Conditions define when a policy will be in effect. Conditions consist of operators and key-value pairs.
A Condition element can contain multiple conditions, and each condition can contain multiple key-value pairs that are evaluated against the request. The condition block uses the following format:

```json
"Condition": {
  "condition_type": {
    "condition_key": "condition_values"
  }
}
```

In the following example, the IpAddress condition uses the aws:SourceIp condition key:

```json
"Condition": {
  "IpAddress": {
    "aws:SourceIp": "54.240.143.0/24"
    ...
  },
  ...
```
| Condition operator | Description |
|---|---|
| StringEquals | Compares a key to a string value based on exact matching (case sensitive). |
| StringNotEquals | Compares a key to a string value based on negated matching (case sensitive). |
| StringEqualsIgnoreCase | Compares a key to a string value based on exact matching (ignores case). |
| StringNotEqualsIgnoreCase | Compares a key to a string value based on negated matching (ignores case). |
| StringLike | Compares a key to a string value based on case-sensitive pattern matching. The value can include the * and ? wildcard characters. |
| StringNotLike | Compares a key to a string value based on negated, case-sensitive pattern matching. The value can include the * and ? wildcard characters. |
| NumericEquals | Compares a key to a numeric value based on exact matching. |
| NumericNotEquals | Compares a key to a numeric value based on negated matching. |
| NumericGreaterThan | Compares a key to a numeric value based on greater-than matching. |
| NumericGreaterThanEquals | Compares a key to a numeric value based on greater-than-or-equal matching. |
| NumericLessThan | Compares a key to a numeric value based on less-than matching. |
| NumericLessThanEquals | Compares a key to a numeric value based on less-than-or-equal matching. |
| Bool | Compares a key to a Boolean value based on true or false matching. |
| IpAddress | Compares a key to an IP address or range of IP addresses. |
| NotIpAddress | Compares a key to an IP address or range of IP addresses based on negated matching. Attention: If you use the NotIpAddress operator to specify an array (not a range) of IP addresses, the condition is always true, because the key does not equal at least one of the IP addresses. For this reason, if the statement has an Effect of Deny, access will be denied to all IP addresses in the array. |
| Null | Checks whether a condition key is present in the current request context. |
| Category | Applicable condition keys | Description |
|---|---|---|
| IP operators | aws:SourceIp | Compares to the IP address from which the request was sent. Can be used for bucket or object operations. Note: If the S3 request was sent through the Load Balancer service on Admin Nodes and Gateway Nodes, this compares to the IP address upstream of the Load Balancer service. Note: If a third-party, non-transparent load balancer is used, this compares to the IP address of that load balancer. Any X-Forwarded-For header is ignored, because its validity cannot be verified. |
| Resource/Identity | aws:username | Compares to the username of the sender of the request. Can be used for bucket or object operations. |
| S3:ListBucket and S3:ListBucketVersions permissions | s3:delimiter | Compares to the delimiter parameter specified in a GET Bucket or GET Bucket Object versions request. |
| S3:ListBucket and S3:ListBucketVersions permissions | s3:max-keys | Compares to the max-keys parameter specified in a GET Bucket or GET Bucket Object versions request. |
| S3:ListBucket and S3:ListBucketVersions permissions | s3:prefix | Compares to the prefix parameter specified in a GET Bucket or GET Bucket Object versions request. |
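To make the operator semantics concrete, the following is an added example (my own code, not part of StorageGRID or this documentation) that evaluates a Condition block against a request context built from the keys in the tables above. The function and table names (`evaluate_condition`, `OPERATORS`) are my own, and the handling of a key that is missing from the request context is a simplifying assumption; it also reproduces the documented NotIpAddress array pitfall, because values listed under one key are ORed.

```python
import ipaddress
import re

# Added example, not StorageGRID code: a minimal evaluator for the Condition
# block described above. Values listed under one key are ORed (which is why a
# NotIpAddress array is always true, as the table warns); different keys and
# operators are ANDed. Simplifying assumption: a key missing from the request
# context fails every operator except Null.

def _like(pattern, value):
    # Policy wildcards only: * matches any run of characters, ? matches one
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

OPERATORS = {
    "StringEquals": lambda a, e: a == e,
    "StringNotEquals": lambda a, e: a != e,
    "StringEqualsIgnoreCase": lambda a, e: a.lower() == e.lower(),
    "StringNotEqualsIgnoreCase": lambda a, e: a.lower() != e.lower(),
    "StringLike": lambda a, e: _like(e, a),
    "StringNotLike": lambda a, e: not _like(e, a),
    "NumericEquals": lambda a, e: float(a) == float(e),
    "NumericNotEquals": lambda a, e: float(a) != float(e),
    "NumericGreaterThan": lambda a, e: float(a) > float(e),
    "NumericGreaterThanEquals": lambda a, e: float(a) >= float(e),
    "NumericLessThan": lambda a, e: float(a) < float(e),
    "NumericLessThanEquals": lambda a, e: float(a) <= float(e),
    "Bool": lambda a, e: str(a).lower() == str(e).lower(),
    "IpAddress": _in_net,
    "NotIpAddress": lambda a, e: not _in_net(a, e),
}

def evaluate_condition(condition, context):
    """True if every operator/key pair in the Condition block holds for the request context."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            if op == "Null":
                # Null "true" requires the key to be absent, "false" requires it to be present
                if (key not in context) != (str(values[0]).lower() == "true"):
                    return False
            elif key not in context or not any(OPERATORS[op](context[key], v) for v in values):
                return False
    return True
```

Running it with a NotIpAddress array and a source address from that array returns True, which is exactly why such a condition on a Deny statement locks out every address listed.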