific service principal. When a service principal makes a direct request to your resource, the `aws:PrincipalServiceName` key contains the name of the service principal. For example, the AWS CloudTrail service principal name is `cloudtrail.amazonaws.com`.
+ **Availability** – This key is present in the request when the call is made by an AWS service principal. This key is not present in any other situation, including the following:
+ If the service uses a [service role or service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) to make a call on the principal's behalf.
+ If the service uses the credentials of an IAM principal to make a request on the principal's behalf.
+ If the call is made directly by an IAM principal.
+ If the call is made by an anonymous requester.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
You can use this condition key to limit access to your trusted identities and expected network locations while safely granting access to an AWS service.
In the following Amazon S3 bucket policy example, access to the bucket is restricted unless the request originates from `vpc-111bbb22` or is from a service principal, such as CloudTrail.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ExpectedNetworkServicePrincipal",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket1/AWSLogs/AccountNumber/*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:SourceVpc": "vpc-111bbb22",
"aws:PrincipalServiceName": "cloudtrail.amazonaws.com"
}
}
}
]
}
```
------
### aws:PrincipalServiceNamesList
This key provides a list of all [service principal](reference_policies_elements_principal.md#principal-services) names that belong to the service. This is an advanced condition key. You can use it to restrict the service from accessing your resource from a specific Region only. Some services may create Regional service principals to indicate a particular instance of the service within a specific Region. You can limit access to a resource to a particular instance of the service. When a service principal makes a direct request to your resource, the `aws:PrincipalServiceNamesList` contains an unordered list of all service principal names associated with the Regional instance of the service.
+ **Availability** – This key is present in the request when the call is made by an AWS service principal. This key is not present in any other situation, including the following:
+ If the service uses a [service role or service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) to make a call on the principal's behalf.
+ If the service uses the credentials of an IAM principal to make a request on the principal's behalf.
+ If the call is made directly by an IAM principal.
+ If the call is made by an anonymous requester.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String) (list)
+ **Value type** – Multivalued
`aws:PrincipalServiceNamesList` is a multivalued condition key. Multivalued keys can have multiple values in the request context. You must use the `ForAnyValue` or `ForAllValues` set operators with [string condition operators](reference_policies_elements_condition_operators.md#Conditions_String) for this key. For more information about multivalued condition keys, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
### aws:PrincipalType
Use this key to compare the type of principal making the request with the principal type that you specify in the policy. For more information, see [How to specify a principal](reference_policies_elements_principal.md#Principal_specifying). For specific examples of `principal` key values, see [Principal key values](reference_policies_variables.md#principaltable).
+ **Availability** – This key is included in the request context for all requests, including anonymous requests.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
### aws:userid
Use this key to compare the requester's principal identifier with the ID that you specify in the policy. For IAM users, the request context value is the user ID. For IAM roles, this value format can vary. For details about how the information appears for different principals, see [How to specify a principal](reference_policies_elements_principal.md#Principal_specifying). For specific examples of `principal` key values, see [Principal key values](reference_policies_variables.md#principaltable).
+ **Availability** – This key is included in the request context for all requests, including anonymous requests.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
### aws:username
Use this key to compare the requester's user name with the user name that you specify in the policy. For details about how the information appears for different principals, see [How to specify a principal](reference_policies_elements_principal.md#Principal_specifying). For specific examples of `principal` key values, see [Principal key values](reference_policies_variables.md#principaltable).
+ **Availability** – This key is always included in the request context for IAM users. Anonymous requests and requests that are made using the AWS account root user or IAM roles do not include this key. Requests made using IAM Identity Center credentials do not include this key in the context.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
## Properties of a role session
Use the following condition keys to compare properties of the role session at the time the session was generated. These condition keys are only available when a request is made by a principal with role session or federated user principal credentials. The values for these condition keys are embedded in the role’s session token.
A [role](reference_policies_elements_principal.md#principal-roles) is a type of principal. You can also use the condition keys from the [Properties of the principal](#condition-keys-principal-properties) section to evaluate the properties of a role when a role is making a request.
### aws:AssumedRoot
Use this key to check whether the request was made using [AssumeRoot](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html). `AssumeRoot` returns short term credentials for a privileged root user session you can use to take privileged actions on member accounts in your organization. For more information, see [Centrally manage root access for member accounts](id_root-user.md#id_root-user-access-management).
+ **Availability** – This key is included in the request context only when the principal uses credentials from [AssumeRoot](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html) to make the request.
+ **Data type** – [Boolean](reference_policies_elements_condition_operators.md#Conditions_Boolean)
+ **Value type** – Single-valued
In the following example, when used as a service control policy, denies the usage of the long term credentials of a root user in an AWS Organizations member account. The policy does not deny `AssumeRoot` sessions from taking the actions allowed by an `AssumeRoot` session.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Deny",
"Action":"*",
"Resource": "*",
"Condition":{
"ArnLike":{
"aws:PrincipalArn":[
"arn:aws:iam::*:root"
]
},
"Null":{
"aws:AssumedRoot":"true"
}
}
}
]
}
```
------
### aws:FederatedProvider
Use this key to compare the principal's issuing identity provider (IdP) with the IdP that you specify in the policy. This means that an IAM role assumed using the [https://docs.aws.amazon.com//STS/latest/APIReference/API_AssumeRoleWithWebIdentity](https://docs.aws.amazon.com//STS/latest/APIReference/API_AssumeRoleWithWebIdentity) AWS STS operation. When the resulting role session's temporary credentials are used to make a request, the request context identifies the IdP that authenticated the original federated identity.
+ **Availability** – This key is present in the role-session of a role that was assumed using OpenID Connect (OIDC) provider, and in the role-trust policy when an OIDC provider is used to call `AssumeRoleWithWebIdentity`.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)\$1
+ **Value type** – Single-valued
\$1 The data type depends on your IdP:
+ If you're using a built-in AWS IdP, like [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html), the key value will be a **string**. The key value may look like: `cognito-identity.amazonaws.com`.
+ If you're using an IdP that is not built-in to AWS, like [https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) or [Amazon EKS](https://docs.aws.amazon.com//eks/latest/userguide/associate-service-account-role.html), the key value will be **ARN**. The key value may look like: `arn:aws:iam::111122223333:oidc-provider/oidc.eks.region.amazonaws.com/id/OIDC_Provider_ID`.
For more information on external IdPs and `AssumeRoleWithWebIdentity`, see [Common scenarios](id_federation_common_scenarios.md). For more information, see [Role session principals](reference_policies_elements_principal.md#principal-role-session).
### aws:TokenIssueTime
Use this key to compare the date and time that temporary security credentials were issued with the date and time that you specify in the policy.
+ **Availability** – This key is included in the request context only when the principal uses temporary credentials to make the request. The key is not present in AWS CLI, AWS API, or AWS SDK requests that are made using access keys.
+ **Data type** – [Date](reference_policies_elements_condition_operators.md#Conditions_Date)
+ **Value type** – Single-valued
To learn which services support using temporary credentials, see [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md).
### aws:MultiFactorAuthAge
Use this key to compare the number of seconds since the requesting principal was authorized using MFA with the number that you specify in the policy. For more information about MFA, see [AWS Multi-factor authentication in IAM](id_credentials_mfa.md).
**Important**
This condition key is not present for federated identities or requests made using access keys to sign AWS CLI, AWS API, or AWS SDK requests. To learn more about adding MFA protection to API operations with temporary security credentials, see [Secure API access with MFA](id_credentials_mfa_configure-api-require.md).
To check whether MFA is used to validate IAM federated identities, you can pass the authentication method from your identity provider to AWS as a session tag. For details, see [Pass session tags in AWS STS](id_session-tags.md). To enforce MFA for IAM Identity Center identities, you can [ enable attributes for access control](https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac.html) to pass a SAML assertion claim with the authentication method from your identity provider to IAM Identity Center.
+ **Availability** – This key is included in the request context only when the principal uses [temporary security credentials](id_credentials_temp.md) to make the request. Policies with MFA conditions can be attached to:
+ An IAM user or group
+ A resource such as an Amazon S3 bucket, Amazon SQS queue, or Amazon SNS topic
+ The trust policy of an IAM role that can be assumed by a user
+ **Data type** – [Numeric](reference_policies_elements_condition_operators.md#Conditions_Numeric)
+ **Value type** – Single-valued
### aws:MultiFactorAuthPresent
Use this key to check whether multi-factor authentication (MFA) was used to validate the [temporary security credentials](id_credentials_temp.md) that made the request.
**Important**
This condition key is not present for federated identities or requests made using access keys to sign AWS CLI, AWS API, or AWS SDK requests. To learn more about adding MFA protection to API operations with temporary security credentials, see [Secure API access with MFA](id_credentials_mfa_configure-api-require.md).
To check whether MFA is used to validate IAM federated identities, you can pass the authentication method from your identity provider to AWS as a session tag. For details, see [Pass session tags in AWS STS](id_session-tags.md). To enforce MFA for IAM Identity Center identities, you can [ enable attributes for access control](https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac.html) to pass a SAML assertion claim with the authentication method from your identity provider to IAM Identity Center.
+ **Availability** – This key is included in the request context only when the principal uses temporary credentials to make the request. Policies with MFA conditions can be attached to:
+ An IAM user or group
+ A resource such as an Amazon S3 bucket, Amazon SQS queue, or Amazon SNS topic
+ The trust policy of an IAM role that can be assumed by a user
+ **Data type** – [Boolean](reference_policies_elements_condition_operators.md#Conditions_Boolean)
+ **Value type** – Single-valued
Temporary credentials are used to authenticate IAM roles and IAM users with temporary tokens from [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetSessionToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html), and users of the AWS Management Console.
IAM user access keys are long-term credentials, but in some cases, AWS creates temporary credentials on behalf of IAM users to perform operations. In these cases, the `aws:MultiFactorAuthPresent` key is present in the request and set to a value of `false`. There are two common cases where this can happen:
+ IAM users in the AWS Management Console unknowingly use temporary credentials. Users sign into the console using their user name and password, which are long-term credentials. However, in the background, the console generates temporary credentials on behalf of the user.
+ If an IAM user makes a call to an AWS service, the service re-uses the user's credentials to make another request to a different service. For example, when calling Athena to access an Amazon S3 bucket, or when using CloudFormation to create an Amazon EC2 instance. For the subsequent request, AWS uses temporary credentials.
To learn which services support using temporary credentials, see [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md).
The `aws:MultiFactorAuthPresent` key is not present when an API or CLI command is called with long-term credentials, such as user access key pairs. Therefore we recommend that when you check for this key that you use the `...IfExists` versions of the condition operators.
It is important to understand that the following `Condition` element is ***not*** a reliable way to check whether a request is authenticated using MFA.
```
##### WARNING: NOT RECOMMENDED #####
"Effect" : "Deny",
"Condition" : { "Bool" : { "aws:MultiFactorAuthPresent" : "false" } }
```
This combination of the `Deny` effect, `Bool` element, and `false` value denies requests that can be authenticated using MFA, but were not. This applies only to temporary credentials that support using MFA. This statement does not deny access to requests that are made using long-term credentials, or to requests that are authenticated using MFA. Use this example with caution because its logic is complicated and it does not test whether MFA-authentication was actually used.
Also do not use the combination of the `Deny` effect, `Null` element, and `true` because it behaves the same way and the logic is even more complicated.
**Recommended Combination**
We recommend that you use the [`BoolIfExists`](reference_policies_elements_condition_operators.md#Conditions_IfExists) operator to check whether a request is authenticated using MFA.
```
"Effect" : "Deny",
"Condition" : { "BoolIfExists" : { "aws:MultiFactorAuthPresent" : "false" } }
```
This combination of `Deny`, `BoolIfExists`, and `false` denies requests that are not authenticated using MFA. Specifically, it denies requests from temporary credentials that do not include MFA. It also denies requests that are made using long-term credentials, such as AWS CLI or AWS API operations made using access keys. The `*IfExists` operator checks for the presence of the `aws:MultiFactorAuthPresent` key and whether or not it could be present, as indicated by its existence. Use this when you want to deny any request that is not authenticated using MFA. This is more secure, but can break any code or scripts that use access keys to access the AWS CLI or AWS API.
**Alternative Combinations**
You can also use the [`BoolIfExists`](reference_policies_elements_condition_operators.md#Conditions_IfExists) operator to allow MFA-authenticated requests and AWS CLI or AWS API requests that are made using long-term credentials.
```
"Effect" : "Allow",
"Condition" : { "BoolIfExists" : { "aws:MultiFactorAuthPresent" : "true" } }
```
This condition matches either if the key exists and is present **or** if the key does not exist. This combination of `Allow`, `BoolIfExists`, and `true` allows requests that are authenticated using MFA, or requests that cannot be authenticated using MFA. This means that AWS CLI, AWS API, and AWS SDK operations are allowed when the requester uses their long-term access keys. This combination does not allow requests from temporary credentials that could, but do not include MFA.
When you create a policy using the IAM console visual editor and choose **MFA required**, this combination is applied. This setting requires MFA for console access, but allows programmatic access with no MFA.
Alternatively, you can use the `Bool` operator to allow programmatic and console requests only when authenticated using MFA.
```
"Effect" : "Allow",
"Condition" : { "Bool" : { "aws:MultiFactorAuthPresent" : "true" } }
```
This combination of the `Allow`, `Bool`, and `true` allows only MFA-authenticated requests. This applies only to temporary credentials that support using MFA. This statement does not allow access to requests that were made using long-term access keys, or to requests made using temporary credentials without MFA.
***Do not*** use a policy construct similar to the following to check whether the MFA key is present:
```
##### WARNING: USE WITH CAUTION #####
"Effect" : "Allow",
"Condition" : { "Null" : { "aws:MultiFactorAuthPresent" : "false" } }
```
This combination of the `Allow` effect, `Null` element, and `false` value allows only requests that can be authenticated using MFA, regardless of whether the request is actually authenticated. This allows all requests that are made using temporary credentials, and denies access for long-term credentials. Use this example with caution because it does not test whether MFA-authentication was actually used.
### aws:ChatbotSourceArn
Use this key to compare the source chat configuration ARN set by the principal to the chat configuration ARN you specify in the policy of the IAM role associated with your channel configuration. You can authorize requests based on the assume role session initiated by Amazon Q Developer in chat applications.
+ **Availability** – This key is included in the request context by the Amazon Q Developer in chat applications service whenever a role session is assumed. The key value is the chat configuration ARN, such as when you [run an AWS CLI command from a chat channel](https://docs.aws.amazon.com/chatbot/latest/adminguide/chatbot-cli-commands.html).
+ **Data type** – [ARN](reference_policies_elements_condition_operators.md#Conditions_ARN)
+ **Value type** – Single-valued
+ **Example value** – `arn:aws::chatbot::123456789021:chat-configuration/slack-channel/private_channel`
The following policy denies Amazon S3 put requests on the specified bucket for all requests originating from a Slack channel.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ExampleS3Deny",
"Effect": "Deny",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
"Condition": {
"ArnLike": {
"aws:ChatbotSourceArn": "arn:aws:chatbot::*:chat-configuration/slack-channel/*"
}
}
}
]
}
```
------
### aws:Ec2InstanceSourceVpc
This key identifies the VPC to which Amazon EC2 IAM role credentials were delivered to. You can use this key in a policy with the [`aws:SourceVPC`](#condition-keys-sourcevpc) global key to check if a call is made from a VPC (`aws:SourceVPC`) that matches the VPC where a credential was delivered to (`aws:Ec2InstanceSourceVpc`).
+ **Availability** – This key is included in the request context whenever the requester is signing requests with an Amazon EC2 role credential. It can be used in IAM policies, service control policies, VPC endpoint policies, and resource policies.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
This key can be used with VPC identifier values, but is most useful when used as a variable combined with the `aws:SourceVpc` context key. The `aws:SourceVpc` context key is included in the request context only if the requester uses a VPC endpoint to make the request. Using `aws:Ec2InstanceSourceVpc` with `aws:SourceVpc` allows you to use `aws:Ec2InstanceSourceVpc` more broadly since it compares values that typically change together.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "RequireSameVPC",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:SourceVpc": "${aws:Ec2InstanceSourceVpc}"
},
"Null": {
"ec2:SourceInstanceARN": "false"
},
"BoolIfExists": {
"aws:ViaAWSService": "false"
}
}
}
]
}
```
------
In the example above, access is denied if the `aws:SourceVpc` value isn’t equal to the `aws:Ec2InstanceSourceVpc` value. The policy statement is limited to only roles used as Amazon EC2 instance roles by testing for the existence of the `ec2:SourceInstanceARN` condition key.
The policy uses `aws:ViaAWSService` to allow AWS to authorize requests when requests are made on behalf of your Amazon EC2 instance roles. For example, when you make a request from an Amazon EC2 instance to an encrypted Amazon S3 bucket, Amazon S3 makes a call to AWS KMS on your behalf. Some of the keys are not present when the request is made to AWS KMS.
