IAM Conditions
aws:SourceIp
Explicitly allow (or deny) access to AWS based on the source IP address of the API call. The key holds the public IP the request arrives from. It is not present when the request comes in through a VPC endpoint (use aws:VpcSourceIp for that path) or when an AWS service makes the call on your behalf, so a broad Deny keyed on aws:SourceIp must be paired with aws:ViaAWSService or it will break service-initiated calls.
aws:RequestedRegion
Explicitly allow (or deny) access to AWS based on the Region the API call is made to. Global services still report a Region in this key (IAM, for example, reports us-east-1), so a Region allowlist written as a Deny has to carve those services out with NotAction or it will lock you out of them.
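A policy that uses both keys as explicit denies, added here as an example and not taken from the original page. The IP ranges are RFC 5737 documentation addresses standing in for a corporate egress range, the Region list is an assumption, and the NotAction list is only a starting point that must be extended with every global service the account actually uses:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideCorporateEgress",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["203.0.113.0/24", "198.51.100.17/32"]
        },
        "Bool": {
          "aws:ViaAWSService": "false"
        }
      }
    },
    {
      "Sid": "DenyOutsideAllowedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "ec2:DescribeRegions"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
        }
      }
    }
  ]
}
```

Both conditions in the first statement must match for the deny to fire, so a call that CloudFormation or another service makes for the principal (aws:ViaAWSService is true) is not blocked even though it does not carry the corporate IP. Requests that reach a service through a VPC endpoint do not carry aws:SourceIp at all, so test this deny against every VPC-endpoint path in the account before attaching it; if those paths matter, key a separate statement on aws:VpcSourceIp instead. In the second statement, NotAction is what keeps IAM usable: without it, IAM calls (reported as us-east-1) would be denied because us-east-1 is not in the allowlist.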
You can use conditions in your IAM policies to control access to AWS resources based on the tags on that resource.
You can do this using the global aws:ResourceTag/tag-key condition key, or a service-specific key such as iam:ResourceTag/tag-key.
Some services, such as IAM, support only the service-specific version of this key and not the global version.
For example, the policy shown on the original page as an image says:
Allow the identity to start and stop EC2 instances only if the instance's Owner tag has the value of that user's user name.
The policy also grants the describe permission the console needs to list instances, so the action can be completed from the console as well as the API.
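The policy the image describes, written out as an added example rather than copied from the original page. It uses the EC2 service-specific tag key; the Sids and the choice of ec2:DescribeInstances as the console-support permission are assumptions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartStopOnlyOwnedInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "${aws:username}"
        }
      }
    },
    {
      "Sid": "ListInstancesForConsole",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
```

Two things to check before relying on this. ${aws:username} is only populated for IAM users; for a role or federated session the variable is empty, the StringEquals fails and the Allow silently grants nothing, so session-based principals need a different comparison such as ${aws:PrincipalTag/Owner}. And ec2:DescribeInstances does not support resource-level permissions, which is why its Resource is "*" rather than the instance ARN: the tag condition cannot be applied to the listing, only to the start and stop calls.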
aws:MultiFactorAuthPresent
In some cases, you might want the additional security of requiring users to be authenticated with AWS multi-factor authentication (MFA) before you allow them to perform sensitive actions. The aws:MultiFactorAuthPresent key is true when the temporary credentials in use were obtained with MFA; it is absent, not false, for requests signed with an IAM user's long-term access keys, which changes how the condition must be written.
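A deny-without-MFA policy, added as an example and not part of the original page. The action list is an assumed set of sensitive operations; substitute the ones that matter in your account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySensitiveActionsWithoutMfa",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteUser",
        "iam:CreateAccessKey",
        "ec2:TerminateInstances",
        "s3:DeleteBucket",
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

BoolIfExists is the important part. Because the key is missing from requests made with long-term access keys, a plain "Bool": {"aws:MultiFactorAuthPresent": "false"} would not match those requests and the Deny would not apply to exactly the credentials you most want it to cover; BoolIfExists treats a missing key as a match. The mirror-image mistake is "BoolIfExists": {"aws:MultiFactorAuthPresent": "true"} inside an Allow, which grants access to every long-term-key request for the same reason. Keep the MFA check in a Deny with false, and use aws:MultiFactorAuthAge if you also need the MFA to be recent.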