IAM Conditions

  • EXPLICITLY ALLOW access to AWS based on the source IP of the API calls.
  • EXPLICITLY ALLOW access to AWS based on the regions of the API calls.

Resource Tags

  • You can use conditions in your IAM policies to control access to AWS resources based on the tags on that resource.
  • You can do this using the global aws:ResourceTag/tag-key condition key, or a service-specific key such as iam:ResourceTag/tag-key.
    • Some services, such as IAM, support only the service-specific version of this key and not the global version.
  • For example, the policy shown in the image below (the image itself is not reproduced in this text) says:
    • Allow the identity to Start and Stop EC2 Instances only if the instance tag Owner has the value of that user's user name.
    • This policy also grants the necessary permissions to complete this action on the console.
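The tag-scoped policy described above, written out as an added example (it is not the policy image from the original notes). It also folds in the source-IP and region conditions from the first section: the IP range 203.0.113.0/24 and the region us-east-1 are placeholder assumptions, the Owner tag key and the `${aws:username}` policy variable are standard IAM features, and the second statement supplies the ec2:DescribeInstances permission the console needs to list instances.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartStopOnlyOwnInstancesFromOfficeInRegion",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Owner": "${aws:username}",
          "aws:RequestedRegion": "us-east-1"
        },
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Sid": "ListInstancesForConsole",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
```

ec2:DescribeInstances does not support resource-level permissions, so its Resource must be "*"; and aws:SourceIp reflects the public IP seen by AWS, so calls that arrive through a VPC endpoint or are made by an AWS service on the user's behalf will not match the IpAddress condition.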


  • In some cases, you might want the additional security of requiring users to be authenticated with AWS multi-factor authentication (MFA) before you allow them to perform sensitive actions.