Specifying conditions in a policy

You can use conditions to allow policies to take effect based on request values. Conditions consist of operators and key-value pairs.

Conditions are evaluated against key-value pairs. A Condition element can contain multiple condition operators, and each operator can contain multiple key-value pairs. The condition block uses the following format:

Condition: {
     condition_type: {
          condition_key: condition_values
     }
}
In the following example, the IpAddress condition operator uses the sgws:SourceIp condition key.

"Condition": {
    "IpAddress": {
        "sgws:SourceIp": "54.240.143.0/24"
    }
    ...
},
...

Supported condition operators

Condition operators are categorized as follows:
  • String
  • Numeric
  • Boolean
  • IP address
  • Null check
Condition operator           Description
StringEquals                 Compares a key to a string value based on exact equality (case sensitive).
StringNotEquals              Compares a key to a string value based on exact non-equality (case sensitive).
StringEqualsIgnoreCase       Compares a key to a string value based on exact equality (ignores case).
StringNotEqualsIgnoreCase    Compares a key to a string value based on exact non-equality (ignores case).
StringLike                   Compares a key to a string value and provides access if there is an exact match (case sensitive). Can include the * and ? wildcard characters.
StringNotLike                Compares a key to a string value and provides access to all except the specified string (case sensitive). Can include the * and ? wildcard characters.
NumericEquals                Compares a key to a numeric value and provides access if there is an exact match.
NumericNotEquals             Compares a key to a numeric value and provides access to all except the specified value.
NumericGreaterThan           Compares a key to a numeric value and provides access if the key is greater than the value.
NumericGreaterThanEquals     Compares a key to a numeric value and provides access if the key is greater than or equal to the value.
NumericLessThan              Compares a key to a numeric value and provides access if the key is less than the value.
NumericLessThanEquals        Compares a key to a numeric value and provides access if the key is less than or equal to the value.
Bool                         Compares a key to a Boolean value and provides access based on a true or false match.
IpAddress                    Compares a key to an IP address value and provides access if there is a match to the specified IP address or range of IP addresses.
NotIpAddress                 Compares a key to an IP address value and provides access to all addresses except the specified IP address or range of IP addresses.
Null                         Checks whether a condition key is present in the current request context.

Supported condition keys

Category                  Applicable condition key   Description
IP operators              sgws:SourceIp              Compares to the IP address from which the request was sent. Can be used for bucket or object operations.
Resource/Identity         sgws:username              Compares to the username of the sender from which the request was sent. Can be used for bucket or object operations.
S3:ListBucket and         s3:delimiter               Compares to the delimiter parameter specified in a GET Bucket or GET Bucket Object versions request.
S3:ListBucketVersions     s3:max-keys                Compares to the max-keys parameter specified in a GET Bucket or GET Bucket Object versions request.
permissions               s3:prefix                  Compares to the prefix parameter specified in a GET Bucket or GET Bucket Object versions request.
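The following is an added example, not code from the StorageGRID documentation: a small Python evaluator that ties together the Condition block format from the top of the page, the operator table and the condition-key table. It applies a constructed policy, built only from the keys documented above, to several constructed request contexts so you can see which operator rejects each request. Everything not stated on the page is an assumption and is marked as such in the code: that operators within one Condition block are ANDed, that a list of values under one key is ORed, that a missing key fails a positive operator but satisfies a negated one, and the urn:sgws:s3::: resource format.

```python
"""Added example (not from the StorageGRID docs): evaluator for the
Condition block format and the operators/keys listed on this page.
ASSUMED, not stated on the page: AND across operators, OR across a list
of values, missing key fails positive but satisfies negated operators."""
import ipaddress
import json
import re


def wildcard_match(value, pattern):
    # StringLike: '*' matches any run of characters, '?' exactly one character
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


# Positive operators from the table; each takes (request value, policy value).
POSITIVE = {
    "StringEquals": lambda v, c: v == c,
    "StringEqualsIgnoreCase": lambda v, c: v.lower() == c.lower(),
    "StringLike": wildcard_match,
    "NumericEquals": lambda v, c: float(v) == float(c),
    "NumericGreaterThan": lambda v, c: float(v) > float(c),
    "NumericGreaterThanEquals": lambda v, c: float(v) >= float(c),
    "NumericLessThan": lambda v, c: float(v) < float(c),
    "NumericLessThanEquals": lambda v, c: float(v) <= float(c),
    "Bool": lambda v, c: str(v).lower() == str(c).lower(),
    "IpAddress": lambda v, c: ipaddress.ip_address(v) in ipaddress.ip_network(c, strict=False),
}
# Negated operators: the request value must match NONE of the listed values.
NEGATED = {
    "StringNotEquals": "StringEquals",
    "StringNotEqualsIgnoreCase": "StringEqualsIgnoreCase",
    "StringNotLike": "StringLike",
    "NumericNotEquals": "NumericEquals",
    "NotIpAddress": "IpAddress",
}


def evaluate_condition(condition, ctx):
    """True only when every operator/key pair in the block is satisfied."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            values = [values] if isinstance(values, str) else list(values)
            if operator == "Null":
                # "true" requires the key to be absent, "false" requires it present
                if (key in ctx) == (values[0].lower() == "true"):
                    return False
            elif key not in ctx:
                if operator not in NEGATED:  # assumed: absent key fails positive ops
                    return False
            elif operator in NEGATED:
                if any(POSITIVE[NEGATED[operator]](ctx[key], v) for v in values):
                    return False
            elif not any(POSITIVE[operator](ctx[key], v) for v in values):
                return False
    return True


def is_allowed(policy, action, ctx):
    """Default deny; a matching Deny statement overrides any Allow."""
    effects = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if (any(wildcard_match(action, a) for a in actions)
                and evaluate_condition(stmt.get("Condition", {}), ctx)):
            effects.add(stmt["Effect"])
    return "Allow" in effects and "Deny" not in effects


# Constructed policy: listing only from two networks, under reports/, with a
# bounded page size, by a known user. Resource URN format is assumed.
POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
     "Resource": "urn:sgws:s3:::example-bucket",
     "Condition": {
       "IpAddress": {"sgws:SourceIp": ["54.240.143.0/24", "10.0.0.0/8"]},
       "StringLike": {"s3:prefix": "reports/*"},
       "NumericLessThanEquals": {"s3:max-keys": "1000"},
       "Null": {"sgws:username": "false"}}},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "urn:sgws:s3:::example-bucket",
     "Condition": {"StringNotEquals": {"sgws:username": ["alice", "bob"]}}}
  ]
}""")

# Constructed request contexts using the condition keys documented on the page.
GOOD = {"sgws:SourceIp": "54.240.143.17", "sgws:username": "alice",
        "s3:prefix": "reports/2024/", "s3:max-keys": "500"}
REQUESTS = {
    "in-range": GOOD,
    "outside-network": {**GOOD, "sgws:SourceIp": "203.0.113.5"},
    "wrong-prefix": {**GOOD, "s3:prefix": "secrets/"},
    "unknown-user": {**GOOD, "sgws:username": "mallory"},
    "anonymous": {k: v for k, v in GOOD.items() if k != "sgws:username"},
}

if __name__ == "__main__":
    for name, ctx in REQUESTS.items():
        print(f"{name:16} s3:ListBucket -> {is_allowed(POLICY, 's3:ListBucket', ctx)}")
```

Only the first request is allowed. The "anonymous" case is the one worth studying: the Allow statement already fails on the Null check, and under the assumed missing-key rule the Deny statement's StringNotEquals also fires, so a negated operator in a Deny statement can reject requests that never carried the key at all. Verify that rule against the StorageGRID behaviour you observe before relying on it.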