IAM policy elements: Condition

The Condition element (or Condition block) lets you specify conditions for when a policy is in effect.
The Condition element is optional.
In the Condition element, you build expressions in which you use condition operators (equal, less than, etc.) to match the condition keys and values in the policy against keys and values in the request context.

{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowRemoveMfaOnlyIfRecentMfa",
        "Effect": "Allow",
        "Action": [
            "iam:DeactivateMFADevice",
            "iam:DeleteVirtualMFADevice"
        ],
        "Resource": "arn:aws:iam::*:user/${aws:username}",
        "Condition": {
            "NumericLessThanEquals": {"aws:MultiFactorAuthAge": "3600"}
        }
    }
}

The request context can return the following values:
- True - If the requester signed in using MFA in the last one hour or less, then the condition returns true.
- False - If the requester signed in using MFA more than one hour ago, then the condition returns false.
- Not present - If the requester made a request using their IAM user access keys in the AWS CLI or AWS API, the key is not present.

PreviousPolicy elements: Principal and NotPrincipal NextSecurity Token Service (STS)

Last updated 5 years ago