Specifying conditions in a policy

Conditions define when a policy will be in effect. Conditions consist of operators and key-value pairs.

Conditions use key-value pairs for evaluation. A Condition element can contain multiple conditions, and each condition can contain multiple key-value pairs. The condition block uses the following format:

Condition: {
     condition_type: {
          condition_key: condition_values
     }
}
In the following example, the IpAddress condition uses the SourceIp condition key.

"Condition": {
    "IpAddress": {
        "aws:SourceIp": "54.240.143.0/24"
    }
    ...
},
...

Supported condition operators

Condition operators are categorized as follows:
  • String
  • Numeric
  • Boolean
  • IP address
  • Null check
Condition operator         Description
StringEquals               Compares a key to a string value based on exact matching (case sensitive).
StringNotEquals            Compares a key to a string value based on negated matching (case sensitive).
StringEqualsIgnoreCase     Compares a key to a string value based on exact matching (ignores case).
StringNotEqualsIgnoreCase  Compares a key to a string value based on negated matching (ignores case).
StringLike                 Compares a key to a string value based on exact matching (case sensitive). Can include * and ? wildcard characters.
StringNotLike              Compares a key to a string value based on negated matching (case sensitive). Can include * and ? wildcard characters.
NumericEquals              Compares a key to a numeric value based on exact matching.
NumericNotEquals           Compares a key to a numeric value based on negated matching.
NumericGreaterThan         Compares a key to a numeric value based on greater than matching.
NumericGreaterThanEquals   Compares a key to a numeric value based on greater than or equals matching.
NumericLessThan            Compares a key to a numeric value based on less than matching.
NumericLessThanEquals      Compares a key to a numeric value based on less than or equals matching.
Bool                       Compares a key to a Boolean value based on true or false matching.
IpAddress                  Compares a key to an IP address or range of IP addresses.
NotIpAddress               Compares a key to an IP address or range of IP addresses based on negated matching.
                           Attention: If you use the NotIpAddress operator to specify an array (not a range) of IP addresses, the condition is always true, because the key does not equal at least one of the IP addresses. For this reason, if the statement has an Effect of Deny, access will be denied to all IP addresses in the array.
Null                       Checks if a condition key is present in the current request context.

Supported condition keys

Category: IP operators
  aws:SourceIp   Will compare to the IP address from which the request was sent. Can be used for bucket or object operations.
                 Note: If the S3 request was sent through the Load Balancer service on Admin Nodes and Gateway Nodes, this will compare to the IP address upstream of the Load Balancer service.
                 Note: If a third-party, non-transparent load balancer is used, this will compare to the IP address of that load balancer. Any X-Forwarded-For header will be ignored since its validity cannot be ascertained.

Category: Resource/Identity
  aws:username   Will compare to the username of the sender from which the request was sent. Can be used for bucket or object operations.

Category: S3:ListBucket and S3:ListBucketVersions permissions
  s3:delimiter   Will compare to the delimiter parameter specified in a GET Bucket or GET Bucket Object versions request.
  s3:max-keys    Will compare to the max-keys parameter specified in a GET Bucket or GET Bucket Object versions request.
  s3:prefix      Will compare to the prefix parameter specified in a GET Bucket or GET Bucket Object versions request.
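The following is an added example, not code from the original page or from the StorageGRID product: a small Python evaluator for the condition operators and condition keys listed above. It applies a Condition block to a request context, treats negated operators exactly as the Attention note on NotIpAddress describes (true when the key does not equal at least one listed value), and includes a lint helper that flags the NotIpAddress-with-an-array mistake before a Deny statement locks everyone out. The request contexts, the policy statements and the Null semantics (value "true" matches when the key is absent, as in AWS) are assumptions made for this demonstration.

```python
import fnmatch
import ipaddress

# Constructed request contexts (not from the page); key names are the ones the page lists.
REQUEST_FROM_RANGE = {
    "aws:SourceIp": "54.240.143.17",
    "aws:username": "alice",
    "s3:prefix": "reports/",
    "s3:max-keys": "1000",
}
REQUEST_FROM_OUTSIDE = {**REQUEST_FROM_RANGE, "aws:SourceIp": "203.0.113.9"}


def _as_list(value):
    """A condition value may be a single scalar or an array of values."""
    return value if isinstance(value, list) else [value]


def _in_network(addr, cidr):
    """IP operators accept a single address or a CIDR range."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


# Positive operators from the page: "does the actual value match one expected value?"
POSITIVE = {
    "StringEquals": lambda a, e: a == e,
    "StringEqualsIgnoreCase": lambda a, e: a.lower() == e.lower(),
    "StringLike": lambda a, e: fnmatch.fnmatchcase(a, e),  # * and ? wildcards
    "NumericEquals": lambda a, e: float(a) == float(e),
    "NumericGreaterThan": lambda a, e: float(a) > float(e),
    "NumericGreaterThanEquals": lambda a, e: float(a) >= float(e),
    "NumericLessThan": lambda a, e: float(a) < float(e),
    "NumericLessThanEquals": lambda a, e: float(a) <= float(e),
    "Bool": lambda a, e: str(a).lower() == str(e).lower(),
    "IpAddress": _in_network,
}
# Negated operators, mapped to the positive operator they negate.
NEGATED = {
    "StringNotEquals": "StringEquals",
    "StringNotEqualsIgnoreCase": "StringEqualsIgnoreCase",
    "StringNotLike": "StringLike",
    "NumericNotEquals": "NumericEquals",
    "NotIpAddress": "IpAddress",
}


def evaluate_condition(operator, key, expected, context):
    """Evaluate one operator/key pair against the request context.

    Positive operators are true when the key matches ANY listed value. Negated
    operators follow the page's wording: true when the key does not equal at
    least one listed value, so an array under NotIpAddress is always true.
    Null uses the AWS convention (assumed): "true" matches when the key is absent.
    """
    if operator == "Null":
        expect_absent = str(_as_list(expected)[0]).lower() == "true"
        return (key not in context) == expect_absent
    if key not in context:
        return False  # a missing key never satisfies a comparison operator
    actual = context[key]
    if operator in POSITIVE:
        return any(POSITIVE[operator](actual, e) for e in _as_list(expected))
    base = POSITIVE[NEGATED[operator]]
    return any(not base(actual, e) for e in _as_list(expected))


def condition_block_matches(condition, context):
    """Every operator and every key in the block must match (logical AND)."""
    return all(
        evaluate_condition(op, key, expected, context)
        for op, pairs in condition.items()
        for key, expected in pairs.items()
    )


def statement_effect(statement, context):
    """Return the statement's Effect if its Condition block matches, else None."""
    if condition_block_matches(statement.get("Condition", {}), context):
        return statement["Effect"]
    return None


def negated_ip_arrays(statement):
    """Lint helper: NotIpAddress keys given an array of addresses, which the page's
    Attention note says are always true (under Deny, everyone is denied)."""
    not_ip = statement.get("Condition", {}).get("NotIpAddress", {})
    return [k for k, v in not_ip.items() if isinstance(v, list) and len(v) > 1]


# Constructed policy statements (not from the page).
ALLOW_LISTING_FROM_RANGE = {
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Condition": {
        "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
        "StringLike": {"s3:prefix": "reports/*"},
        "NumericLessThanEquals": {"s3:max-keys": "1000"},
    },
}
DENY_WITH_IP_ARRAY = {
    "Effect": "Deny",
    "Action": ["s3:*"],
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["54.240.143.10", "54.240.143.11"]}},
}

if __name__ == "__main__":
    print(statement_effect(ALLOW_LISTING_FROM_RANGE, REQUEST_FROM_RANGE))    # Allow
    print(statement_effect(ALLOW_LISTING_FROM_RANGE, REQUEST_FROM_OUTSIDE))  # None
    print(statement_effect(DENY_WITH_IP_ARRAY, {"aws:SourceIp": "54.240.143.10"}))  # Deny
    print(negated_ip_arrays(DENY_WITH_IP_ARRAY))  # ['aws:SourceIp']
```

The lint helper is the practical takeaway: an array of addresses under NotIpAddress should be rewritten as a range (or as separate single-address statements) before the policy is applied, because once deployed the Deny matches every source address, including the ones the author meant to exempt.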