### aws:Ec2InstanceSourcePrivateIPv4
This key identifies the private IPv4 address of the primary elastic network interface to which Amazon EC2 IAM role credentials were delivered. You must use this condition key with its companion key `aws:Ec2InstanceSourceVpc` to ensure that you have a globally unique combination of VPC ID and source private IP. Use this key with `aws:Ec2InstanceSourceVpc` to ensure that a request was made from the same private IP address that the credentials were delivered to.
+ **Availability** – This key is included in the request context whenever the requester is signing requests with an Amazon EC2 role credential. It can be used in IAM policies, service control policies, VPC endpoint policies, and resource policies.
+ **Data type** – [IP address](reference_policies_elements_condition_operators.md#Conditions_IPAddress)
+ **Value type** – Single-valued
**Important**
This key should not be used alone in an `Allow` statement. Private IP addresses are by definition not globally unique. You should use the `aws:Ec2InstanceSourceVpc` key every time you use the `aws:Ec2InstanceSourcePrivateIPv4` key to specify the VPC your Amazon EC2 instance credentials can be used from.
The following example is a service control policy (SCP) that denies access to all resources unless the request arrives via a VPC Endpoint in the same VPC as the as the role credentials. In this example, `aws:Ec2InstanceSourcePrivateIPv4` limits the credential source to a particular instance based on the source IP.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:Ec2InstanceSourceVpc": "${aws:SourceVpc}"
},
"Null": {
"ec2:SourceInstanceARN": "false"
},
"BoolIfExists": {
"aws:ViaAWSService": "false"
}
}
},
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:Ec2InstanceSourcePrivateIPv4": "${aws:VpcSourceIp}"
},
"Null": {
"ec2:SourceInstanceARN": "false"
},
"BoolIfExists": {
"aws:ViaAWSService": "false"
}
}
}
]
}
```
------
### aws:SourceIdentity
Use this key to compare the source identity that was set by the principal with the source identity that you specify in the policy.
+ **Availability** – This key is included in the request context after a source identity has been set when a role is assumed using any AWS STS assume-role CLI command, or AWS STS `AssumeRole` API operation.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
You can use this key in a policy to allow actions in AWS by principals that have set a source identity when assuming a role. Activity for the role's specified source identity appears in [AWS CloudTrail](cloudtrail-integration.md#cloudtrail-integration_signin-tempcreds). This makes it easier for administrators to determine who or what performed actions with a role in AWS.
Unlike [`sts:RoleSessionName`](reference_policies_iam-condition-keys.md#ck_rolesessionname), after the source identity is set, the value cannot be changed. It is present in the request context for all actions taken by the role. The value persists into subsequent role sessions when you use the session credentials to assume another role. Assuming one role from another is called [role chaining](id_roles.md#iam-term-role-chaining).
The [`sts:SourceIdentity`](reference_policies_iam-condition-keys.md#ck_sourceidentity) key is present in the request when the principal initially sets a source identity while assuming a role using any AWS STS assume-role CLI command, or AWS STS `AssumeRole` API operation. The `aws:SourceIdentity` key is present in the request for any actions that are taken with a role session that has a source identity set.
The following role trust policy for `CriticalRole` in account `111122223333` contains a condition for `aws:SourceIdentity` that prevents a principal without a source identity that is set to Saanvi or Diego from assuming the role.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AssumeRoleIfSourceIdentity",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::123456789012:role/CriticalRole"},
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity"
],
"Condition": {
"StringLike": {
"aws:SourceIdentity": ["Saanvi","Diego"]
}
}
}
]
}
```
------
To learn more about using source identity information, see [Monitor and control actions taken with assumed roles](id_credentials_temp_control-access_monitor.md).
### ec2:RoleDelivery
Use this key to compare the version of the instance metadata service in the signed request with the IAM role credentials for Amazon EC2. The instance metadata service distinguishes between IMDSv1 and IMDSv2 requests based on whether, for any given request, either the `PUT` or `GET` headers, which are unique to IMDSv2, are present in that request.
+ **Availability** – This key is included in the request context whenever the role session is created by an Amazon EC2 instance.
+ **Data type** – [Numeric](reference_policies_elements_condition_operators.md#Conditions_Numeric)
+ **Value type** – Single-valued
+ **Example values** – 1.0, 2.0
You can configure the Instance Metadata Service (IMDS) on each instance so that local code or users must use IMDSv2. When you specify that IMDSv2 must be used, IMDSv1 no longer works.
+ Instance Metadata Service Version 1 (IMDSv1) – A request/response method
+ Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method
For information about how to configure your instance to use IMDSv2, see [Configure the instance metadata options](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html).
In the following example, access is denied if the ec2:RoleDelivery value in the request context is 1.0 (IMDSv1). This policy statement can be applied generally because, if the request is not signed by Amazon EC2 role credentials, it has no effect.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "RequireAllEc2RolesToUseV2",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NumericLessThan": {
"ec2:RoleDelivery": "2.0"
}
}
}
]
}
```
------
For more information, see [Example policies for working with instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-instance-metadata).
### ec2:SourceInstanceArn
Use this key to compare the ARN of the instance from which the role’s session was generated.
+ **Availability** – This key is included in the request context whenever the role session is created by an Amazon EC2 instance.
+ **Data type** – [ARN](reference_policies_elements_condition_operators.md#Conditions_ARN)
+ **Value type** – Single-valued
+ **Example value** – arn:aws:ec2:us-west-2:111111111111:instance/instance-id
For policy examples, see [Allow a specific instance to view resources in other AWS services](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-source-instance).
### glue:RoleAssumedBy
The AWS Glue service sets this condition key for each AWS API request where AWS Glue makes a request using a service role on the customer's behalf (not by a job or developer endpoint, but directly by the AWS Glue service). Use this key to verify whether a call to an AWS resource came from the AWS Glue service.
+ **Availability** – This key is included in the request context when AWS Glue makes a request using a service role on the customer's behalf.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
+ **Example value** – This key is always set to `glue.amazonaws.com`.
The following example adds a condition to allow the AWS Glue service to get an object from an Amazon S3 bucket.
```
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
"Condition": {
"StringEquals": {
"glue:RoleAssumedBy": "glue.amazonaws.com"
}
}
}
```
### glue:CredentialIssuingService
The AWS Glue service sets this key for each AWS API request using a service role that comes from a job or developer endpoint. Use this key to verify whether a call to an AWS resource came from an AWS Glue job or developer endpoint.
+ **Availability** – This key is included in the request context when AWS Glue makes a request that comes from a job or developer endpoint.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
+ **Example value** – This key is always set to `glue.amazonaws.com`.
The following example adds a condition that is attached to an IAM role that is used by an AWS Glue job. This ensures certain actions are allowed/denied based on whether the role session is used for an AWS Glue job runtime environment.
```
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
"Condition": {
"StringEquals": {
"glue:CredentialIssuingService": "glue.amazonaws.com"
}
}
}
```
### codebuild:BuildArn
This key identifies the CodeBuild build ARN that IAM role credentials were delivered to. Use this key to verify whether a call to an AWS resource came from a specific CodeBuild build.
**Note**
The full value of `codebuild:BuildArn` is not known in advance because it contains the dynamically generated build ID.
+ **Availability** – This key is included in the request context whenever a request is made by a role assumed by CodeBuild.
+ **Data type** – [ARN](reference_policies_elements_condition_operators.md#Conditions_ARN)
+ **Value type** – Single-valued
+ **Example value** – arn:aws:codebuild:us-east-1:123456789012:build/MyBuildProject:12345678-1234-1234-1234-123456789012
The following example allows a specific CodeBuild build to have `s3:GetObject` access to the specified bucket.
```
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
"Condition": {
"ArnLike": {
"codebuild:BuildArn": "arn:aws:codebuild:us-east-1:123456789012:build/MyBuildProject:*"
}
}
}
```
### codebuild:ProjectArn
This key identifies the CodeBuild project ARN that IAM role credentials were delivered to an CodeBuild build. Use this key to verify whether a call to an AWS resource came from a specific CodeBuild project.
+ **Availability** – This key is included in the request context whenever a request is made by a role assumed by CodeBuild.
+ **Data type** – [ARN](reference_policies_elements_condition_operators.md#Conditions_ARN)
+ **Value type** – Single-valued
+ **Example value** – arn:aws:codebuild:us-east-1:123456789012:project/MyBuildProject
The following example allows any build from a specific CodeBuild project to have `s3:GetObject` access to the specified bucket.
```
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
"Condition": {
"ArnEquals": {
"codebuild:ProjectArn": "arn:aws:codebuild:us-east-1:123456789012:project/MyBuildProject"
}
}
}
```
### lambda:SourceFunctionArn
Use this key to identify the Lambda function ARN that IAM role credentials were delivered to. The Lambda service sets this key for each AWS API request that comes from your function's execution environment. Use this key to verify whether a call to an AWS resource came from a specific Lambda function’s code. Lambda also sets this key for some requests that come from outside the execution environment, such as writing logs to CloudWatch and sending traces to X-Ray.
+ **Availability** – This key is included in the request context whenever Lambda function code is invoked.
+ **Data type** – [ARN](reference_policies_elements_condition_operators.md#Conditions_ARN)
+ **Value type** – Single-valued
+ **Example value** – arn:aws:lambda:us-east-1:123456789012:function:TestFunction
The following example allows one specific Lambda function to have `s3:PutObject` access the specified bucket.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ExampleSourceFunctionArn",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
"Condition": {
"ArnEquals": {
"lambda:SourceFunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:source_lambda"
}
}
}
]
}
```
------
For more information, see [Working with Lambda execution environment credentials](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html#permissions-executionrole-source-function-arn) in the *AWS Lambda Developer Guide*.
### ssm:SourceInstanceArn
Use this key to identify the AWS Systems Manager managed instance ARN that IAM role credentials were delivered to. This condition key is not present when the request comes from a managed instance with an IAM role associated with an Amazon EC2 instance profile.
+ **Availability** – This key is included in the request context whenever role credentials are delivered to an AWS Systems Manager managed instance.
+ **Data type** – [ARN](reference_policies_elements_condition_operators.md#Conditions_ARN)
+ **Value type** – Single-valued
+ **Example value** – arn:aws:ec2:us-west-2:111111111111:instance/instance-id
### identitystore:UserId
Use this key to compare IAM Identity Center workforce identity in the signed request with the identity specified in the policy.
+ **Availability** – This key is included when the caller of the request is a user in IAM Identity Center.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
+ **Example value** – 94482488-3041-7026-18f3-be45837cd0e4
You can find the UserId of a user in IAM Identity Center by making a request to the [GetUserId](https://docs.aws.amazon.com//singlesignon/latest/IdentityStoreAPIReference/API_GetUserId.html) API using the AWS CLI, AWS API, or AWS SDK.
## Properties of the network
Use the following condition keys to compare details about the network that the request originated from or passed through with the network properties that you specify in the policy.
### aws:SourceIp
Use this key to compare the requester's IP address with the IP address that you specify in the policy. The `aws:SourceIp` condition key can only be used for public IP address ranges.
+ **Availability** – This key is included in the request context, except when the requester uses a VPC endpoint to make the request.
+ **Data type** – [IP address](reference_policies_elements_condition_operators.md#Conditions_IPAddress)
+ **Value type** – Single-valued
The `aws:SourceIp` condition key can be used in a policy to allow principals to make requests only from within a specified IP range.
**Note**
`aws:SourceIp` supports both IPv4 and IPv6 address or range of IP addresses. For a list of AWS services that support IPv6, see [AWS services that support IPv6](https://docs.aws.amazon.com/vpc/latest/userguide/aws-ipv6-support.html) in the *Amazon VPC User Guide*.
For example, you can attach the following identity-based policy to an IAM role. This policy allows the user to put objects into the `amzn-s3-demo-bucket3` Amazon S3 bucket if they make the call from the specified IPv4 address range. This policy also allows an AWS service that uses [Forward access sessions](access_forward_access_sessions.md) to perform this operation on your behalf.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "PrincipalPutObjectIfIpAddress",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket3/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
}
}
}
]
}
```
------
If you need to restrict access from networks that support both IPv4 and IPv6 addressing, you can include the IPv4 and IPv6 address or ranges of IP addresses in the IAM policy condition. The following identity-based policy will allow the user to put objects into the `amzn-s3-demo-bucket3` Amazon S3 bucket if the user makes the call from either specified IPv4 or IPv6 address ranges. Before you include IPv6 address ranges in your IAM policy, verify that the AWS service you are working with supports IPv6. For a list of AWS services that support IPv6, see [AWS services that support IPv6](https://docs.aws.amazon.com/vpc/latest/userguide/aws-ipv6-support.html) in the *Amazon VPC User Guide*.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "PrincipalPutObjectIfIpAddress",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket3/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"203.0.113.0/24",
"2001:DB8:1234:5678::/64"
]
}
}
}
]
}
```
------
If the request comes from a host that uses an Amazon VPC endpoint, then the `aws:SourceIp` key is not available. You should instead use a VPC-specific key such as [aws:VpcSourceIp](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-vpcsourceip). For more information about using VPC endpoints, see [Identity and access management for VPC endpoints and VPC endpoint services](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-iam.html) in the *AWS PrivateLink Guide*.
**Note**
When AWS services make calls to other AWS services on your behalf (service-to-service calls), certain network-specific authorization context is redacted. If your policy uses this condition key with `Deny` statements, AWS service principals might be unintentionally blocked. To allow AWS services to work properly while maintaining your security requirements, exclude service principals from your `Deny` statements by adding the `aws:PrincipalIsAWSService` condition key with a value of `false`.
### aws:SourceVpc
Use this key to check whether the request travels through the VPC that the VPC endpoint is attached to. In a policy, you can use this key to allow access to only a specific VPC. For more information, see [Restricting Access to a Specific VPC](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html#example-bucket-policies-restrict-access-vpc) in the *Amazon Simple Storage Service User Guide*.
+ **Availability** – This key is included in the request context only if the requester uses a VPC endpoint to make the request.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
In a policy, you can use this key to allow or restrict access to a specific VPC.
For example, you can attach the following identity-based policy to an IAM role to deny `PutObject` to the `amzn-s3-demo-bucket3` Amazon S3 bucket, unless the request is made from the specified VPC ID or by AWS services that use [forward access sessions (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) to make requests on behalf of the role. Unlike with [aws:SourceIp](#condition-keys-sourceip), you must use [aws:ViaAWSService](#condition-keys-viaawsservice) or [aws:CalledVia](#condition-keys-calledvia) to allow FAS requests, because the source VPC of the initial request is not preserved.
**Note**
This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "PutObjectIfNotVPCID",
"Effect": "Deny",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket3/*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:SourceVpc": "vpc-1234567890abcdef0"
},
"Bool": {
"aws:ViaAWSService": "false"
}
}
}
]
}
```
------
**Note**
AWS recommends to use `aws:SourceVpcArn` instead of `aws:SourceVpc` if `aws:SourceVpcArn` is supported by the service you are targeting. Please refer to [aws:SourceVpcArn](#condition-keys-sourcevpcarn) for the list of supported services.
### aws:SourceVpcArn
Use this key to verify the ARN of the VPC through which a request was made via a VPC endpoint. This key returns the ARN of the VPC to which the VPC endpoint is attached.
+ **Availability** – This key is included in the request context for supported services when a request is made through a VPC endpoint. The key is not included for requests made through public service endpoints. The following services support this key:
+ AWS App Runner (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html))
+ AWS Application Discovery Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationdiscoveryservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationdiscoveryservice.html))
+ Amazon Athena (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html))
+ AWS Cloud Map (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html))
+ Amazon CloudWatch Application Insights (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationinsights.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationinsights.html))
+ AWS CloudFormation (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html))
+ Amazon Comprehend Medical (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehendmedical.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehendmedical.html))
+ AWS Compute Optimizer (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomputeoptimizer.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomputeoptimizer.html))
+ Amazon; Elastic Container Registry (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html))
+ Amazon Elastic Container Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html))
+ Amazon Kinesis Analytics (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html))
+ Amazon Route 53 (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html))
+ AWS DataSync (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatasync.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatasync.html))
+ Amazon Elastic Block Store (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html))
+ Amazon EventBridge Scheduler (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgescheduler.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgescheduler.html))
+ Amazon Data Firehose (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html))
+ AWS HealthImaging (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html))
+ AWS HealthLake (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthlake.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthlake.html))
+ AWS HealthOmics (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthomics.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthomics.html))
+ AWS Identity and Access Management (except for the `iam:PassRole` action) (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html))
+ AWS IoT FleetWise (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html))
+ AWS IoT Wireless (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html))
+ AWS Key Management Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html))
+ AWS Lambda (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html))
+ AWS Payment Cryptography (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspaymentcryptography.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspaymentcryptography.html))
+ Amazon Polly (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpolly.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpolly.html))
+ AWS Private Certificate Authority (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecertificateauthority.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecertificateauthority.html))
+ AWS Recycle Bin (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrecyclebin.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrecyclebin.html))
+ Amazon Rekognition (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html))
+ Service Quotas (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html))
+ Amazon Simple Storage Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html))
+ AWS Storage Gateway (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstoragegateway.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstoragegateway.html))
+ AWS Systems Manager Incident Manager Contacts (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanagercontacts.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanagercontacts.html))
+ Amazon Textract (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html))
+ Amazon Transcribe (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranscribe.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranscribe.html))
+ AWS Transfer Family (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferfamily.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferfamily.html))
+ **Data type** – ARN
AWS recommends that you use [ARN operators](reference_policies_elements_condition_operators.md#Conditions_ARN) instead of [string operators](reference_policies_elements_condition_operators.md#Conditions_String) when comparing ARNs.
