2.2.3. Condition Keys and Policy Variables
First Principle: IAM condition keys and policy variables provide fine-grained, context-aware access control within IAM policies, enabling highly specific security rules based on request attributes.
IAM policies allow you to specify permissions. Condition keys and policy variables enable you to add specific conditions to your IAM policies, making them more granular and context-aware.
Key Concepts of Condition Keys and Policy Variables:
- Condition Key:
- Purpose: Allows you to specify conditions under which a policy statement is effective.
- Syntax: Uses a "Condition" block in a policy statement, containing a condition operator (e.g.,
StringEquals,IpAddress), the condition key, and the value to test. - Types: AWS-wide condition keys (e.g.,
aws:SourceIp,aws:RequestedRegion,aws:MultiFactorAuthPresent) and service-specific condition keys (e.g.,s3:Prefix,dynamodb:LeadingKeys).
- Policy Variables:
- Purpose: Placeholders in a policy that are substituted with actual values at runtime based on the context of the request.
- Syntax: Use a dollar sign (
$) followed by a curly brace, e.g.,${aws:username}or${s3:prefix}. - Use Cases: Creating dynamic policies that allow access to resources based on the requesting user's name or a file prefix.
Scenario: You need to create an IAM policy that allows a user to access an S3 bucket only if they are accessing it from a specific corporate IP range and have MFA enabled. You also want to create an S3 bucket policy that allows users to write to a specific folder within a bucket named after their IAM user name.
Reflection Question: How do IAM condition keys (e.g., aws:SourceIp, aws:MultiFactorAuthPresent) and policy variables (e.g., ${aws:username}) fundamentally provide fine-grained, context-aware access control within IAM policies, enabling highly specific security rules based on request attributes?