To check for date and time conditions using a date in epoch or UNIX time
| Key | Type | Description |
|---|---|---|
| aws:PrincipalArn | ARN | Checks the ARN of the IAM user or role that made the request. |
| aws:UserAgent | String | Checks the client application of the requester. |
| aws:PrincipalTag/tag-key | String | Checks that the tag attached to the principal making the request matches the specified key name and value. |
| aws:RequestTag/tag-key | String | Checks that the tag key-value pair is present in the request. |
| aws:ResourceTag/tag-key | String | Checks that the tag key-value pair is attached to the resource. |
| aws:SourceIp | IpAddr | Checks the IP address of the requester. |
| aws:TagKeys | String, ForAllValues:String, ForAnyValue:String | This context key is the list of tag keys in the request, without their values. |
| aws:TokenIssueTime | Date | Checks the date and time that temporary security credentials were issued. |
| aws:principaltype | String | Indicates the type of principal making the request: Account for the root user, User for an IAM user, ECSUser for a legacy object user, and AssumedRole for a SAML or assumed-role user. |
| aws:userid | String | Set according to the authorized user: the root user ARN if the root user is the requester; the IAM user's unique ID if an IAM user is the requester; role-id:caller-specified-role-name if a SAML federated user or an assumed-role user is the requester, where role-id is the unique ID of the role and caller-specified-role-name is the RoleSessionName in the AssumeRole request or the name attribute value in the SAML assertion passed to the AssumeRoleWithSAML request. |
| aws:username | String | If the requester is an IAM user, set to the IAM username; otherwise not set. |
| IAM condition keys | Type | Description |
|---|---|---|
| iam:PermissionsBoundary | String | Checks that the specified policy is attached as the permissions boundary on the IAM principal resource. |
| iam:PolicyARN | ARN | Checks the ARN of a managed policy in requests that involve a managed policy. |
| iam:ResourceTag/key-name | String | Checks that the tag attached to the IAM entity (user or role) matches the specified key name and value. |
| STS and SAML condition keys | Type | Description |
|---|---|---|
| saml:aud | String | An endpoint URL to which SAML assertions are presented. The value for this key comes from the SAML Recipient field in the assertion, not the Audience field. |
| saml:edupersonorgdn | String | This is an eduPerson attribute in the SAML assertion. |
| saml:iss | String | The issuer, which is represented by a URN. |
| saml:namequalifier | String | This contains a hash value that represents the combination of the saml:doc and saml:iss values. It is used as a namespace qualifier; the combination of saml:namequalifier and saml:sub uniquely identifies a user. |
| saml:sub | String | This is the subject of the claim, which includes a value that uniquely identifies an individual user within an organization. |
| saml:sub_type | String | This key can have the value persistent, transient, or consist of the full Format URI from the Subject and NameID elements used in your SAML assertion. A value of persistent indicates that the value in saml:sub is the same for a user between sessions. If the value is transient, the user has a different saml:sub value for each session. |
| S3 condition keys | Description |
|---|---|
| s3:x-amz-acl | Specifies the canned ACL in the request. |
| s3:x-amz-grant-permission | Specifies the permission for the following access: read, write, read-acp, write-acp, full-control. |
| s3:x-amz-copy-source | Enables restricting the copy source to a specific bucket, folder, or object. |
| s3:x-amz-metadata-directive | Specifies certain behavior to be enforced during object uploads (COPY vs REPLACE). |
| s3:x-amz-server-side-encryption | Specifies that the request should contain this header to ensure that uploads are stored encrypted. |
| s3:VersionId | Limits access to specific versions of an object. |
| s3:LocationConstraint | Using this condition key, you can restrict a user to creating a bucket in a specific AWS Region. |
| s3:delimiter | Used to require the requester to specify the delimiter parameter. |
| s3:max-keys | Limits ListBucket requests to the set s3:max-keys value. |
| s3:prefix | Limits ListBucket and ListBucketVersions to a specific prefix. |
| s3:ExistingObjectTag/<tag-key> | Using this condition key, you can limit the permission for the s3:PutObjectAcl action to only objects that have a specific tag key and value. |
| s3:RequestObjectTagKeys | Using this condition key, you can limit permission for the s3:PutObject action by restricting the object tags allowed in the request. |
| s3:RequestObjectTag/<tag-key> | Using this condition key, you can limit permission for the s3:PutObject action by restricting the object tags allowed in the request. |
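As an added illustration of how several of these keys combine in a policy Condition block (example code written for this page, not part of the ECS or AWS documentation), the simplified evaluator below checks aws:SourceIp, aws:PrincipalArn, aws:PrincipalTag, s3:x-amz-server-side-encryption and aws:TagKeys against a request context. The statement, the context values and the three supported operators are constructed assumptions; note how the ForAllValues quantifier on aws:TagKeys passes when the key is absent.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed statement (not from the page): allow uploads only from the corporate
# range, by payments roles, with SSE requested, and with only approved tag keys.
STATEMENT = {
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Condition": {
        "IpAddress": {"aws:SourceIp": "10.0.0.0/8"},
        "StringLike": {"aws:PrincipalArn": "arn:*:iam::*:role/payments-*"},
        "StringEquals": {
            "aws:PrincipalTag/team": "payments",
            "s3:x-amz-server-side-encryption": "AES256",
        },
        "ForAllValues:StringEquals": {"aws:TagKeys": ["owner", "env"]},
    },
}

def _match(op, values, expected):
    """True if any request value satisfies the operator for any expected value."""
    if op == "IpAddress":
        nets = [ipaddress.ip_network(e) for e in expected]
        return any(ipaddress.ip_address(v) in n for v in values for n in nets)
    if op == "StringEquals":
        return any(v in expected for v in values)
    if op == "StringLike":  # * and ? wildcards, case-sensitive
        return any(fnmatchcase(v, p) for v in values for p in expected)
    raise ValueError(f"unsupported operator {op}")

def condition_holds(condition, ctx):
    """Evaluate a policy Condition block against a request context dict."""
    for full_op, pairs in condition.items():
        quantifier, _, op = full_op.rpartition(":")
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            values = ctx.get(key, [])
            values = values if isinstance(values, list) else [values]
            if quantifier == "ForAllValues":
                # Every request value must match; an absent key passes vacuously.
                ok = all(_match(op, [v], expected) for v in values)
            elif quantifier == "ForAnyValue":
                ok = any(_match(op, [v], expected) for v in values)
            else:
                ok = bool(values) and _match(op, values, expected)  # absent key fails
            if not ok:
                return False
    return True
```

Call condition_holds(STATEMENT["Condition"], ctx) with a context dict keyed by condition-key name; an absent aws:TagKeys still passes the ForAllValues clause, which is why a Null check is added in practice when a key must be present.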