+ **Value type** – Single-valued
+ **Example value** – `arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0e9801d129EXAMPLE`
The following is an example of a bucket policy that denies access to `amzn-s3-demo-bucket` and its objects from anywhere outside VPC `vpc-1a2b3c4d`.
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Access-to-specific-VPC-only",
"Principal": "*",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::amzn-s3-demo-bucket",
"arn:aws:s3:::amzn-s3-demo-bucket/*"],
"Condition": {
"ArnNotEquals": {
"aws:SourceVpcArn": "arn:aws:ec2:us-east-1:*:vpc/vpc-1a2b3c4d"
}
}
}
]
}
```
### aws:SourceVpce
Use this key to compare the VPC endpoint identifier of the request with the endpoint ID that you specify in the policy.
+ **Availability** – This key is included in the request context only if the requester uses a VPC endpoint to make the request.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
In a policy, you can use this key to restrict access to a specific VPC endpoint. For more information, see [Restricting access to a specific VPC](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html#example-bucket-policies-restrict-access-vpc) in the *Amazon Simple Storage Service User Guide*. Similarly to using [aws:SourceVpc](#condition-keys-sourcevpc), you must use [aws:ViaAWSService](#condition-keys-viaawsservice) or [aws:CalledVia](#condition-keys-calledvia) to allow requests made by AWS services using [forward access sessions (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html). This is because the source VPC endpoint of the initial request is not preserved.
### aws:VpceAccount
Use this key to compare the AWS account ID that owns the VPC endpoint through which the request was made with the account ID that you specify in the policy. This condition key helps you establish network perimeter controls by ensuring requests come through VPC endpoints owned by specific accounts.
+ **Availability** – This key is included in the request context when a request is made through a VPC endpoint. The key is not included for requests made through public service endpoints.
The following services support this key:
+ AWS App Runner (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html))
+ AWS Application Discovery Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationdiscoveryservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationdiscoveryservice.html))
+ Amazon Athena (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html))
+ AWS Cloud Map (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html))
+ Amazon CloudWatch Application Insights (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationinsights.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationinsights.html))
+ AWS CloudFormation (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html))
+ Amazon Comprehend Medical (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehendmedical.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehendmedical.html))
+ AWS Compute Optimizer (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomputeoptimizer.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomputeoptimizer.html))
+ Amazon; Elastic Container Registry (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html))
+ Amazon Elastic Container Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html))
+ Amazon Kinesis Analytics (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html))
+ Amazon Route 53 (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html))
+ AWS DataSync (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatasync.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatasync.html))
+ Amazon Elastic Block Store (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html))
+ Amazon EventBridge Scheduler (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgescheduler.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgescheduler.html))
+ Amazon Data Firehose (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html))
+ AWS HealthImaging (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html))
+ AWS HealthLake (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthlake.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthlake.html))
+ AWS HealthOmics (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthomics.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthomics.html))
+ AWS Identity and Access Management (except for the `iam:PassRole` action) (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html))
+ AWS IoT FleetWise (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html))
+ AWS IoT Wireless (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html))
+ AWS Key Management Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html))
+ AWS Lambda (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html))
+ AWS Payment Cryptography (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspaymentcryptography.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspaymentcryptography.html))
+ Amazon Polly (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpolly.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpolly.html))
+ AWS Private Certificate Authority (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecertificateauthority.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecertificateauthority.html))
+ AWS Recycle Bin (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrecyclebin.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrecyclebin.html))
+ Amazon Rekognition (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html))
+ Service Quotas (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html))
+ Amazon Simple Storage Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html))
+ AWS Storage Gateway (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstoragegateway.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstoragegateway.html))
+ AWS Systems Manager Incident Manager Contacts (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanagercontacts.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanagercontacts.html))
+ Amazon Textract (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html))
+ Amazon Transcribe (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranscribe.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranscribe.html))
+ AWS Transfer Family (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferfamily.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferfamily.html))
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
+ **Example value** – `123456789012`
You can use this condition key to restrict access to resources so that requests must come through VPC endpoints owned by your account. The following Amazon S3 bucket policy example allows access when the request comes through a VPC endpoint owned by the specified account:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AccessToSpecificVpceAccountOnly",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/RoleName"
},
"Action": "s3:GetObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket1/*",
"Condition": {
"StringEquals": {
"aws:VpceAccount": "111122223333"
}
}
}
]
}
```
------
**Note**
This condition key is currently supported for a select set of AWS services. Using this key with unsupported services can lead to unintended authorization results. Always scope the condition key to supported services in your policies.
Some AWS services access your resources from their networks when they act on your behalf. If you use such services, you will need to edit the above policy example to allow AWS services access your resources from outside your network. For more information on access patterns that need to be accounted for when enforcing access controls based on the request origin, see [Establish permissions guardrails using data perimeters](access_policies_data-perimeters.md).
### aws:VpceOrgID
Use this key to compare the identifier of the organization in AWS Organizations that owns the VPC endpoint from which the request was made with the identifier that you specify in the policy. This condition key provides the most scalable approach to network perimeter controls, automatically including all VPC endpoints owned by accounts within your organization.
+ **Availability** – This key is included in the request context when a request is made through a VPC endpoint and the VPC endpoint owner account is a member of an AWS organization. The key is not included for requests made through other network paths or when the VPC endpoint owner account is not part of an organization.
The following services support this key:
+ AWS App Runner (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html))
+ AWS Application Discovery Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationdiscoveryservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationdiscoveryservice.html))
+ Amazon Athena (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html))
+ AWS B2B Data Interchange (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsb2bdatainterchange.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsb2bdatainterchange.html))
+ AWS Cloud Map (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html))
+ Amazon CloudWatch Application Insights (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationinsights.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationinsights.html))
+ AWS CloudFormation (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html))
+ Amazon Cognito (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitoidentity.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitoidentity.html))
+ Amazon Comprehend Medical (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehendmedical.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehendmedical.html))
+ AWS Compute Optimizer (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomputeoptimizer.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomputeoptimizer.html))
+ AWS Database Migration Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html))
+ AWS Directory Service Data (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectoryservicedata.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectoryservicedata.html))
+ Amazon; Elastic Container Registry (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html))
+ Amazon Elastic Container Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html))
+ Amazon Kinesis Analytics (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html))
+ Amazon Route 53 (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html))
+ AWS DataSync (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatasync.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatasync.html))
+ Amazon Elastic Block Store (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html))
+ Amazon EventBridge Scheduler (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgescheduler.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgescheduler.html))
+ Amazon Data Firehose (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html))
+ AWS HealthImaging (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html))
+ AWS HealthLake (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthlake.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthlake.html))
+ AWS HealthOmics (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthomics.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthomics.html))
+ AWS Identity and Access Management (except for the `iam:PassRole` action) (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html))
+ AWS Identity Store (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html))
+ AWS IoT FleetWise (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html))
+ AWS IoT TwinMaker (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiottwinmaker.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiottwinmaker.html))
+ AWS IoT Wireless (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html))
+ Amazon Keyspaces (for Apache Cassandra) (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkeyspacesforapachecassandra.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkeyspacesforapachecassandra.html))
+ AWS Key Management Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html))
+ AWS Lambda (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html))
+ AWS Network Firewall (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkfirewall.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkfirewall.html))
+ AWS Payment Cryptography (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspaymentcryptography.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspaymentcryptography.html))
+ Amazon Pinpoint SMS and Voice Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpointsmsandvoiceservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpointsmsandvoiceservice.html))
+ Amazon Polly (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpolly.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpolly.html))
+ AWS Price List (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspricelist.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspricelist.html))
+ AWS Private Certificate Authority (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecertificateauthority.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecertificateauthority.html))
+ AWS Recycle Bin (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrecyclebin.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrecyclebin.html))
+ Amazon Rekognition (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html))
+ Service Quotas (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html))
+ Amazon Simple Email Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html))
+ Amazon Simple Storage Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html))
+ Amazon Simple Queue Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html))
+ AWS Storage Gateway (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstoragegateway.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstoragegateway.html))
+ AWS Systems Manager Incident Manager Contacts (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanagercontacts.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanagercontacts.html))
+ Amazon Textract (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html))
+ Amazon Transcribe (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranscribe.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranscribe.html))
+ AWS Transfer Family (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferfamily.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferfamily.html))
+ Amazon WorkMail (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkmail.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkmail.html))
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
+ **Example values** – `o-a1b2c3d4e5`
The following resource control policy example denies access to your Amazon S3 and AWS Key Management Service resources unless the request comes through VPC endpoints owned by the specified organization or from networks of AWS services that act on your behalf. Some organizations may need to further edit this policy to meet the needs of their organization, for example, allow third-party partner access. For more information on access patterns that need to be accounted for when enforcing access controls based on the request origin, see [Establish permissions guardrails using data perimeters](access_policies_data-perimeters.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "EnforceNetworkPerimeterVpceOrgID",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:*",
"kms:*"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:PrincipalIsAWSService": "false",
"aws:ViaAWSService": "false"
},
"StringNotEqualsIfExists": {
"aws:VpceOrgID": "o-abcdef0123",
"aws:PrincipalTag/network-perimeter-exception": "true"
}
}
}
]
}
```
------
**Note**
This condition key is currently supported for a select set of AWS services. Using this key with unsupported services can lead to unintended authorization results. Always scope the condition key to supported services in your policies.
### aws:VpceOrgPaths
Use this key to compare the AWS Organizations path for the VPC endpoint from which the request was made with the path that you specify in the policy. This condition key enables you to implement network perimeter controls at the organizational unit (OU) level, automatically scaling with your VPC endpoint usage as you add new endpoints within the specified OUs.
+ **Availability** – This key is included in the request context when a request is made through a VPC endpoint and the VPC endpoint owner account is a member of an organization. The key is not included for requests made through other network paths or when the VPC endpoint owner account is not part of an organization.
The following services support this key:
+ AWS App Runner (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html))
+ AWS Application Discovery Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationdiscoveryservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationdiscoveryservice.html))
+ Amazon Athena (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html))
+ AWS Cloud Map (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html))
+ Amazon CloudWatch Application Insights (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationinsights.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationinsights.html))
+ AWS CloudFormation (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html))
+ Amazon Comprehend Medical (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehendmedical.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehendmedical.html))
+ AWS Compute Optimizer (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomputeoptimizer.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomputeoptimizer.html))
+ Amazon; Elastic Container Registry (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html))
+ Amazon Elastic Container Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html))
+ Amazon Kinesis Analytics (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html))
+ Amazon Route 53 (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html))
+ AWS DataSync (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatasync.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatasync.html))
+ Amazon Elastic Block Store (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html))
+ Amazon EventBridge Scheduler (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgescheduler.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgescheduler.html))
+ Amazon Data Firehose (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html))
+ AWS HealthImaging (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html))
+ AWS HealthLake (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthlake.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthlake.html))
+ AWS HealthOmics (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthomics.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthomics.html))
+ AWS Identity and Access Management (except for the `iam:PassRole` action) (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html))
+ AWS IoT FleetWise (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html))
+ AWS IoT Wireless (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html))
+ AWS Key Management Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html))
+ AWS Lambda (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html))
+ AWS Payment Cryptography (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspaymentcryptography.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspaymentcryptography.html))
+ Amazon Polly (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpolly.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpolly.html))
+ AWS Private Certificate Authority (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecertificateauthority.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecertificateauthority.html))
+ AWS Recycle Bin (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrecyclebin.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrecyclebin.html))
+ Amazon Rekognition (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html))
+ Service Quotas (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html))
+ Amazon Simple Storage Service (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html))
+ AWS Storage Gateway (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstoragegateway.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstoragegateway.html))
+ AWS Systems Manager Incident Manager Contacts (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanagercontacts.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanagercontacts.html))
+ Amazon Textract (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html))
+ Amazon Transcribe (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranscribe.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranscribe.html))
+ AWS Transfer Family (prefix: [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferfamily.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferfamily.html))
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String) (list)
+ **Value type** – Multivalued
+ **Example values** – `o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/`
Since `aws:VpceOrgPaths` is a multivalued condition key, you must use the `ForAnyValue` or `ForAllValues` set operators with [string condition operators](reference_policies_elements_condition_operators.md#Conditions_String) for this key. The following Amazon S3 bucket policy example allows access only when requests come through VPC endpoints owned by accounts in specific organizational units:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccessFromSpecificOrgPaths",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/RoleName"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket1/*",
"Condition": {
"ForAnyValue:StringLike": {
"aws:VpceOrgPaths": [
"o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/*",
"o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-33333333/*"
]
}
}
}
]
}
```
------
**Note**
This condition key is currently supported for a select set of AWS services. Using this key with unsupported services can lead to unintended authorization results. Always scope the condition key to supported services in your policies.
Some AWS services access your resources from their networks when they act on your behalf. If you use such services, you will need to edit the above policy example to allow AWS services access your resources from outside your network. For more information on access patterns that need to be accounted for when enforcing access controls based on the request origin, see [Establish permissions guardrails using data perimeters](access_policies_data-perimeters.md).
### aws:VpcSourceIp
Use this key to compare the IP address from which a request was made with the IP address that you specify in the policy. In a policy, the key matches only if the request originates from the specified IP address and it goes through a VPC endpoint.
+ **Availability** – This key is included in the request context only if the request is made using a VPC endpoint.
+ **Data type** – [IP address](reference_policies_elements_condition_operators.md#Conditions_IPAddress)
+ **Value type** – Single-valued
For more information, see [Control access to VPC endpoints using endpoint policies](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html) in the *Amazon VPC User Guide*. Similarly to using [aws:SourceVpc](#condition-keys-sourcevpc), you must use [aws:ViaAWSService](#condition-keys-viaawsservice) or [aws:CalledVia](#condition-keys-calledvia) to allow requests made by AWS services using [forward access sessions (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html). This is because the source IP of the initial request made using a VPC endpoint is not preserved in FAS requests.
**Note**
`aws:VpcSourceIp` supports both IPv4 and IPv6 address or range of IP addresses. For a list of AWS services that support IPv6, see [AWS services that support IPv6](https://docs.aws.amazon.com/vpc/latest/userguide/aws-ipv6-support.html) in the *Amazon VPC User Guide*.
Always use the `aws:VpcSourceIp` condition key with the `aws:SourceVpc`, `aws:SourceVpce`, or `aws:SourceVpcArn` condition keys. If you don't, a policy might permit API calls from an unexpected VPC that uses the same or overlapping IP CIDR. This can happen because IP CIDRs from two unrelated VPCs can be the same or overlap.
**Note**
When AWS services make calls to other AWS services on your behalf (service-to-service calls), certain network-specific authorization context is redacted. If your policy uses this condition key with `Deny` statements, AWS service principals might be unintentionally blocked. To allow AWS services to work properly while maintaining your security requirements, exclude service principals from your `Deny` statements by adding the `aws:PrincipalIsAWSService` condition key with a value of `false`.
## Properties of the resource
Use the following condition keys to compare details about the resource that is the target of the request with the resource properties that you specify in the policy.
### aws:ResourceAccount
Use this key to compare the requested resource owner's [AWS account ID](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html) with the resource account in the policy. You can then allow or deny access to that resource based on the account that owns the resource.
+ **Availability** – This key is always included in the request context for most service actions. The following actions don't support this key:
+ AWS Audit Manager
+ `auditmanager:UpdateAssessmentFrameworkShare`
+ Amazon Detective
+ `detective:AcceptInvitation`
+ AWS Directory Service
+ `ds:AcceptSharedDirectory`
+ Amazon Elastic Block Store – All actions
+ Amazon EC2
+ `ec2:AcceptTransitGatewayPeeringAttachment`
+ `ec2:AcceptVpcEndpointConnections`
+ `ec2:AcceptVpcPeeringConnection`
+ `ec2:CreateTransitGatewayPeeringAttachment`
+ `ec2:CreateVpcEndpoint`
+ `ec2:CreateVpcPeeringConnection`
+ Amazon EventBridge
+ `events:PutEvents` – EventBridge `PutEvents` calls on an event bus in another account, if that event bus was configured as a cross-account EventBridge target before March 2, 2023. For more information, see [Grant permissions to allow events from other AWS accounts](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html#eb-receiving-events-from-another-account) in the *Amazon EventBridge User Guide*.
