You can use conditions to make a policy statement take effect only when values in the request meet the criteria you specify. Conditions consist of operators and key-value pairs.
A Condition element can contain multiple conditions (one per operator), and each condition can contain multiple key-value pairs. The condition block uses the following format:

```
Condition: { condition_type: { condition_key: condition_values } }
```
In the following example, the IpAddress condition uses the SourceIp condition key.
```json
"Condition": {
    "IpAddress": {
        "sgws:SourceIp": "54.240.143.0/24"
        ...
    },
    ...
}
```
Condition operators | Description |
---|---|
StringEquals | Compares a key to a string value based on exact equality (case sensitive). |
StringNotEquals | Compares a key to a string value based on exact non-equality (case sensitive). |
StringEqualsIgnoreCase | Compares a key to a string value based on exact equality (ignores case). |
StringNotEqualsIgnoreCase | Compares a key to a string value based on exact non-equality (ignores case). |
StringLike | Compares a key to a string pattern and provides access if the pattern matches (case sensitive). The pattern can include the * and ? wildcard characters. |
StringNotLike | Compares a key to a string pattern and provides access to everything except values that match the pattern (case sensitive). The pattern can include the * and ? wildcard characters. |
NumericEquals | Compares a key to a numeric value and provides access if there is an exact match. |
NumericNotEquals | Compares a key to a numeric value and provides access to all except the specified value. |
NumericGreaterThan | Compares a key to a numeric value and provides access if the key is greater than the value. |
NumericGreaterThanEquals | Compares a key to a numeric value and provides access if the key is greater than or equal to the value. |
NumericLessThan | Compares a key to a numeric value and provides access if the key is less than the value. |
NumericLessThanEquals | Compares a key to a numeric value and provides access if the key is less than or equal to the value. |
Bool | Compares a key to a Boolean value and provides access if the true/false values match. |
IpAddress | Compares a key to an IP address or range of IP addresses and provides access if there is a match. |
NotIpAddress | Compares a key to an IP address or range of IP addresses and provides access to all addresses except the specified ones. |
Null | Checks if a condition key is present in the current request context. |
Category | Applicable condition keys | Description |
---|---|---|
IP operators | sgws:SourceIp | Compared to the IP address from which the request was sent. Can be used for bucket or object operations. |
Resource/Identity | sgws:username | Compared to the username of the sender from which the request was sent. Can be used for bucket or object operations. |
S3:ListBucket and S3:ListBucketVersions permissions | s3:delimiter | Compared to the delimiter parameter specified in a GET Bucket or GET Bucket Object versions request. |
S3:ListBucket and S3:ListBucketVersions permissions | s3:max-keys | Compared to the max-keys parameter specified in a GET Bucket or GET Bucket Object versions request. |
S3:ListBucket and S3:ListBucketVersions permissions | s3:prefix | Compared to the prefix parameter specified in a GET Bucket or GET Bucket Object versions request. |
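To make the two tables concrete, here is an added example (not StorageGRID code) that evaluates a Condition element built from the operators and condition keys above against a request context. It assumes the usual IAM-style semantics, which this page does not spell out: every operator block must match (AND), several values listed for one key are alternatives (OR), and a key absent from the request context fails every operator except Null. The request context values are constructed.

```python
import fnmatch
import ipaddress

# Added example, not StorageGRID code; simplified IAM-style condition semantics.
STRING = {  # request value and policy value are both compared as strings
    "StringEquals": lambda a, w: a == w,
    "StringNotEquals": lambda a, w: a != w,
    "StringEqualsIgnoreCase": lambda a, w: a.lower() == w.lower(),
    "StringNotEqualsIgnoreCase": lambda a, w: a.lower() != w.lower(),
    "StringLike": lambda a, w: fnmatch.fnmatchcase(a, w),       # * and ? wildcards
    "StringNotLike": lambda a, w: not fnmatch.fnmatchcase(a, w),
    "Bool": lambda a, w: a.lower() == w.lower(),
}
NUMERIC = {  # both sides are parsed as numbers before comparison
    "NumericEquals": lambda a, w: a == w, "NumericNotEquals": lambda a, w: a != w,
    "NumericGreaterThan": lambda a, w: a > w, "NumericGreaterThanEquals": lambda a, w: a >= w,
    "NumericLessThan": lambda a, w: a < w, "NumericLessThanEquals": lambda a, w: a <= w,
}

def _match(op, key, wanted, ctx):
    """Evaluate one operator against one condition key and one policy value."""
    if op == "Null":  # Null only tests whether the key is present in the request
        return (key not in ctx) == (wanted.lower() == "true")
    if key not in ctx:  # assumption: a missing key fails every other operator
        return False
    actual = ctx[key]
    if op in STRING:
        return STRING[op](actual, wanted)
    if op in NUMERIC:
        return NUMERIC[op](float(actual), float(wanted))
    if op in ("IpAddress", "NotIpAddress"):  # wanted is a single IP or a CIDR range
        hit = ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
        return hit if op == "IpAddress" else not hit
    raise ValueError(f"unknown condition operator: {op}")

def condition_matches(condition, ctx):
    """True only if every operator/key pair matches; multiple values for a key are ORed."""
    for op, pairs in condition.items():
        for key, values in pairs.items():
            values = values if isinstance(values, list) else [values]
            if not any(_match(op, key, v, ctx) for v in values):
                return False
    return True

# Constructed sample: the page's SourceIp condition plus listing-related keys.
SAMPLE_CONDITION = {
    "IpAddress": {"sgws:SourceIp": "54.240.143.0/24"},
    "StringLike": {"s3:prefix": ["reports/*", "logs/*"]},
    "NumericLessThanEquals": {"s3:max-keys": "1000"},
    "Null": {"sgws:username": "false"},
}
```

Call `condition_matches(SAMPLE_CONDITION, request_context)` with a dict of condition keys to request values; a request from outside 54.240.143.0/24, with a prefix outside the two wildcards, or with max-keys above 1000 is rejected.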