IAM Conditions

aws:SourceIp

  • EXPLICITLY ALLOW access to AWS based on the source IP address the API calls are made from.

aws:RequestedRegion

  • EXPLICITLY ALLOW access to AWS based on the region the API calls are made against.

Resource Tags

  • You can use conditions in your IAM policies to control access to AWS resources based on the tags on that resource.

  • You can do this using the global aws:ResourceTag/tag-key condition key, or a service-specific key such as iam:ResourceTag/tag-key.

    • Some services, such as IAM, support only the service-specific version of this key and not the global version.

  • For example, the policy in the image that accompanied this note says:

    • Allow the identity to start and stop EC2 instances only if the instance's Owner tag has the value of that user's user name.

    • The policy also grants the permissions needed to complete this action in the AWS Management Console.

aws:MultiFactorAuthPresent

  • In some cases, you might want the additional security of requiring users to be authenticated with AWS multi-factor authentication (MFA) before you allow them to perform sensitive actions.
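Added example (not from the original note) combining the four condition keys above into one identity-based policy: the first statement allows start/stop only on instances whose Owner tag matches the caller's user name, only with MFA present, only from the 203.0.113.0/24 range (an assumed corporate block taken from the documentation address space) and only in eu-west-1 (assumed); the second statement grants the describe permission the console needs to list instances.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartStopOwnInstancesWithMfaFromOffice",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Owner": "${aws:username}",
          "aws:RequestedRegion": "eu-west-1"
        },
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        },
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Sid": "DescribeInstancesForConsole",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
```

Every key inside one Condition block must match (logical AND), and a Bool test on aws:MultiFactorAuthPresent simply fails to match when the key is absent, which is the safe outcome for an Allow statement. Be aware that aws:SourceIp does not match calls an AWS service makes on the principal's behalf (for example from CloudFormation), so an IP condition can block such workflows.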