+ Amazon GuardDuty
+ `guardduty:AcceptAdministratorInvitation`
+ Amazon Macie
+ `macie2:AcceptInvitation`
+ Amazon OpenSearch Service
+ `es:AcceptInboundConnection`
+ Amazon Route 53
+ `route53:AssociateVpcWithHostedZone`
+ `route53:CreateVPCAssociationAuthorization`
+ AWS Security Hub CSPM
+ `securityhub:AcceptAdministratorInvitation`
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
**Note**
For additional considerations for the above unsupported actions, see the [Data Perimeter Policy Examples](https://github.com/aws-samples/data-perimeter-policy-examples) repository.
This key is equal to the AWS account ID for the account with the resources evaluated in the request.
For most resources in your account, the [ARN](reference_policies_elements_condition_operators.md#Conditions_ARN) contains the owner account ID for that resource. For certain resources, such as Amazon S3 buckets, the resource ARN does not include the account ID. The following two examples show the difference between a resource with an account ID in the ARN, and an Amazon S3 ARN without an account ID:
+ `arn:aws:iam::123456789012:role/AWSExampleRole` – IAM role created and owned within the account 123456789012.
+ `arn:aws:s3:::amzn-s3-demo-bucket2` – Amazon S3 bucket created and owned within the account `111122223333`, not displayed in the ARN.
Use the AWS console, or API, or CLI, to find all of your resources and corresponding ARNs.
You write a policy that denies permissions to resources based on the resource owner's account ID. For example, the following identity-based policy denies access to the *specified resource* if the resource does not belong to the *specified account*.
To use this policy, replace the *italicized placeholder text* with your account information.
**Important**
This policy does not allow any actions. Instead, it uses the `Deny` effect which explicitly denies access to all of the resources listed in the statement that do not belong to the listed account. Use this policy in combination with other policies that allow access to specific resources.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DenyInteractionWithResourcesNotInSpecificAccount",
"Action": "service:*",
"Effect": "Deny",
"Resource": [
"arn:aws:service:us-east-1:111122223333:*"
],
"Condition": {
"StringNotEquals": {
"aws:ResourceAccount": [
"111122223333"
]
}
}
}
]
}
```
------
This policy denies access to all resources for a specific AWS service unless the specified AWS account owns the resource.
**Note**
Some AWS services require access to AWS owned resources that are hosted in another AWS account. Using `aws:ResourceAccount` in your identity-based policies might impact your identity's ability to access these resources.
Certain AWS services, such as AWS Data Exchange, rely on access to resources outside of your AWS accounts for normal operations. If you use the element `aws:ResourceAccount` in your policies, include additional statements to create exemptions for those services. The example policy [AWS: Deny access to Amazon S3 resources outside your account except AWS Data Exchange](reference_policies_examples_resource_account_data_exch.md) demonstrates how to deny access based on the resource account while defining exceptions for service-owned resources.
Use this policy example as a template for creating your own custom policies. Refer to your service [documentation](https://docs.aws.amazon.com/index.html) for more information.
### aws:ResourceOrgPaths
Use this key to compare the AWS Organizations path for the accessed resource to the path in the policy. In a policy, this condition key ensures that the resource belongs to an account member within the specified organization root or organizational units (OUs) in AWS Organizations. An AWS Organizations path is a text representation of the structure of an Organizations entity. For more information about using and understanding paths, see [Understand the AWS Organizations entity path](access_policies_last-accessed-view-data-orgs.md#access_policies_last-accessed-viewing-orgs-entity-path)
+ **Availability** – This key is included in the request context only if the account that owns the resource is a member of an organization. This global condition key does not support the following actions:
+ AWS Audit Manager
+ `auditmanager:UpdateAssessmentFrameworkShare`
+ Amazon Detective
+ `detective:AcceptInvitation`
+ AWS Directory Service
+ `ds:AcceptSharedDirectory`
+ Amazon Elastic Block Store – All actions
+ Amazon EC2
+ `ec2:AcceptTransitGatewayPeeringAttachment`
+ `ec2:AcceptVpcEndpointConnections`
+ `ec2:AcceptVpcPeeringConnection`
+ `ec2:CreateTransitGatewayPeeringAttachment`
+ `ec2:CreateVpcEndpoint`
+ `ec2:CreateVpcPeeringConnection`
+ Amazon EventBridge
+ `events:PutEvents` – EventBridge `PutEvents` calls on an event bus in another account, if that event bus was configured as a cross-account EventBridge target before March 2, 2023. For more information, see [Grant permissions to allow events from other AWS accounts](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html#eb-receiving-events-from-another-account) in the *Amazon EventBridge User Guide*.
+ Amazon GuardDuty
+ `guardduty:AcceptAdministratorInvitation`
+ Amazon Macie
+ `macie2:AcceptInvitation`
+ Amazon OpenSearch Service
+ `es:AcceptInboundConnection`
+ Amazon Route 53
+ `route53:AssociateVpcWithHostedZone`
+ `route53:CreateVPCAssociationAuthorization`
+ AWS Security Hub CSPM
+ `securityhub:AcceptAdministratorInvitation`
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String) (list)
+ **Value type** – Multivalued
**Note**
For additional considerations for the above unsupported actions, see the [Data Perimeter Policy Examples](https://github.com/aws-samples/data-perimeter-policy-examples) repository.
`aws:ResourceOrgPaths` is a multivalued condition key. Multivalued keys can have multiple values in the request context. You must use the `ForAnyValue` or `ForAllValues` set operators with [string condition operators](reference_policies_elements_condition_operators.md#Conditions_String) for this key. For more information about multivalued condition keys, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
For example, the following condition returns `True` for resources that belong to the organization `o-a1b2c3d4e5`. When you include a wildcard, you must use the [StringLike](reference_policies_elements_condition_operators.md) condition operator.
```
"Condition": {
"ForAnyValue:StringLike": {
"aws:ResourceOrgPaths":["o-a1b2c3d4e5/*"]
}
}
```
The following condition returns `True` for resources with the OU ID `ou-ab12-11111111`. It will match resources owned by accounts attached to the OU ou-ab12-11111111 or any of the child OUs.
```
"Condition": { "ForAnyValue:StringLike" : {
"aws:ResourceOrgPaths":["o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/*"]
}}
```
The following condition returns `True` for resources owned by accounts attached directly to the OU ID `ou-ab12-22222222`, but not the child OUs. The following example uses the [StringEquals](reference_policies_elements_condition_operators.md) condition operator to specify the exact match requirement for the OU ID and not a wildcard match.
```
"Condition": { "ForAnyValue:StringEquals" : {
"aws:ResourceOrgPaths":["o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/"]
}}
```
**Note**
Some AWS services require access to AWS owned resources that are hosted in another AWS account. Using `aws:ResourceOrgPaths` in your identity-based policies might impact your identity's ability to access these resources.
Certain AWS services, such as AWS Data Exchange, rely on access to resources outside of your AWS accounts for normal operations. If you use the `aws:ResourceOrgPaths` key in your policies, include additional statements to create exemptions for those services. The example policy [AWS: Deny access to Amazon S3 resources outside your account except AWS Data Exchange](reference_policies_examples_resource_account_data_exch.md) demonstrates how to deny access based on the resource account while defining exceptions for service-owned resources. You can create a similar policy to restrict access to resources within an organizational unit (OU) using the `aws:ResourceOrgPaths` key, while accounting for service-owned resources.
Use this policy example as a template for creating your own custom policies. Refer to your service [documentation](https://docs.aws.amazon.com/index.html) for more information.
### aws:ResourceOrgID
Use this key to compare the identifier of the organization in AWS Organizations to which the requested resource belongs with the identifier specified in the policy.
+ **Availability** – This key is included in the request context only if the account that owns the resource is a member of an organization. This global condition key does not support the following actions:
+ AWS Audit Manager
+ `auditmanager:UpdateAssessmentFrameworkShare`
+ Amazon Detective
+ `detective:AcceptInvitation`
+ AWS Directory Service
+ `ds:AcceptSharedDirectory`
+ Amazon Elastic Block Store – All actions
+ Amazon EC2
+ `ec2:AcceptTransitGatewayPeeringAttachment`
+ `ec2:AcceptVpcEndpointConnections`
+ `ec2:AcceptVpcPeeringConnection`
+ `ec2:CreateTransitGatewayPeeringAttachment`
+ `ec2:CreateVpcEndpoint`
+ `ec2:CreateVpcPeeringConnection`
+ Amazon EventBridge
+ `events:PutEvents` – EventBridge `PutEvents` calls on an event bus in another account, if that event bus was configured as a cross-account EventBridge target before March 2, 2023. For more information, see [Grant permissions to allow events from other AWS accounts](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html#eb-receiving-events-from-another-account) in the *Amazon EventBridge User Guide*.
+ Amazon GuardDuty
+ `guardduty:AcceptAdministratorInvitation`
+ Amazon Macie
+ `macie2:AcceptInvitation`
+ Amazon OpenSearch Service
+ `es:AcceptInboundConnection`
+ Amazon Route 53
+ `route53:AssociateVpcWithHostedZone`
+ `route53:CreateVPCAssociationAuthorization`
+ AWS Security Hub CSPM
+ `securityhub:AcceptAdministratorInvitation`
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
**Note**
For additional considerations for the above unsupported actions, see the [Data Perimeter Policy Examples](https://github.com/aws-samples/data-perimeter-policy-examples) repository.
This global key returns the resource organization ID for a given request. It allows you to create rules that apply to all resources in an organization that are specified in the `Resource` element of an [identity-based policy](access_policies_identity-vs-resource.md). You can specify the [organization ID](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_details.html) in the condition element. When you add and remove accounts, policies that include the `aws:ResourceOrgID` key automatically include the correct accounts and you don't have to manually update it.
For example, the following policy prevents the principal from adding objects to the `policy-genius-dev` resource unless the Amazon S3 resource belongs to the same organization as the principal making the request.
**Important**
This policy does not allow any actions. Instead, it uses the `Deny` effect which explicitly denies access to all of the resources listed in the statement that do not belong to the listed account. Use this policy in combination with other policies that allow access to specific resources.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Sid": "DenyPutObjectToS3ResourcesOutsideMyOrganization",
"Effect": "Deny",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::policy-genius-dev/*",
"Condition": {
"StringNotEquals": {
"aws:ResourceOrgID": "${aws:PrincipalOrgID}"
}
}
}
}
```
------
**Note**
Some AWS services require access to AWS owned resources that are hosted in another AWS account. Using `aws:ResourceOrgID` in your identity-based policies might impact your identity's ability to access these resources.
Certain AWS services, such as AWS Data Exchange, rely on access to resources outside of your AWS accounts for normal operations. If you use the `aws:ResourceOrgID` key in your policies, include additional statements to create exemptions for those services. The example policy [AWS: Deny access to Amazon S3 resources outside your account except AWS Data Exchange](reference_policies_examples_resource_account_data_exch.md) demonstrates how to deny access based on the resource account while defining exceptions for service-owned resources. You can create a similar policy to restrict access to resources within your organization using the `aws:ResourceOrgID` key, while accounting for service-owned resources.
Use this policy example as a template for creating your own custom policies. Refer to your service [documentation](https://docs.aws.amazon.com/index.html) for more information.
In the following video, learn more about how you might use the `aws:ResourceOrgID` condition key in a policy.
[](http://www.youtube.com/watch?v=https://www.youtube.com/embed/cWVW0xAiWwc)
### aws:ResourceTag/*tag-key*
Use this key to compare the tag key-value pair that you specify in the policy with the key-value pair attached to the resource. For example, you could require that access to a resource is allowed only if the resource has the attached tag key `"Dept"` with the value `"Marketing"`. For more information, see [Controlling access to AWS resources](access_tags.md#access_tags_control-resources).
+ **Availability** – This key is included in the request context when the requested resource already has attached tags or in requests that create a resource with an attached tag. This key is returned only for resources that [support authorization based on tags](reference_aws-services-that-work-with-iam.md). There is one context key for each tag key-value pair.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
This context key is formatted `"aws:ResourceTag/tag-key":"tag-value"` where *tag-key* and *tag-value* are a tag key and value pair. Tag keys are not case-sensitive. This means that if you specify `"aws:ResourceTag/TagKey1": "Value1"` in the condition element of your policy, then the condition matches a resource tag key named either `TagKey1` or `tagkey1`, but not both. Values in these tag key/value pairs are case-sensitive. This means that if you specify `"aws:ResourceTag/TagKey1": "Production"` in the condition element of your policy, then the condition matches a resource tag value named `Production` but it would not match `production` or `PRODUCTION`.
For examples of using the `aws:ResourceTag` key to control access to IAM resources, see [Controlling access to AWS resources](access_tags.md#access_tags_control-resources).
For examples of using the `aws:ResourceTag` key to control access to other AWS resources, see [Controlling access to AWS resources using tags](access_tags.md).
For a tutorial on using the `aws:ResourceTag` condition key for attribute based access control (ABAC), see [IAM tutorial: Define permissions to access AWS resources based on tags](tutorial_attribute-based-access-control.md).
## Properties of the request
Use the following condition keys to compare details about the request itself and the contents of the request with the request properties that you specify in the policy.
### aws:CalledVia
Use this key to compare the services in the policy with the services that made requests on behalf of the IAM principal (user or role). When a principal makes a request to an AWS service, that service might use the principal's credentials to make subsequent requests to other services. When the request is made using forward access sessions (FAS), this key is set with the value of the service principal. The `aws:CalledVia` key contains an ordered list of each service in the chain that made requests on the principal's behalf.
For more information, see [Forward access sessions](access_forward_access_sessions.md).
+ **Availability** – This key is present in the request when a service that supports `aws:CalledVia` uses the credentials of an IAM principal to make a request to another service. This key is not present if the service uses a [service role or service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) to make a call on the principal's behalf. This key is also not present when the principal makes the call directly.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String) (list)
+ **Value type** – Multivalued
To use the `aws:CalledVia` condition key in a policy, you must provide the service principals to allow or deny AWS service requests. For example, you can use AWS CloudFormation to read and write from an Amazon DynamoDB table. DynamoDB then uses encryption supplied by AWS Key Management Service (AWS KMS).
To allow or deny access when *any* service makes a request using the principal's credentials, use the `aws:ViaAWSService` condition key. That condition key supports AWS services.
The `aws:CalledVia` key is a [multivalued key](reference_policies_condition-single-vs-multi-valued-context-keys.md). However, you can't enforce order using this key in a condition. Using the example above, **User 1** makes a request to CloudFormation, which calls DynamoDB, which calls AWS KMS. These are three separate requests. The final call to AWS KMS is performed by User 1 *via* CloudFormation and then DynamoDB.
![\[Example using aws:CalledVia\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/condition-key-calledvia-example-diagram.png)
In this case, the `aws:CalledVia` key in the request context includes `cloudformation.amazonaws.com` and `dynamodb.amazonaws.com`, in that order. If you care only that the call was made via DynamoDB somewhere in the chain of requests, you can use this condition key in your policy.
For example, the following policy allows managing the AWS KMS key named `my-example-key`, but only if DynamoDB is one of the requesting services. The `ForAnyValue:StringEquals` condition operator ensures that DynamoDB is one of the calling services. If the principal makes the call to AWS KMS directly, the condition returns `false` and the request is not allowed by this policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "KmsActionsIfCalledViaDynamodb",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-east-1:111122223333:key/my-example-key",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"dynamodb.amazonaws.com"
]
}
}
}
]
}
```
------
If you want to enforce which service makes the first or last call in the chain, you can use the `aws:CalledViaFirst` and `aws:CalledViaLast` keys. For example, the following policy allows managing the key named `my-example-key` in AWS KMS. These AWS KMS operations are allowed only if multiple requests were included in the chain. The first request must be made via CloudFormation and the last via DynamoDB. If other services make requests in the middle of the chain, the operation is still allowed.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "KmsActionsIfCalledViaChain",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-east-1:111122223333:key/my-example-key",
"Condition": {
"StringEquals": {
"aws:CalledViaFirst": "cloudformation.amazonaws.com",
"aws:CalledViaLast": "dynamodb.amazonaws.com"
}
}
}
]
}
```
------
The `aws:CalledViaFirst` and `aws:CalledViaLast` keys are present in the request when a service uses an IAM principal's credentials to call another service. They indicate the first and last services that made calls in the chain of requests. For example, assume that CloudFormation calls another service named `X Service`, which calls DynamoDB, which then calls AWS KMS. The final call to AWS KMS is performed by `User 1` *via* CloudFormation, then `X Service`, and then DynamoDB. It was first called via CloudFormation and last called via DynamoDB.
![\[Example using aws:CalledViaFirst and aws:CalledViaLast\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/condition-key-calledviafirstlast-example-diagram.png)
### aws:CalledViaFirst
Use this key to compare the services in the policy with the ***first service*** that made a request on behalf of the IAM principal (user or role). For more information, see `aws:CalledVia`.
