Specifying conditions in a policy

Conditions define when a policy will be in effect. Conditions consist of operators and key-value pairs.

Conditions use key-value pairs for evaluation. A Condition element can contain multiple conditions, and each condition can contain multiple key-value pairs. The condition block uses the following format:

Condition: {
     condition_type: {
          condition_key: condition_values
     }
}
In the following example, the IpAddress condition uses the SourceIp condition key.

"Condition": {
    "IpAddress": {
        "aws:SourceIp": "54.240.143.0/24"
        ...
    },
    ...
}

Supported condition operators

Condition operators are categorized as follows:
  • String
  • Numeric
  • Boolean
  • IP address
  • Null check
Condition operator         Description
StringEquals               Compares a key to a string value based on exact matching (case sensitive).
StringNotEquals            Compares a key to a string value based on negated matching (case sensitive).
StringEqualsIgnoreCase     Compares a key to a string value based on exact matching (ignores case).
StringNotEqualsIgnoreCase  Compares a key to a string value based on negated matching (ignores case).
StringLike                 Compares a key to a string value based on exact matching (case sensitive). Can include * and ? wildcard characters.
StringNotLike              Compares a key to a string value based on negated matching (case sensitive). Can include * and ? wildcard characters.
NumericEquals              Compares a key to a numeric value based on exact matching.
NumericNotEquals           Compares a key to a numeric value based on negated matching.
NumericGreaterThan         Compares a key to a numeric value based on greater-than matching.
NumericGreaterThanEquals   Compares a key to a numeric value based on greater-than-or-equals matching.
NumericLessThan            Compares a key to a numeric value based on less-than matching.
NumericLessThanEquals      Compares a key to a numeric value based on less-than-or-equals matching.
Bool                       Compares a key to a Boolean value based on true or false matching.
IpAddress                  Compares a key to an IP address or range of IP addresses.
NotIpAddress               Compares a key to an IP address or range of IP addresses based on negated matching.
Null                       Checks whether a condition key is present in the current request context.

Supported condition keys

The applicable condition keys, grouped by category:

IP operators
  aws:SourceIp: Compares to the IP address from which the request was sent. Can be used for bucket or object operations.
    Note: If the S3 request was sent through the Load Balancer service on Admin Nodes and Gateway Nodes, this compares to the IP address upstream of the Load Balancer service.
    Note: If a third-party, non-transparent load balancer is used, this compares to the IP address of that load balancer. Any X-Forwarded-For header is ignored, because its validity cannot be ascertained.

Resource/Identity
  aws:username: Compares to the username of the sender of the request. Can be used for bucket or object operations.

S3:ListBucket and S3:ListBucketVersions permissions
  s3:delimiter: Compares to the delimiter parameter specified in a GET Bucket or GET Bucket Object versions request.
  s3:max-keys: Compares to the max-keys parameter specified in a GET Bucket or GET Bucket Object versions request.
  s3:prefix: Compares to the prefix parameter specified in a GET Bucket or GET Bucket Object versions request.
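As an added illustration (not from the StorageGRID documentation or product code), the following Python evaluator applies the string, numeric, IP address and Null operators from the tables above to a request context built from the keys listed above. The AND/OR combination rules and the meaning of the "true"/"false" values of Null are assumed from the IAM convention, which the page does not spell out; the Condition block and context values are constructed samples.

```python
import ipaddress
import re

# Constructed Condition block (not from the page): listing is allowed only under
# reports/ and only from the 54.240.143.0/24 range or the single host 10.0.0.5.
SAMPLE_CONDITION = {
    "IpAddress": {"aws:SourceIp": ["54.240.143.0/24", "10.0.0.5"]},
    "StringLike": {"s3:prefix": "reports/*"},
}

def _like(pattern, value):
    # StringLike: only * and ? are wildcards; every other character is literal
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _match_one(op, expected, actual):
    """Test one policy value against the request-context value (positive operators only)."""
    if op == "StringEquals":
        return actual == expected
    if op == "StringEqualsIgnoreCase":
        return actual.lower() == expected.lower()
    if op == "StringLike":
        return _like(expected, actual)
    if op.startswith("Numeric"):
        a, e = float(actual), float(expected)
        return {"NumericEquals": a == e, "NumericGreaterThan": a > e,
                "NumericGreaterThanEquals": a >= e, "NumericLessThan": a < e,
                "NumericLessThanEquals": a <= e}[op]
    if op == "IpAddress":  # the policy value may be a single host or a CIDR range
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    raise ValueError(f"unsupported condition operator: {op}")

def evaluate_condition(condition, context):
    """Return True when the whole Condition element matches the request context.
    Assumes the IAM convention (not spelled out on the page): operators are ANDed,
    keys within one operator are ANDed, values for one key are ORed, and
    'Null' with "true" matches when the key is absent from the context."""
    for op, pairs in condition.items():
        for key, values in pairs.items():
            values = values if isinstance(values, list) else [values]
            if op == "Null":
                if not any(str(v).lower() == str(key not in context).lower() for v in values):
                    return False
                continue
            if key not in context:  # a missing key never satisfies a non-Null operator
                return False
            negated, base = "Not" in op, op.replace("Not", "")
            if any(_match_one(base, v, context[key]) for v in values) == negated:
                return False
    return True
```

The aws:SourceIp value in the context should be the address StorageGRID actually evaluates, that is the connection peer (or the upstream address when the built-in Load Balancer service is used), never a value taken from X-Forwarded-For.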