+ **Availability** – This key is present in the request when a service uses the credentials of an IAM principal to make at least one other request to a different service. This key is not present if the service uses a [service role or service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) to make a call on the principal's behalf. This key is also not present when the principal makes the call directly.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
### aws:CalledViaLast
Use this key to compare the services in the policy with the *last service* that made a request on behalf of the IAM principal (user or role). For more information, see `aws:CalledVia`.
+ **Availability** – This key is present in the request when a service uses the credentials of an IAM principal to make at least one other request to a different service. This key is not present if the service uses a [service role or service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) to make a call on the principal's behalf. This key is also not present when the principal makes the call directly.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
### aws:ViaAWSService
Use this key to check whether an AWS service makes a request to another service on your behalf using [forward access sessions (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html).
The request context key returns `true` when a service uses forward access sessions to make a request on behalf of the original IAM principal. The request context key also returns `false` when the principal makes the call directly.
+ **Availability** – This key is always included in the request context.
+ **Data type** – [Boolean](reference_policies_elements_condition_operators.md#Conditions_Boolean)
+ **Value type** – Single-valued
### aws:CalledViaAWSMCP
Use this key to compare the services in the policy with the AWS MCP services that made requests on behalf of the IAM principal (user or role). When a principal makes a request to an AWS MCP service, that service uses the principal's credentials to make subsequent requests to other services. When the request is made using an AWS MCP service, this key is set with the value of the service principal. The `aws:CalledViaAWSMCP` key contains the service principal name of the MCP service that made requests on the principal's behalf.
+ **Availability** – This key is present in the request when an AWS MCP service uses the credentials of an IAM principal to make a request to an AWS service. This key is also not present when the principal makes the call directly.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
You can use this condition key to allow or deny access based on which specific MCP server initiated the request. For example, the following policy denies sensitive delete operations when they are initiated through a specific MCP server:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenySensitiveActionsViaSpecificMCP",
"Effect": "Deny",
"Action": [
"s3:DeleteBucket",
"s3:DeleteObject",
"dynamodb:DeleteTable"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:CalledViaAWSMCP": "aws-mcp.amazonaws.com"
}
}
}
]
}
```
### aws:ViaAWSMCPService
Use this key to check whether an AWS MCP service makes a request to another AWS service on your behalf using forward access sessions (FAS). The request context key returns `true` when an AWS MCP service forwards a request to an AWS service on behalf of the original IAM principal. The request context key also returns `false` when the principal makes the call directly.
+ **Availability** – This key is included in the request context when an AWS MCP server makes a request to a downstream AWS service on behalf of an IAM principal.
+ **Data type** – [Boolean](reference_policies_elements_condition_operators.md#Conditions_Boolean)
+ **Value type** – Single-valued
You can use this key to restrict specific actions when they come through MCP servers. For example, the following policy denies sensitive delete operations when initiated through any AWS MCP server:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenySensitiveActionsViaMCP",
"Effect": "Deny",
"Action": [
"s3:DeleteBucket",
"s3:DeleteObject",
"dynamodb:DeleteTable"
],
"Resource": "*",
"Condition": {
"Bool": {
"aws:ViaAWSMCPService": "true"
}
}
}
]
}
```
### aws:CurrentTime
Use this key to compare the date and time of the request with the date and time that you specify in the policy. To view an example policy that uses this condition key, see [AWS: Allows access based on date and time](reference_policies_examples_aws-dates.md).
+ **Availability** – This key is always included in the request context.
+ **Data type** – [Date](reference_policies_elements_condition_operators.md#Conditions_Date)
+ **Value type** – Single-valued
### aws:EpochTime
Use this key to compare the date and time of the request in epoch or Unix time with the value that you specify in the policy. This key also accepts the number of seconds since January 1, 1970.
+ **Availability** – This key is always included in the request context.
+ **Data type** – [Date](reference_policies_elements_condition_operators.md#Conditions_Date), [Numeric](reference_policies_elements_condition_operators.md#Conditions_Numeric)
+ **Value type** – Single-valued
### aws:referer
Use this key to compare who referred the request in the client browser with the referer that you specify in the policy. The `aws:referer` request context value is provided by the caller in an HTTP header. The `Referer` header is included in a web browser request when you select a link on a web page. The `Referer` header contains the URL of the web page where the link was selected.
+ **Availability** – This key is included in the request context only if the request to the AWS resource was invoked by linking from a web page URL in the browser. This key is not included for programmatic requests because it doesn't use a browser link to access the AWS resource.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
For example, you can access an Amazon S3 object directly using a URL or using direct API invocation. For more information, see [Amazon S3 API operations directly using a web browser](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-4). When you access an Amazon S3 object from a URL that exists in a webpage, the URL of the source web page is in used in `aws:referer`. When you access an Amazon S3 object by typing the URL into your browser, `aws:referer` is not present. When you invoke the API directly, `aws:referer` is also not present. You can use the `aws:referer` condition key in a policy to allow requests made from a specific referer, such as a link on a web page in your company's domain.
**Warning**
This key should be used carefully. It is dangerous to include a publicly known referer header value. Unauthorized parties can use modified or custom browsers to provide any `aws:referer` value that they choose. As a result, `aws:referer` should not be used to prevent unauthorized parties from making direct AWS requests. It is offered only to allow customers to protect their digital content, such as content stored in Amazon S3, from being referenced on unauthorized third-party sites.
### aws:RequestedRegion
Use this key to compare the AWS Region that was called in the request with the Region that you specify in the policy. You can use this global condition key to control which Regions can be requested. To view the AWS Regions for each service, see [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html) in the *Amazon Web Services General Reference*.
+ **Availability** – This key is always included in the request context.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
Some global services, such as IAM, have a single endpoint. Because this endpoint is physically located in the US East (N. Virginia) Region, IAM calls are always made to the us-east-1 Region. For example, if you create a policy that denies access to all services if the requested Region is not us-west-2, then IAM calls always fail. To view an example of how to work around this, see [NotAction with Deny](reference_policies_elements_notaction.md).
**Note**
The `aws:RequestedRegion` condition key allows you to control which endpoint of a service is invoked but does not control the impact of the operation. Some services have cross-Region impacts.
For example, Amazon S3 has API operations that extend across regions.
You can invoke `s3:PutBucketReplication` in one Region (which is affected by the `aws:RequestedRegion` condition key), but other Regions are affected based on the replications configuration settings.
You can invoke `s3:CreateBucket` to create a bucket in another region, and use the `s3:LocationConstraint` condition key to control the applicable regions.
You can use this context key to limit access to AWS services within a given set of Regions. For example, the following policy allows a user to view all of the Amazon EC2 instances in the AWS Management Console. However it only allows them to make changes to instances in Ireland (eu-west-1), London (eu-west-2), or Paris (eu-west-3).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "InstanceConsoleReadOnly",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:Export*",
"ec2:Get*",
"ec2:Search*"
],
"Resource": "*"
},
{
"Sid": "InstanceWriteRegionRestricted",
"Effect": "Allow",
"Action": [
"ec2:Associate*",
"ec2:Import*",
"ec2:Modify*",
"ec2:Monitor*",
"ec2:Reset*",
"ec2:Run*",
"ec2:Start*",
"ec2:Stop*",
"ec2:Terminate*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"eu-west-1",
"eu-west-2",
"eu-west-3"
]
}
}
}
]
}
```
------
### aws:RequestTag/*tag-key*
Use this key to compare the tag key-value pair that was passed in the request with the tag pair that you specify in the policy. For example, you could check whether the request includes the tag key `"Dept"` and that it has the value `"Accounting"`. For more information, see [Controlling access during AWS requests](access_tags.md#access_tags_control-requests).
+ **Availability** – This key is included in the request context when tag key-value pairs are passed in the request. When multiple tags are passed in the request, there is one context key for each tag key-value pair.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
This context key is formatted `"aws:RequestTag/tag-key":"tag-value"` where *tag-key* and *tag-value* are a tag key and value pair. Tag keys are not case-sensitive. This means that if you specify `"aws:RequestTag/TagKey1": "Value1"` in the condition element of your policy, then the condition matches a request tag key named either `TagKey1` or `tagkey1`, but not both. Values in these tag key/value pairs are case-sensitive. This means that if you specify `"aws:RequestTag/TagKey1": "Production"` in the condition element of your policy, then the condition matches a request tag value named `Production` but it would not match `production` or `PRODUCTION`.
This example shows that while the key is single-valued, you can still use multiple key-value pairs in a request if the keys are different.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2::111122223333:instance/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/environment": [
"preprod",
"production"
],
"aws:RequestTag/team": [
"engineering"
]
}
}
}
}
```
------
### aws:TagKeys
Use this key to compare the tag keys in a request with the keys that you specify in the policy. We recommend that when you use policies to control access using tags, use the `aws:TagKeys` condition key to define what tag keys are allowed. For example policies and more information, see [Controlling access based on tag keys](access_tags.md#access_tags_control-tag-keys).
+ **Availability** – This key is included in the request context if the operation supports passing tags in the request.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String) (list)
+ **Value type** – Multivalued
This context key is formatted `"aws:TagKeys":"tag-key"` where *tag-key* is a list of tag keys without values (for example, `["Dept","Cost-Center"]`).
Because you can include multiple tag key-value pairs in a request, the request content could be a [multivalued](reference_policies_condition-single-vs-multi-valued-context-keys.md) request. In this case, you must use the `ForAllValues` or `ForAnyValue` set operators. For more information, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
Some services support tagging with resource operations, such as creating, modifying, or deleting a resource. To allow tagging and operations as a single call, you must create a policy that includes both the tagging action and the resource-modifying action. You can then use the `aws:TagKeys` condition key to enforce using specific tag keys in the request. For example, to limit tags when someone creates an Amazon EC2 snapshot, you must include the `ec2:CreateSnapshot` creation action ***and*** the `ec2:CreateTags` tagging action in the policy. To view a policy for this scenario that uses `aws:TagKeys`, see [Creating a Snapshot with Tags](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-creating-snapshot-with-tags) in the *Amazon EC2 User Guide*.
### aws:SecureTransport
Use this key to check whether the request was sent using TLS. The request context returns `true` or `false`. In a policy, you can allow specific actions only if the request is sent using TLS.
+ **Availability** – This key is always included in the request context.
+ **Data type** – [Boolean](reference_policies_elements_condition_operators.md#Conditions_Boolean)
+ **Value type** – Single-valued
**Note**
When AWS services make calls to other AWS services on your behalf (service-to-service calls), certain network-specific authorization context is redacted. If your policy uses this condition key with `Deny` statements, AWS service principals might be unintentionally blocked. To allow AWS services to work properly while maintaining your security requirements, exclude service principals from your `Deny` statements by adding the `aws:PrincipalIsAWSService` condition key with a value of `false`. For example:
```
{
"Effect": "Deny",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false",
"aws:PrincipalIsAWSService": "false"
}
}
}
```
This policy denies access to Amazon S3 operations when HTTPS is not used (`aws:SecureTransport` is false), but only for non-AWS service principals. This ensures your conditional restrictions apply to all principals except AWS service principals.
### aws:SourceAccount
Use this key to compare the account ID of the resource making a service-to-service request with the account ID that you specify in the policy, but only when the request is made by an AWS service principal.
+ **Availability** – This key is included in the request context only when the call to your resource is being made directly by an [AWS service principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) on behalf of a resource for which the configuration triggered the service-to-service request. The calling service passes the account ID of the original resource to the called service.
**Note**
This key provides a uniform mechanism for enforcing cross-service confused deputy control across AWS services. However, not all service integrations require the use of this global condition key. See the documentation of the AWS services you use for more information about service-specific mechanisms for mitigating cross-service confused deputy risks.
![\[aws:SourceAccount\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/sourceAccount.png)
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
You can use this condition key to help ensure that a calling service can access your resource only when the request originates from a specific account. For example, you can attach the following resource control policy (RCP) to deny requests by service principals against Amazon S3 buckets, unless they were triggered by a resource in the specified account. This policy applies the control only on requests by service principals (`"Bool": {"aws:PrincipalIsAWSService": "true"}`) that have the `aws:SourceAccount` key present (`"Null": {"aws:SourceAccount": "false"}`), so that service integrations that don't require the use of this key and calls by your principals aren't impacted. If the `aws:SourceAccount` key is present in the request context, the `Null` condition will evaluate to `true`, causing the `aws:SourceAccount` key to be enforced.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "RCPEnforceConfusedDeputyProtection",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:*"
],
"Resource": "*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:SourceAccount": "111122223333"
},
"Null": {
"aws:SourceAccount": "false"
},
"Bool": {
"aws:PrincipalIsAWSService": "true"
}
}
}
]
}
```
------
In resource-based policies where the principal is an AWS service principal, use the key to limit permissions granted to the service. For example, when an Amazon S3 bucket is configured to send notifications to an Amazon SNS topic, the Amazon S3 service invokes the `sns:Publish` API operation for all configured events. In the topic policy that allows the `sns:Publish` operation, set the value of the condition key to the account ID of the Amazon S3 bucket.
### aws:SourceArn
Use this key to compare the [Amazon Resource Name (ARN)](reference_identifiers.md#identifiers-arns) of the resource making a service-to-service request with the ARN that you specify in the policy, but only when the request is made by an AWS service principal. When the source's ARN includes the account ID, it is not necessary to use `aws:SourceAccount` with `aws:SourceArn`.
This key does not work with the ARN of the principal making the request. Instead, use `aws:PrincipalArn`.
+ **Availability** – This key is included in the request context only when the call to your resource is being made directly by an [AWS service principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) on behalf of a resource for which the configuration triggered the service-to-service request. The calling service passes the ARN of the original resource to the called service.
**Note**
This key provides a uniform mechanism for enforcing cross-service confused deputy control across AWS services. However, not all service integrations require the use of this global condition key. See the documentation of the AWS services you use for more information about service-specific mechanisms for mitigating cross-service confused deputy risks.
![\[aws:SourceArn\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/sourceArn.png)
+ **Data type** – ARN
AWS recommends that you use [ARN operators](reference_policies_elements_condition_operators.md#Conditions_ARN) instead of [string operators](reference_policies_elements_condition_operators.md#Conditions_String) when comparing ARNs.
+ **Value type** – Single-valued
You can use this condition key to help ensure that a calling service can access your resource only when the request originates from a specific resource. When using a resource-based policy with an AWS service principal as the `Principal`, set this condition key's value to the ARN of the resource you want to restrict access to. For example, when an Amazon S3 bucket is configured to send notifications to an Amazon SNS topic, the Amazon S3 service invokes the `sns:Publish` API operation for all configured events. In the topic policy that allows the `sns:Publish` operation, set the value of the condition key to the ARN of the Amazon S3 bucket. For recommendations on when to use this condition key in resource-based policies, see the documentation for the AWS services you are using.
### aws:SourceOrgID
Use this key to compare the [organization ID](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_details.html) of the resource making a service-to-service request with the organization ID that you specify in the policy, but only when the request is made by an AWS service principal. When you add and remove accounts to an organization in AWS Organizations, policies that include the `aws:SourceOrgID` key automatically include the correct accounts and you don't have to manually update the policies.
+ **Availability** – This key is included in the request context only when the call to your resource is being made directly by an [AWS service principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) on behalf of a resource owned by an account which is a member of an organization. The calling service passes the organization ID of the original resource to the called service.
**Note**
This key provides a uniform mechanism for enforcing cross-service confused deputy control across AWS services. However, not all service integrations require the use of this global condition key. See the documentation of the AWS services you use for more information about service-specific mechanisms for mitigating cross-service confused deputy risks.
![\[aws:SourceOrgID\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/sourceOrgID.png)
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
You can use this condition key to help ensure that a calling service can access your resource only when the request originates from a specific organization. For example, you can attach the following resource control policy (RCP) to deny requests by service principals against Amazon S3 buckets, unless they were triggered by a resource in the specified AWS organization. This policy applies the control only on requests by service principals (`"Bool": {"aws:PrincipalIsAWSService": "true"}`) that have the `aws:SourceAccount` key present (`"Null": {"aws:SourceAccount": "false"}`), so that service integrations that don't require the use of the key and calls by your principals aren't impacted. If the `aws:SourceAccount` key is present in the request context, the `Null` condition will evaluate to `true`, causing the `aws:SourceOrgID` key to be enforced. We use `aws:SourceAccount` instead of `aws:SourceOrgID` in the `Null` condition operator so that the control still applies if the request originates from an account that doesn’t belong to an organization.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "RCPEnforceConfusedDeputyProtection",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:*"
],
"Resource": "*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:SourceOrgID": "o-xxxxxxxxxx"
},
"Null": {
"aws:SourceAccount": "false"
},
"Bool": {
"aws:PrincipalIsAWSService": "true"
}
}
}
]
}
```
------
### aws:SourceOrgPaths
Use this key to compare the AWS Organizations path of the resource making a service-to-service request with the organizations path that you specify in the policy, but only when the request is made by an AWS service principal. An AWS Organizations path is a text representation of the structure of an AWS Organizations entity. For more information about using and understanding paths, see [Understand the AWS Organizations entity path](access_policies_last-accessed-view-data-orgs.md#access_policies_last-accessed-viewing-orgs-entity-path).
+ **Availability** – This key is included in the request context only when the call to your resource is being made directly by an [AWS service principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) on behalf of a resource owned by an account which is a member of an organization. The calling service passes the organization path of the original resource to the called service.
**Note**
This key provides a uniform mechanism for enforcing cross-service confused deputy control across AWS services. However, not all service integrations require the use of this global condition key. See the documentation of the AWS services you use for more information about service-specific mechanisms for mitigating cross-service confused deputy risks.
![\[aws:SourceOrgPaths\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/sourceOrgPaths.png)
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String) (list)
+ **Value type** – Multivalued
Use this condition key to help ensure that a calling service can access your resource only when the request originates from a specific organizational unit (OU) in AWS Organizations.
Similarly to `aws:SourceOrgID`, to help prevent impact on service integrations that don't require the use of this key, use the `Null` condition operator with the `aws:SourceAccount` condition key so that the control still applies if the request originates from an account that doesn’t belong to an organization.
```
{
"Condition": {
"ForAllValues:StringNotLikeIfExists": {
"aws:SourceOrgPaths": "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/"
},
"Null": {
"aws:SourceAccount": "false"
},
"Bool": {
"aws:PrincipalIsAWSService": "true"
}
}
}
```
`aws:SourceOrgPaths` is a multivalued condition key. Multivalued keys can have multiple values in the request context. You must use the `ForAnyValue` or `ForAllValues` set operators with [string condition operators](reference_policies_elements_condition_operators.md#Conditions_String) for this key. For more information about multivalued condition keys, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
### aws:UserAgent
Use this key to compare the requester's client application with the application that you specify in the policy.
+ **Availability** – This key is always included in the request context.
+ **Data type** – [String](reference_policies_elements_condition_operators.md#Conditions_String)
+ **Value type** – Single-valued
**Warning**
This key should be used carefully. Since the `aws:UserAgent` value is provided by the caller in an HTTP header, unauthorized parties can use modified or custom browsers to provide any `aws:UserAgent` value that they choose. As a result, `aws:UserAgent` should not be used to prevent unauthorized parties from making direct AWS requests. You can use it to allow only specific client applications, and only after testing your policy.
### aws:IsMcpServiceAction
Use this key to verify that the action being authorized is an MCP Service action. This key does not refer to actions taken by the MCP service to other AWS services.
+ **Availability** – This key is included in the request context and set to True only when the MCP service is authorizing an MCP service action.
+ **Data type** – [Boolean](reference_policies_elements_condition_operators.md#Conditions_Boolean)
+ **Value type** – Single-valued
## Other cross-service condition keys
AWS STS supports [SAML-based federation condition keys](reference_policies_iam-condition-keys.md#condition-keys-saml) and cross-service condition keys for [OIDC federation](reference_policies_iam-condition-keys.md#condition-keys-wif). These keys are available when a user who was federated using OIDC or SAML performs AWS operations in other services.
# IAM and AWS STS condition context keys
You can use the `Condition` element in a JSON policy to test the value of keys that are included in the request context of all AWS requests. These keys provide information about the request itself or the resources that the request references. You can check that keys have specified values before allowing the action requested by the user. This gives you granular control over when your JSON policy statements match or don't match an incoming request. For information about how to use the `Condition` element in a JSON policy, see [IAM JSON policy elements: Condition](reference_policies_elements_condition.md).
This topic describes the keys defined and provided by the IAM service (with an `iam:` prefix) and the AWS Security Token Service (AWS STS) service (with an `sts:` prefix). Several other AWS services also provide service-specific keys that are relevant to the actions and resources defined by that service. For more information, see [Actions, Resources, and Condition Keys for AWS Services](reference_policies_actions-resources-contextkeys.html). The documentation for a service that supports condition keys often has additional information. For example, for information about keys that you can use in policies for Amazon S3 resources, see [Amazon S3 Policy Keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html#AvailableKeys-iamV2) in the *Amazon Simple Storage Service User Guide*.
**Topics**
+ [Available keys for IAM](#available-keys-for-iam)
+ [Available keys for AWS OIDC federation](#condition-keys-wif)
+ [Available keys for SAML-based AWS STS federation](#condition-keys-saml)
+ [Cross-service SAML-based AWS STS federation context keys](#cross-condition-keys-saml)
+ [Available keys for AWS STS](#condition-keys-sts)
## Available keys for IAM
You can use the following condition keys in policies that control access to IAM resources:
**iam:AssociatedResourceArn**
Works with [ARN operators](reference_policies_elements_condition_operators.md#Conditions_ARN).
Specifies the ARN of the resource to which this role will be associated at the destination service. The resource usually belongs to the service to which the principal is passing the role. Sometimes, the resource might belong to a third service. For example, you might pass a role to Amazon EC2 Auto Scaling that they use on an Amazon EC2 instance. In this case, the condition would match the ARN of the Amazon EC2 instance.
This condition key applies to only the [PassRole](id_roles_use_passrole.md) action in a policy. It can't be used to limit any other action.
When using the `iam:AssociatedResourceArn` condition in a policy to restrict the [PassRole](id_roles_use_passrole.md) action, special considerations apply if the policy is intended to define access for the [AddRoleToInstanceProfile](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddRoleToInstanceProfile.html) action. In this case, you cannot specify a Region or instance ID in the EC2 instance ARN. The ARN value must be `arn:aws:ec2:*:CallerAccountId:instance/*`. Using any other ARN value may lead to unexpected evaluation results.
Use this condition key in an identity-based policy to allow an entity to pass a role, but only if that role is associated with the specified resource. For example, you can allow an IAM user or role to pass any role to the Amazon EC2 service to be used with instances in the AWS account. The IAM user or role would not be allowed to pass roles to other services.
```
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
},
"ArnLike": {
"iam:AssociatedResourceARN": [
"arn:aws:ec2:*:111122223333:instance/*"
]
}
}
}
```
AWS services that support [iam:PassedToService](#ck_PassedToService) also support this condition key.
**iam:AWSServiceName**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Specifies the AWS service to which this role is attached.
This condition key is supported by the [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html) API operation.
For information about which services support using service-linked roles, see [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md) and look for the services that have **Yes **in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.
In this example, you allow an entity to create a service-linked role using the [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html) API operation if the service name is *access-analyzer.amazonaws.com.*
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "access-analyzer.amazonaws.com"
}
}
}]
}
```
**iam:FIDO-certification**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Checks the MFA device FIDO certification level at the time of registration of a FIDO security key. The device certification is retrieved from the [FIDO Alliance Metadata Service (MDS)](https://fidoalliance.org/metadata/). If the certification status or level of your FIDO security key changes, it will not be updated unless the device is unregistered and registered again to fetch the updated certification information.
Possible values of L1, L1plus, L2, L2plus, L3, L3plus
In this example, you register a security key and retrieve the FIDO Level 1 plus certification for your device.
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "iam:EnableMFADevice",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:RegisterSecurityKey" : "Create"
}
}
},
{
"Effect": "Allow",
"Action": "iam:EnableMFADevice",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:RegisterSecurityKey" : "Activate",
"iam:FIDO-certification": "L1plus"
}
}
}
]
}
```
**iam:FIDO-FIPS-140-2-certification**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Checks the MFA device FIPS-140-2 validation certification level at the time of registration of a FIDO security key. The device certification is retrieved from the [FIDO Alliance Metadata Service (MDS)](https://fidoalliance.org/metadata/). If the certification status or level of your FIDO security key changes, it will not be updated unless the device is unregistered and registered again to fetch the updated certification information.
Possible values of L1, L2, L3, L4
In this example, you register a security key and retrieve the FIPS-140-2 Level 2 certification for your device.
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "iam:EnableMFADevice",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:RegisterSecurityKey" : "Create"
}
}
},
{
"Effect": "Allow",
"Action": "iam:EnableMFADevice",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:RegisterSecurityKey" : "Activate",
"iam:FIDO-FIPS-140-2-certification": "L2"
}
}
}
]
}
```
**iam:FIDO-FIPS-140-3-certification**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Checks the MFA device FIPS-140-3 validation certification level at the time of registration of a FIDO security key. The device certification is retrieved from the [FIDO Alliance Metadata Service (MDS)](https://fidoalliance.org/metadata/). If the certification status or level of your FIDO security key changes, it will not be updated unless the device is unregistered and registered again to fetch the updated certification information.
Possible values of L1, L2, L3, L4
In this example, you register a security key and retrieve the FIPS-140-3 Level 3 certification for your device.
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "iam:EnableMFADevice",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:RegisterSecurityKey" : "Create"
}
}
},
{
"Effect": "Allow",
"Action": "iam:EnableMFADevice",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:RegisterSecurityKey" : "Activate",
"iam:FIDO-FIPS-140-3-certification": "L3"
}
}
}
]
}
```
**iam:OrganizationsPolicyId**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Checks that the policy with the specified AWS Organizations ID matches the policy used in the request. To view an example IAM policy that uses this condition key, see [IAM: View service last accessed information for an AWS Organizations policy](reference_policies_examples_iam_service-accessed-data-orgs.md).
**iam:PassedToService**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Specifies the service principal of the service to which a role can be passed. This condition key applies to only the [PassRole](id_roles_use_passrole.md) action in a policy. It can't be used to limit any other action.
When you use this condition key in a policy, specify the service using a service principal. A service principal is the name of a service that can be specified in the `Principal` element of a policy. This is the usual format: `SERVICE_NAME_URL.amazonaws.com`.
You can use `iam:PassedToService` to restrict your users so that they can pass roles only to specific services. For example, a user might create a [service role](id_roles.md#iam-term-service-role) that trusts CloudWatch to write log data to an Amazon S3 bucket on their behalf. Then the user must attach a permissions policy and a trust policy to the new service role. In this case, the trust policy must specify `cloudwatch.amazonaws.com` in the `Principal` element. To view a policy that allows the user to pass the role to CloudWatch, see [IAM: Pass an IAM role to a specific AWS service](reference_policies_examples_iam-passrole-service.md).
By using this condition key, you can ensure that users create service roles only for the services that you specify. For example, if a user with the preceding policy attempts to create a service role for Amazon EC2, the operation will fail. The failure occurs because the user does not have permission to pass the role to Amazon EC2.
Sometimes you pass a role to a service that then passes the role to a different service. `iam:PassedToService` includes only the final service that assumes the role, not the intermediate service that passes the role.
Some services do not support this condition key.
**iam:PermissionsBoundary**
Works with [ARN operators](reference_policies_elements_condition_operators.md#Conditions_ARN).
Checks that the specified policy is attached as permissions boundary on the IAM principal resource. For more information, see [Permissions boundaries for IAM entities](access_policies_boundaries.md)
**iam:PolicyARN**
Works with [ARN operators](reference_policies_elements_condition_operators.md#Conditions_ARN).
Checks the Amazon Resource Name (ARN) of a managed policy in requests that involve a managed policy. For more information, see [Controlling access to policies](access_controlling.md#access_controlling-policies).
**iam:RegisterSecurityKey**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Checks the current state of MFA device enablement.
Possible values of `Create` or `Activate`.
In this example, you register a security key and retrieve the FIPS-140-3 Level 1 certification for your device.
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "iam:EnableMFADevice",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:RegisterSecurityKey" : "Create"
}
}
},
{
"Effect": "Allow",
"Action": "iam:EnableMFADevice",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:RegisterSecurityKey" : "Activate",
"iam:FIDO-FIPS-140-3-certification": "L1"
}
}
}
]
}
```
**iam:ResourceTag/*key-name***
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Checks that the tag attached to the identity resource (user or role) matches the specified key name and value.
IAM and AWS STS support both the `iam:ResourceTag` IAM condition key and the `aws:ResourceTag` global condition key.
You can add custom attributes to IAM resources in the form of a key-value pair. For more information about tags for IAM resources, see [Tags for AWS Identity and Access Management resources](id_tags.md). You can use `ResourceTag` to [control access](access_tags.md#access_tags_control-resources) to AWS resources, including IAM resources. However, because IAM does not support tags for groups, you cannot use tags to control access to groups.
This example shows how you might create an identity-based policy that allows deleting users with the **status=terminated** tag. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "iam:DeleteUser",
"Resource": "*",
"Condition": {"StringEquals": {"iam:ResourceTag/status": "terminated"}}
}]
}
```
**iam:ServiceSpecificCredentialAgeDays**
Works with [numeric operators](reference_policies_elements_condition_operators.md#Conditions_Numeric).
This condition key limits the creation of service-specific credentials based on their expiration settings. It allows you to control the maximum age, in days, of service-specific credentials that can be created.
The valid range for days is 1 to 36600 (minimum 1 day, maximum 36600 days).
This condition key is supported by the [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceSpecificCredential.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceSpecificCredential.html) API operation.
In this example, you allow a user to create service-specific credentials for the Amazon Bedrock service only if they expire within 90 days.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceSpecificCredential",
"Resource": "arn:aws:iam::111122223333:user/username",
"Condition": {
"StringEquals": {
"iam:ServiceSpecificCredentialServiceName": "bedrock.amazonaws.com"
},
"NumericLessThanEquals": {
"iam:ServiceSpecificCredentialAgeDays": "90"
}
}
}
]
}
```
**iam:ServiceSpecificCredentialServiceName**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Specifies which AWS services can be used when managing service-specific credentials. This condition key allows you to restrict which AWS services are permitted when managing service-specific credentials.
This condition key is supported by the following API operations:
+ [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceSpecificCredential.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceSpecificCredential.html)
+ [https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteServiceSpecificCredential.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteServiceSpecificCredential.html)
+ [https://docs.aws.amazon.com/IAM/latest/APIReference/API_ResetServiceSpecificCredential.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ResetServiceSpecificCredential.html)
+ [https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateServiceSpecificCredential.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateServiceSpecificCredential.html)
The following services are supported for service-specific credentials with their exact value formatting:
+ `bedrock.amazonaws.com`
+ `cassandra.amazonaws.com`
+ `codecommit.amazonaws.com`
In this example, you allow a user to create service-specific credentials using the [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceSpecificCredential.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceSpecificCredential.html) API operation only for the Amazon Bedrock service.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceSpecificCredential",
"Resource": "arn:aws:iam::111122223333:user/username",
"Condition": {
"StringEquals": {
"iam:ServiceSpecificCredentialServiceName": "bedrock.amazonaws.com"
}
}
}
]
}
```
**iam:DelegationDuration**
Works with [numeric operators](reference_policies_elements_condition_operators.md#Conditions_Numeric).
Filters access based on the duration of temporary access requested in a delegation request.
Product providers can use this condition key to control the maximum duration they allow in delegation requests sent to customers. The duration is specified in seconds and determines how long temporary credentials remain valid after the customer releases the exchange token. This helps product providers enforce internal policies around access duration limits based on their use case.
This condition key is supported by the `CreateDelegationRequest` API operation.
In this example, you allow creating delegation requests only if the requested duration is 7200 seconds (2 hours) or less.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateDelegationRequest",
"Resource": "*",
"Condition": {
"NumericLessThanEquals": {
"iam:DelegationDuration": "7200"
}
}
}
]
}
```
**iam:NotificationChannel**
Works with [ARN operators](reference_policies_elements_condition_operators.md#Conditions_ARN).
Filters access based on the Amazon SNS topic ARN specified for receiving delegation request notifications.
Product providers can use this condition key to restrict which SNS topics can be used for delegation request notifications in the CreateDelegationRequest API call. Product providers must specify an SNS topic to receive state change notifications and exchange tokens. This ensures that notifications are sent only to approved channels within the product provider's organization.
This condition key is supported by the `CreateDelegationRequest` API operation.
In this example, you allow creating delegation requests only if they use a specific SNS topic for notifications.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateDelegationRequest",
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:NotificationChannel": "arn:aws:sns:us-east-1:123456789012:delegation-notifications"
}
}
}
]
}
```
**iam:TemplateArn**
Works with [ARN operators](reference_policies_elements_condition_operators.md#Conditions_ARN).
Filters access based on the policy template ARN used to define permissions in a delegation request.
Product providers can use this condition key to control which policy templates can be used in the CreateDelegationRequest API call. Policy templates define the temporary permissions that product providers request in customer accounts. This allows product providers to restrict which registered policy templates can be used when creating delegation requests.
This condition key is supported by the `CreateDelegationRequest` API operation.
In this example, you allow creating delegation requests only if they use a policy template from a specific partner domain.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateDelegationRequest",
"Resource": "*",
"Condition": {
"ArnLike": {
"iam:TemplateArn": "arn:aws:iam:::delegation-template/partner_*"
}
}
}
]
}
```
**iam:DelegationRequestOwner**
Works with [ARN operators](reference_policies_elements_condition_operators.md#Conditions_ARN).
Filters access based on the AWS identity or principal that owns the delegation request.
Customers can use this condition key to control who can perform actions on delegation requests based on ownership. The owner of a delegation request is the AWS identity or principal in the customer account that initiated or received the delegation request.
This condition key is supported by the following API operations:
+ `GetDelegationRequest`
+ `AcceptDelegationRequest`
+ `RejectDelegationRequest`
+ `SendDelegatedToken`
+ `ListDelegationRequests`
+ `UpdateDelegationRequest`
In this example, you allow users to manage only delegation requests that they own.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetDelegationRequest",
"iam:AcceptDelegationRequest",
"iam:RejectDelegationRequest",
"iam:SendDelegatedToken",
"iam:UpdateDelegationRequest",
"iam:ListDelegationRequests"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:DelegationRequestOwner": "${aws:PrincipalArn}"
}
}
}
]
}
```
## Available keys for AWS OIDC federation
You can use OIDC federation to give temporary security credentials to users who have been authenticated through an OpenID Connect compatible identity provider (IdP) to an IAM OpenID Connect (OIDC) identity provider in your AWS account. Examples of such providers include GitHub, Amazon Cognito, Login with Amazon, and Google. Identity tokens and access tokens from your own IdP may be used, as well as [service account tokens](https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html#service-account-tokens) granted to Amazon Elastic Kubernetes Service workloads.
You can use AWS OIDC condition context keys to write policies that limit the access of federated principals to resources that are associated with a specific provider, app, or user. These keys are typically used in the trust policy for a role. Define condition keys using the name of the OIDC provider (`token.actions.githubusercontent.com`) followed by a claim (`:aud`): `token.actions.githubusercontent.com:aud`.
Some OIDC federation condition keys can be used in the role session to authorize resource access. If the value is **Yes** in the **Available in session** column, you can use these condition keys in policies to define what users are allowed to access in other AWS services. When a claim is not available in session, the OIDC condition context key can only be used in a role trust policy for the initial [AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) authentication.
Select your IdP to see how claims from your IdP map to IAM condition context keys in AWS. More information on keys for GitHub and Google can be found under the **Default** tab.
------
#### [ Default ]
Default lists the standard OIDC claims and how they map to AWS STS condition context keys in AWS. You can use these keys to control access to a role. To do that, compare the **AWS STS condition keys** to the values in the **IdP JWT claim** column. Use this mapping if your IdP is not listed in the tab options.
GitHub Actions workflows and Google are some examples of IdPs that use the default implementation in their OIDC JWT ID token.
| AWS STS condition key | IdP JWT claim | Available in session |
| --- | --- | --- |
| amr | amr | Yes |
| aud | azp If no value is set for `azp`, the `aud` condition key maps to the `aud` claim. | Yes |
| email | email | No |
| oaud | aud | No |
| sub | sub | Yes |
For more information about using OIDC condition context keys with GitHub, see [Configuring a role for GitHub OIDC identity provider](id_roles_create_for-idp_oidc.md#idp_oidc_Create_GitHub). For more information about Google `aud` and `azp` fields, see the [Google Identity Platform OpenID Connect](https://developers.google.com/identity/protocols/OpenIDConnect) Guide.
**amr**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String). The key is multivalued, meaning that you test it in a policy using [condition set operators](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
**Example**: `token.actions.githubusercontent.com:amr`
Authentication Methods Reference includes login information about the user. The key can contain the following values:
+ If the user is unauthenticated, the key contains only `unauthenticated`.
+ If the user is authenticated, the key contains the value `authenticated` and the name of the login provider used in the call (`accounts.google.com`).
**aud**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Examples**:
+ `accounts.google.com:aud`
+ `token.actions.githubusercontent.com:aud`
Use the `aud` condition key to verify that the audience matches the one you specify in the policy. You can use the aud key with the sub key for the same identity provider.
This condition key is set from the following token fields:
+ `aud` for OAuth 2.0 Google client IDs of your application, when the `azp` field is not set. When the `azp` field is set, the `aud` field matches the `accounts.google.com:oaud` condition key.
+ `azp` when the `azp` field is set. This can happen for hybrid apps where a web application and Android app have a different OAuth 2.0 Google client ID but share the same Google APIs project.
When you write a policy using the `accounts.google.com:aud` condition key, you must know whether the app is a hybrid app that sets the `azp` field.
`azp` Field Not Set
The following example policy works for non-hybrid apps that do not set the `azp` field. In this case the Google ID Token `aud` field value matches both the `accounts.google.com:aud` and the `accounts.google.com:oaud` condition key values.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"Federated": "accounts.google.com"},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"accounts.google.com:aud": "aud-value",
"accounts.google.com:oaud": "aud-value",
"accounts.google.com:sub": "sub-value"
}
}
}
]
}
```
`azp` Field Set
The following example policy works for hybrid apps that do set the `azp` field. In this case, the Google ID Token `aud` field value matches only the `accounts.google.com:oaud` condition key value. The `azp` field value matches the `accounts.google.com:aud` condition key value.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"Federated": "accounts.google.com"},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"accounts.google.com:aud": "azp-value",
"accounts.google.com:oaud": "aud-value",
"accounts.google.com:sub": "sub-value"
}
}
}
]
}
```
**email**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example**: `accounts.google.com:email`
This condition key validates the user's email address. The value of this claim may not be unique to this account and could change over time, therefore you should not use this value as the primary identifier to verify your user record.
**oaud**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example**: `accounts.google.com:oaud`
This key specifies the other audience (`aud`) that this ID token is intended for. It must be one of the OAuth 2.0 client IDs of your application.
**sub**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Examples**:
+ `accounts.google.com:sub`
+ token.actions.githubusercontent.com:sub
Use these keys to verify that the subject matches the one that you specify in the policy. You can use the `sub` key with the `aud` key for the same identity provider.
In the following role trust policy, the `sub` condition key limits the role to the GitHub branch named `demo`.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
"token.actions.githubusercontent.com:sub": "repo:org-name/repo-name:ref:refs/heads/demo"
}
}
}
]
}
```
------
#### [ Amazon Cognito ]
This tab explains how Amazon Cognito maps OIDC claims to AWS STS condition context keys in AWS. You can use these keys to control access to a role. To do that, compare the **AWS STS condition keys** to the values in the **IdP JWT claim** column.
For roles used by Amazon Cognito, keys are defined using `cognito-identity.amazonaws.com` followed by the claim.
For more information about identity pool claim mapping, see [Default provider mappings](https://docs.aws.amazon.com/cognito/latest/developerguide/provider-mappings.html) in the *Amazon Cognito Developer Guide*. For more information about user pool claim mapping see [Using the ID token](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html) in the *Amazon Cognito Developer Guide*.
| AWS STS condition key | IdP JWT claim | Available in session |
| --- | --- | --- |
| amr | amr | Yes |
| aud | aud | Yes |
| oaud | aud | No |
| sub | sub | Yes |
**amr**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String). The key is multivalued, meaning that you test it in a policy using [condition set operators](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
**Example** – `cognito-identity.amazonaws.com:amr`
Authentication Methods Reference includes login information about the user. The key can contain the following values:
+ If the user is unauthenticated, the key contains only `unauthenticated`.
+ If the user is authenticated, the key contains the value `authenticated` and the name of the login provider used in the call (`cognito-identity.amazonaws.com`).
As an example, the following condition in the trust policy for an Amazon Cognito role tests whether the user is unauthenticated.
```
"Condition": {
"StringEquals":
{ "cognito-identity.amazonaws.com:aud": "us-east-2:identity-pool-id" },
"ForAnyValue:StringLike":
{ "cognito-identity.amazonaws.com:amr": "unauthenticated" }
}
```
**aud**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `cognito-identity.amazonaws.com:aud`
The user pool app client that authenticated your user. Amazon Cognito renders the same value in the access token `client_id` claim.
**oaud**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `cognito-identity.amazonaws.com:oaud`
The user pool app client that authenticated your user. Amazon Cognito renders the same value in the access token `client_id` claim.
**sub**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `cognito-identity.amazonaws.com:sub`
A unique identifier (UUID), or subject, for the authenticated user. The username might not be unique in your user pool. The sub claim is the best way to identify a given user. You can use the `sub` key with the `aud` key for the same identity provider.
```
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:12345678-abcd-abcd-abcd-123456790ab",
"cognito-identity.amazonaws.com:sub": [
"us-east-1:12345678-1234-1234-1234-123456790ab",
"us-east-1:98765432-1234-1234-1243-123456790ab"
]
}
}
```
------
#### [ Login with Amazon ]
This tab explains how Login with Amazon maps OIDC claims to AWS STS condition context keys in AWS. You can use these keys to control access to a role. To do that, compare the **AWS STS condition keys** to the values in the **IdP JWT claim** column.
| AWS STS condition key | IdP JWT claim | Available in session |
| --- | --- | --- |
| app\$1id | Application ID | Yes |
| sub | User ID | Yes |
| user\$1id | User ID | Yes |
**app\$1id**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `www.amazon.com:app_id`
This key specifies the audience context that matches the `aud` field used by other identity providers.
**sub**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `www.amazon.com:sub`
This key verifies that the user ID matches the one that you specify in the policy. You can use the `sub `key with the `aud` key for the same identity provider.
**user\$1id**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `www.amazon.com:user_id`
This key specifies the audience context that matches the `aud` field used by other identity providers.You can use the `user_id` key with the `id` key for the same identity provider.
------
#### [ Facebook ]
This tab explains how Facebook maps OIDC claims to AWS STS condition context keys in AWS. You can use these keys to control access to a role. To do that, compare the **AWS STS condition keys** to the values in the **IdP JWT claim** column.
| AWS STS condition key | IdP JWT claim | Available in session |
| --- | --- | --- |
| app\$1id | Application ID | Yes |
| id | id | Yes |
**app\$1id**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `graph.facebook.com:app_id`
This key verifies that the audience context matches the `aud` field used by other identity providers.
**id**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `graph.facebook.com:id`
This key verified that the application (or site) ID matches the one that you specify in the policy.
------
#### [ GitHub ]
This tab explains how GitHub Actions maps OIDC claims to AWS STS condition context keys in AWS. You can use these keys to control access to a role. To do that, compare the **AWS STS condition keys** to the values in the **IdP JWT claim** column.
| AWS STS condition key | IdP JWT claim | Available in session |
| --- | --- | --- |
| actor | actor | No |
| actor\$1id | actor\$1id | No |
| job\$1workflow\$1ref | job\$1workflow\$1ref | No |
| repository | repository | No |
| repository\$1id | repository\$1id | No |
| workflow | workflow | No |
| ref | ref | No |
| environment | environment | No |
| enterprise\$1id | enterprise\$1id | No |
**actor**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `token.actions.githubusercontent.com:actor`
This key identifies the personal account that initiated the workflow run. Use this to restrict access to specific actors.
**actor\$1id**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `token.actions.githubusercontent.com:actor_id`
This key verifies the ID of the personal account that initiated the workflow run. Actor IDs are generated by GitHub and are immutable.
**job\$1workflow\$1ref**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `token.actions.githubusercontent.com:job_workflow_ref`
This key contains the reference path to the reusable workflow for jobs using a reusable workflow. Use this to restrict access to specific workflows and to ensure only approved workflows can assume roles.
**repository**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `token.actions.githubusercontent.com:repository`
This key identifies the repository from where the workflow is running. Use this to limit access to specific GitHub repositories.
**repository\$1id**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `token.actions.githubusercontent.com:repository_id`
This key verifies the ID of the repository from where the workflow is running. Repository IDs are immutable and don't change even if the repository is renamed.
**workflow**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `token.actions.githubusercontent.com:workflow`
This key contains the name of the workflow. Use this to restrict access to specific workflows within your repositories.
**ref**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `token.actions.githubusercontent.com:ref`
This key identifies the git ref (branch or tag) that triggered the workflow run. Use this to limit access based on specific branches, such as allowing only `main` or `production` branches.
**environment**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `token.actions.githubusercontent.com:environment`
This key contains the name of the environment used by the job. Use this to implement environment-based access controls, such as separate permissions for development, staging, and production environments.
If the environment claim is included in your trust policy, an environment must be configured and provided in the GitHub workflow.
**enterprise\$1id**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `token.actions.githubusercontent.com:enterprise_id`
This key verifies the ID of the enterprise that contains the repository from where the workflow is running. Use this to ensure access is limited to repositories within your GitHub Enterprise organization.
The following example trust policy uses custom claims in GitHub OIDC token to limit access to a role.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
"token.actions.githubusercontent.com:job_workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
"token.actions.githubusercontent.com:repository": "octo-org/octo-repo",
"token.actions.githubusercontent.com:actor": "octocat",
"token.actions.githubusercontent.com:ref": "refs/heads/main",
"token.actions.githubusercontent.com:enterprise_id": "345"
}
}
}
]
}
```
------
#### [ Google ]
This tab explains how Google maps OIDC claims to AWS STS condition context keys in AWS. You can use these keys to control access to a role. To do that, compare the **AWS STS condition keys** to the values in the **IdP JWT claim** column.
| AWS STS condition key | IdP JWT claim | Available in session |
| --- | --- | --- |
| google/organization\$1number | google:organization\$1number | No |
**google/organization\$1number**
Works with [numeric operators](reference_policies_elements_condition_operators.md#Conditions_Numeric).
**Example** – `accounts.google.com:google/organization_number`
This key verifies that a token represents a Google identity belonging to a specific Google Cloud or Google Workspace organization. Use this to restrict access to users from specific organizations, ensuring that only identities from your organization can assume the role.
The following example trust policy uses the `google/organization_number` claim to limit access to a role.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "accounts.google.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"NumericEquals": {
"accounts.google.com:google/organization_number": "123456"
}
}
}
]
}
```
------
#### [ CircleCI ]
This tab explains how CircleCI maps OIDC claims to AWS STS condition context keys in AWS. You can use these keys to control access to a role. To do that, compare the **AWS STS condition keys** to the values in the **IdP JWT claim** column.
| AWS STS condition key | IdP JWT claim | Available in session |
| --- | --- | --- |
| oidc.circleci.com/project-id | oidc.circleci.com/project-id | No |
**oidc.circleci.com/project-id**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `circleci-issuer-url:oidc.circleci.com/project-id`
This key identifies the CircleCI project in which the job is running. Its value is a string containing a UUID that uniquely identifies the CircleCI project. Use this to restrict access to specific CircleCI projects.
The following example trust policy uses the `oidc.circleci.com/project-id` claim to limit access to a role.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.circleci.com/org/12345"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.circleci.com/org/12345:aud": "sts.amazonaws.com",
"oidc.circleci.com/org/12345:oidc.circleci.com/project-id": "76543210-ba98-fedc-3210-edcba0987654"
}
}
}
]
}
```
------
#### [ Oracle Cloud Infrastructure (OCI) ]
This tab explains how Oracle Cloud Infrastructure maps OIDC claims to AWS STS condition context keys in AWS. You can use these keys to control access to a role. To do that, compare the **AWS STS condition keys** to the values in the **IdP JWT claim** column.
| AWS STS condition key | IdP JWT claim | Available in session |
| --- | --- | --- |
| rpst\$1id | rpst\$1id | No |
**rpst\$1id**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
**Example** – `oci-issuer-url:rpst_id`
This key uniquely identifies the resource principal in OCI. Use this to restrict access to specific OCI resource principals. The rpst\$1id (Resource Principal Session Token ID) provides a stable identifier for OCI resource-based authentication.
The following example trust policy uses the `rpst_id` claim to limit access to a role.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789012:oidc-provider/idcs-abc123ef5678901234abcd.identity.oraclecloud.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"idcs-abc123ef5678901234abcd.identity.oraclecloud.com:aud": "sts.amazonaws.com",
"idcs-abc123ef5678901234abcd.identity.oraclecloud.com:rpst_id": "your-rpst-id"
}
}
}
]
}
```
------
### More information about OIDC federation
+ [Amazon Cognito User Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
+ [OIDC federation](id_roles_providers_oidc.md)
## Available keys for SAML-based AWS STS federation
If you are working with [SAML-based federation](https://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html) using AWS Security Token Service (AWS STS), you can include additional condition keys in the policy.
### SAML role trust policies
In the trust policy of a role, you can include the following keys, which help you establish whether the caller is allowed to assume the role. Except for `saml:doc`, all the values are derived from the SAML assertion. All items in the list are available in the IAM console visual editor when you create or edit a policy with conditions. Items marked with `[]` *can* have a value that is a list of the specified type.
**saml:aud**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
An endpoint URL to which SAML assertions are presented. The value for this key comes from the `SAML Recipient` field in the assertion, *not *the `Audience` field.
**saml:commonName[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is a `commonName` attribute.
**saml:cn[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduOrg` attribute.
**saml:doc**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This represents the principal that was used to assume the role. The format is *account-ID*/*provider-friendly-name*, such as `123456789012/SAMLProviderName`. The *account-ID* value refers to the account that owns the [SAML provider](id_roles_providers_create_saml.md).
**saml:edupersonaffiliation[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduPerson` attribute.
**saml:edupersonassurance[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduPerson` attribute.
**saml:edupersonentitlement[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduPerson` attribute.
**saml:edupersonnickname[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduPerson` attribute.
**saml:edupersonorgdn**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduPerson` attribute.
**saml:edupersonorgunitdn[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduPerson` attribute.
**saml:edupersonprimaryaffiliation**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduPerson` attribute.
**saml:edupersonprimaryorgunitdn**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduPerson` attribute.
**saml:edupersonprincipalname**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduPerson` attribute.
**saml:edupersonscopedaffiliation[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduPerson` attribute.
**saml:edupersontargetedid[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduPerson` attribute.
**saml:eduorghomepageuri[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduOrg` attribute.
**saml:eduorgidentityauthnpolicyuri[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduOrg` attribute.
**saml:eduorglegalname[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduOrg` attribute.
**saml:eduorgsuperioruri[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduOrg` attribute.
**saml:eduorgwhitepagesuri[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `eduOrg` attribute.
**saml:givenName[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is a `givenName` attribute.
**saml:iss**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
The issuer, which is represented by a URN.
**saml:mail[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is a `mail` attribute.
**saml:name[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is a `name` attribute.
**saml:namequalifier**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
A hash value based on the friendly name of the SAML provider. The value is the concatenation of the following values, in order and separated by a '/' character:
1. The `Issuer` response value (`saml:iss`)
1. The `AWS` account ID
1. The friendly name (the last part of the ARN) of the SAML provider in IAM
The concatenation of the account ID and friendly name of the SAML provider is available to IAM policies as the key `saml:doc`. For more information, see [Uniquely identifying users in SAML-based federation](id_roles_providers_saml.md#CreatingSAML-userid).
**saml:organizationStatus[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `organizationStatus` attribute.
**saml:primaryGroupSID[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is a `primaryGroupSID` attribute.
**saml:sub**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is the subject of the claim, which includes a value that uniquely identifies an individual user within an organization (for example, `_cbb88bf52c2510eabe00c1642d4643f41430fe25e3`).
**saml:sub\$1type**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This key can have the value `persistent`, `transient`, or consist of the full `Format` URI from the `Subject` and `NameID` elements used in your SAML assertion. A value of `persistent` indicates that the value in `saml:sub` is the same for a user between sessions. If the value is `transient`, the user has a different `saml:sub` value for each session. For information about the `NameID` element's `Format` attribute, see [Configure SAML assertions for the authentication response](id_roles_providers_create_saml_assertions.md).
**saml:surname[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is a `surnameuid` attribute.
**saml:uid[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is a `uid` attribute.
**saml:x500UniqueIdentifier[]**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is an `x500UniqueIdentifier` attribute.
For general information about `eduPerson` and `eduOrg` attributes, see the [REFEDS Wiki website](https://wiki.refeds.org/display/STAN/eduPerson). For a list of `eduPerson` attributes, see [eduPerson Object Class Specification (201602)](https://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html).
Condition keys whose type is a list can include multiple values. To create conditions in the policy for list values, you can use [set operators](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys) (`ForAllValues`, `ForAnyValue`). For example, to allow any user whose affiliation is "faculty" or "staff" (but not "student"), you might use a condition like the following:
```
"Condition": {
"ForAllValues:StringLike": {
"saml:edupersonaffiliation":[ "faculty", "staff"]
}
}
```
## Cross-service SAML-based AWS STS federation context keys
Some SAML-based federation condition keys can be used in subsequent requests to authorize AWS operations in other services and `AssumeRole` calls. These are the following condition keys that can be used in role trust policies when federated principals assume another role, and in resource policies from other AWS services to authorize resource access by federated principals. For more information about using these keys, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html#CreatingSAML-userid).
Select a condition key to see the description.
+ [saml:namequalifier](#ck_saml-namequalifier)
+ [saml:sub](#ck_saml-sub)
+ [saml:sub_type](#ck_saml-subtype)
**Note**
No other SAML-based federation condition keys are available for use after the initial external identity provider (IdP) authentication response.
## Available keys for AWS STS
You can use the following condition keys in IAM role trust policies for roles that are assumed using AWS Security Token Service (AWS STS) operations.
**saml:sub**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
This is the subject of the claim, which includes a value that uniquely identifies an individual user within an organization (for example, `_cbb88bf52c2510eabe00c1642d4643f41430fe25e3`).
**sts:AWSServiceName**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Use this key to specify a service where a bearer token can be used. When you use this condition key in a policy, specify the service using a service principal. A service principal is the name of a service that can be specified in the `Principal` element of a policy. For example, `codeartifact.amazonaws.com` is the AWS CodeArtifact service principal.
**Availability** – This key is present in requests that get a bearer token. You cannot make a direct call to AWS STS to get a bearer token. When you perform some operations in other services, the service requests the bearer token on your behalf.
Some AWS services require that you have permission to get an AWS STS service bearer token before you can access their resources programmatically. For example, AWS CodeArtifact requires principals to use bearer tokens to perform some operations. The `aws codeartifact get-authorization-token` command returns a bearer token. You can then use the bearer token to perform AWS CodeArtifact operations. For more information about bearer tokens, see [Service bearer tokens](id_credentials_bearer.md).
You can use this condition key to allow principals to get a bearer token for use with a specific service.
**sts:DurationSeconds**
Works with [numeric operators](reference_policies_elements_condition_operators.md#Conditions_Numeric).
Use this key to specify the duration (in seconds) that a principal can use when getting an AWS AWS STS bearer token or a JSON Web Token from the [GetWebIdentityToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetWebIdentityToken.html) API.
**Availability** – This key is present in requests that get a bearer token or a JSON Web Token from the GetWebIdentityToken API. You cannot make a direct call to AWS STS to get a bearer token. When you perform some operations in other services, the service requests the bearer token on your behalf. The key is not applicable for AWS STS assume-role operations.
Some AWS services require that you have permission to get an AWS STS service bearer token before you can access their resources programmatically. For example, AWS CodeArtifact requires principals to use bearer tokens to perform some operations. The `aws codeartifact get-authorization-token` command returns a bearer token. You can then use the bearer token to perform AWS CodeArtifact operations. For more information about bearer tokens, see [Service bearer tokens](id_credentials_bearer.md).
**sts:IdentityTokenAudience**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Use this key to specify the audience for which an IAM principal can request JSON Web Tokens (JWTs) using the [GetWebIdentityToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetWebIdentityToken.html) API. When this condition key is present in an IAM policy, IAM principals can only request tokens for the audiences specified in the policy. External services validate the audience ("aud") claim in the JSON Web Token to ensure the token was intended for them.
**Availability** – This key is present in requests to the GetWebIdentityToken API which is used to obtain JSON Web Tokens (JWTs) for authentication with external services.
When you use this condition key in a policy, specify the audience value that matches the intended recipient's identifier (for example, https://api.example.com).
The following example policy allows a principal to request tokens for the specified external services:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:GetWebIdentityToken",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"sts:IdentityTokenAudience": [
"https://api2.example.com",
"https://api1.example.com"
]
}
}
}
]
}
```
**sts:SigningAlgorithm**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Use this key to specify the cryptographic algorithm AWS AWS STS uses to sign JSON Web Tokens (JWTs) generated by the [GetWebIdentityToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetWebIdentityToken.html) API. When you use this condition key in a policy, specify either ES384 (ECDSA with P-384 curve and SHA-384) or RS256 (RSA with SHA-256).
**Availability** – This key is present in requests to the GetWebIdentityToken API which is used to obtain JSON Web Tokens (JWTs) for authentication with external services.
You can use this condition key to enforce that IAM principals request tokens using signing algorithms compatible with your security requirements or the external services you integrate with. ES384 provides optimal security and performance, while RS256 offers broader compatibility with systems that do not support ECDSA.
The following example policy requires principals to use the ES384 signing algorithm:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:GetWebIdentityToken",
"Resource": "*",
"Condition": {
"StringEquals": {
"sts:SigningAlgorithm": "ES384"
}
}
}
]
}
```
**sts:ExternalId**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Use this key to require that a principal provide a specific identifier when assuming an IAM role.
**Availability** – This key is present in the request when the principal provides an external ID while assuming a role using the AWS CLI or AWS API.
A unique identifier that might be required when you assume a role in another account. If the administrator of the account to which the role belongs provided you with an external ID, then provide that value in the `ExternalId` parameter. This value can be any string, such as a passphrase or account number. The primary function of the external ID is to address and prevent the confused deputy problem. For more information about the external ID and the confused deputy problem, see [Access to AWS accounts owned by third parties](id_roles_common-scenarios_third-party.md).
The `ExternalId` value must have a minimum of 2 characters and a maximum of 1,224 characters. The value must be alphanumeric without white space. It can also include the following symbols: plus (\$1), equal (=), comma (,), period (.), at (@), colon (:), forward slash (/), and hyphen (-).
**sts:RequestContext/*context-key***
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Use this key to compare the session context key-value pairs that are embedded in the trusted token issuer signed context assertion passed in the request with the context key-values specified in the role trust policy.
**Availability** – This key is present in the request when a context assertion is provided in the `ProvidedContexts` request parameter while assuming a role using the AWS STS [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API operation.
This context key is formatted as `"sts:RequestContext/context-key":"context-value"` where `context-key` and `context-value` are a context key-value pair. When multiple context keys are embedded in the signed context assertion passed in the request, there is one context key for each key-value pair. You must grant permission for the `sts:SetContext` action in the role trust policy to allow a principal to set context keys within the resulting session token. To learn more about the supported IAM Identity Center context keys that can be used with this key, see [AWS STS condition keys for IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/condition-context-keys-sts-idc.html) in the *AWS IAM Identity Center User Guide*.
You can use this key in a role trust policy to enforce fine-grained access control based on the user or their attributes when they assume a role. After the role is assumed, activity appears in the AWS CloudTrail logs within the `AdditionalEventData` attribute, containing the session context key-value pairs that were set by the context provider in the assume role request. This makes it easier for administrators to differentiate between role sessions when a role is used by different principals. The key-value pairs are set by the specified context provider, not by AWS CloudTrail or AWS STS. This gives the context provider control over what context is included in the CloudTrail logs and session information.
**sts:RequestContextProviders**
Works with [ARN operators](reference_policies_elements_condition_operators.md#Conditions_ARN).
Use this key to compare the context provider ARN in the request with the context provider ARN specified in the role trust policy.
**Availability** – This key is present in the request when a context assertion is provided in the `ProvidedContexts` request parameter while assuming a role using the AWS STS [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API operation.
The following example condition checks that the context provider ARN passed in the request matches the ARN specified in the role trust policy condition. We recommend you add a null check with `ForAllValues` to prevent missing context keys or context keys with empty values from evaluating to true. For details, see [Condition operator to check existence of condition keys](reference_policies_elements_condition_operators.md#Conditions_Null).
****
```
{
"Version":"2012-10-17",
"Statement": {
"Action": "sts:SetContext",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"ForAllValues:ArnEquals": {
"sts:RequestContextProviders": [
"arn:aws:iam::aws:contextProvider/IdentityCenter"
]
},
"Null": {
"sts:RequestContextProviders": "false"
}
}
}
}
```
**sts:RoleSessionName**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Use this key to compare the session name that a principal specifies when assuming a role with the value that is specified in the policy.
**Availability** – This key is present in the request when the principal assumes the role using the AWS Management Console, any assume-role CLI command, or any AWS STS `AssumeRole` API operation.
You can use this key in a role trust policy to require that your users provide a specific session name when they assume a role. For example, you can require that IAM users specify their own user name as their session name. After the IAM user assumes the role, activity appears in [AWS CloudTrail logs](cloudtrail-integration.md#cloudtrail-integration_signin-tempcreds) with the session name that matches their user name. This makes it easier for administrators to differentiate between role sessions when a role is used by different principals.
The following role trust policy requires that IAM users in account `111122223333` provide their IAM user name as the session name when they assume the role. This requirement is enforced using the `aws:username` [condition variable](reference_policies_variables.md) in the condition key. This policy allows IAM users to assume the role to which the policy is attached. This policy does not allow anyone using temporary credentials to assume the role because the `username` variable is present for only IAM users.
You can use any single-valued condition key as a [variable](reference_policies_variables.md). You can't use a multivalued condition key as a variable.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "RoleTrustPolicyRequireUsernameForSessionName",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {"AWS": "arn:aws:iam::111122223333:root"},
"Condition": {
"StringLike": {"sts:RoleSessionName": "prefix-${aws:username}"}
}
}
]
}
```
When an administrator views the AWS CloudTrail log for an action, they can compare the session name to the user names in their account. In the following example, the user named `matjac` performed the operation using the role named `MateoRole`. The administrator can then contact Mateo Jackson, who has the user named `matjac`.
```
"assumedRoleUser": {
"assumedRoleId": "AROACQRSTUVWRAOEXAMPLE:matjac",
"arn": "arn:aws:sts::111122223333:assumed-role/MateoRole/matjac"
}
```
If you allow [cross-account access using roles](id_roles_common-scenarios_aws-accounts.md), then users in one account can assume a role in another account. The ARN of the assumed role user listed in CloudTrail includes the account *where the role exists*. It does not include the account of the user that assumed the role. Users are unique only within an account. Therefore, we recommend that you use this method for checking CloudTrail logs only for roles that are assumed by users in accounts that you administer. Your users might use the same user name in multiple accounts.
**sts:SourceIdentity**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Use this key to compare the source identity that a principal specifies when assuming a role with the value that is specified in the policy.
**Availability** – This key is present in the request when the principal provides a source identity while assuming a role using any AWS STS assume-role CLI command, or AWS STS `AssumeRole` API operation.
You can use this key in a role trust policy to require that your users set a specific source identity when they assume a role. For example, you can require your workforce or federated identities to specify a value for source identity. You can configure your identity provider (IdP) to use one of the attributes that are associated with your users, like a user name or email as the source identity. The IdP then passes the source identity as an attribute in the assertions or claims that it sends to AWS. The value of the source identity attribute identifies the user or application who is assuming the role.
After the user assumes the role, activity appears in [AWS CloudTrail logs](cloudtrail-integration.md#cloudtrail-integration_signin-tempcreds) with the source identity value that was set. This makes it easier for administrators to determine who or what performed actions with a role in AWS. You must grant permissions for the `sts:SetSourceIdentity` action to allow an identity to set a source identity.
Unlike [`sts:RoleSessionName`](#ck_rolesessionname), after the source identity is set, the value cannot be changed. It is present in the request context for all actions taken with the role by the source identity. The value persists into subsequent role sessions when you use the session credentials to assume another role. Assuming one role from another is called [role chaining](id_roles.md#iam-term-role-chaining).
You can use the [`aws:SourceIdentity`](reference_policies_condition-keys.md#condition-keys-sourceidentity) global condition key to further control access to AWS resources based on the value of source identity in subsequent requests.
The following role trust policy allows the IAM user `AdminUser` to assume a role in account `111122223333`. It also grants permission to the `AdminUser` to set a source identity, as long as the source identity set is `DiegoRamirez`.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAdminUserAssumeRole",
"Effect": "Allow",
"Principal": {"AWS": " arn:aws:iam::111122223333:user/AdminUser"},
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity"
],
"Condition": {
"StringEquals": {"sts:SourceIdentity": "DiegoRamirez"}
}
}
]
}
```
To learn more about using source identity information, see [Monitor and control actions taken with assumed roles](id_credentials_temp_control-access_monitor.md).
**sts:TaskPolicyArn**
Works with [ARN operators](reference_policies_elements_condition_operators.md#Conditions_ARN).
Use this key to compare the policy ARN in an [sts:AssumeRoot](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html) request with the policy ARN specified in the policy.
**Availability** – This key is present in the request when you make a request using [sts:AssumeRoot](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html).
Administrators can use this condition key in IAM policies to restrict specific roles or users within the management account or delegated administrator account from performing certain actions when assuming root credentials. For more information, see [Perform a privileged task on an AWS Organizations member account](id_root-user-privileged-task.md).
**sts:TransitiveTagKeys**
Works with [string operators](reference_policies_elements_condition_operators.md#Conditions_String).
Use this key to compare the transitive session tag keys in the request with those specified in the policy.
**Availability** – This key is present in the request when you make a request using temporary security credentials. These include credentials created using any assume-role operation, or the `GetFederationToken` operation.
When you make a request using temporary security credentials, the [request context](reference_policies_elements_condition.md#AccessPolicyLanguage_RequestContext) includes the `aws:PrincipalTag` context key. This key includes a list of [session tags](id_session-tags.md), [transitive session tags](id_session-tags.md#id_session-tags_role-chaining), and role tags. Transitive session tags are tags that persist into all subsequent sessions when you use the session credentials to assume another role. Assuming one role from another is called [role chaining](id_roles.md#iam-term-role-chaining).
You can use this condition key in a policy to require setting specific session tags as transitive when assuming a role or federating a user.
# Actions, resources, and condition keys for AWS services
Each AWS service can define actions, resources, and condition context keys for use in IAM policies. For a list of AWS services and their actions, resources, and condition context keys, see [Actions, resources, and condition keys ](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference.*