{
	"id": "d984d24c-d0f5-41fa-8aef-8d1ddb4b37fd",
	"created_at": "2026-04-06T01:30:32.126335Z",
	"updated_at": "2026-04-10T03:35:21.427036Z",
	"deleted_at": null,
	"sha1_hash": "472c4199aae15abc4f8d50e391f771c56f0ce48c",
	"title": "IAM JSON policy elements: Condition",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 96692,
	"plain_text": "IAM JSON policy elements: Condition\r\nArchived: 2026-04-06 00:13:41 UTC\r\nThe Condition element (or Condition block) lets you specify conditions for when a policy is in effect. The\r\nCondition element is optional. In the Condition element, you build expressions in which you use condition\r\noperators (equal, less than, and others) to match the context keys and values in the policy against keys and values\r\nin the request context. To learn more about the request context, see Components of a request.\r\n\"Condition\" : { \" {condition-operator} \" : { \" {condition-key} \" : \" {condition-value} \" }}\r\nThe context key that you specify in a policy condition can be a global condition context key or a service-specific\r\ncontext key. Global condition context keys have the aws: prefix. Service-specific context keys have the service's\r\nprefix. For example, Amazon EC2 lets you write a condition using the ec2:InstanceType context key, which is\r\nunique to that service. To view service-specific IAM context keys with the iam: prefix, see IAM and AWS STS\r\ncondition context keys.\r\nContext key names are not case-sensitive. For example, including the aws:SourceIP context key is equivalent to\r\ntesting for AWS:SourceIp . Case-sensitivity of context key values depends on the condition operator that you use.\r\nFor example, the following condition includes the StringEquals operator to make sure that only requests made\r\nby john match. Users named John are denied access.\r\n\"Condition\" : { \"StringEquals\" : { \"aws:username\" : \"john\" }}\r\nThe following condition uses the StringEqualsIgnoreCase operator to match users named john or John .\r\n\"Condition\" : { \"StringEqualsIgnoreCase\" : { \"aws:username\" : \"john\" }}\r\nSome context keys support key–value pairs that allow you to specify part of the key name. 
Examples include the\r\naws:RequestTag/tag-key context key, the AWS KMS kms:EncryptionContext:encryption_context_key, and the\r\nResourceTag/tag-key context key supported by multiple services.\r\nIf you use the ResourceTag/tag-key context key for a service such as Amazon EC2, then you must\r\nspecify a key name for the tag-key.\r\nKey names are not case-sensitive. This means that if you specify \"aws:ResourceTag/TagKey1\":\r\n\"Value1\" in the condition element of your policy, then the condition matches a resource tag key named\r\neither TagKey1 or tagkey1, but not both.\r\nAWS services that support these attributes might allow you to create multiple key names that differ only by\r\ncase. For example, you might tag an Amazon EC2 instance with ec2=test1 and EC2=test2. When you\r\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html\r\nPage 1 of 4\n\nuse a condition such as \"aws:ResourceTag/EC2\": \"test1\" to allow access to that resource, the key name\r\nmatches both tags, but only one value matches. This can result in unexpected condition failures.\r\nImportant\r\nAs a best practice, make sure that members of your account follow a consistent naming convention when naming\r\nkey–value pair attributes. Examples include tags or AWS KMS encryption contexts. You can enforce this using the\r\naws:TagKeys context key for tagging, or the kms:EncryptionContextKeys for the AWS KMS encryption context.\r\nFor a list of all of the condition operators and a description of how they work, see Condition operators.\r\nUnless otherwise specified, all context keys can have multiple values. 
For a description of how to handle\r\ncontext keys that have multiple values, see Set operators for multivalued context keys.\r\nFor a list of all of the globally available context keys, see AWS global condition context keys.\r\nFor condition context keys that are defined by each service, see Actions, Resources, and Condition Keys\r\nfor AWS Services.\r\nThe request context\r\nWhen a principal makes a request to AWS, AWS gathers the request information into a request context. The\r\nrequest context includes information about the principal, resources, actions, and other environmental properties.\r\nPolicy evaluation matches the properties in the policy against the properties sent in the request to evaluate and\r\nauthorize actions you can perform in AWS.\r\nYou can use the Condition element of a JSON policy to test specific context keys against the request context.\r\nFor example, you can create a policy that uses the aws:CurrentTime context key to allow a user to perform actions\r\nwithin only a specific range of dates.\r\nThe following example shows a representation of the request context when Martha Rivera sends a request to\r\ndeactivate her MFA device.\r\nPrincipal: AROA123456789EXAMPLE\r\nAction: iam:DeactivateMFADevice\r\nResource: arn:aws:iam::user/martha\r\nContext:\r\n – aws:UserId=AROA123456789EXAMPLE:martha\r\n – aws:PrincipalAccount=1123456789012\r\n – aws:PrincipalOrgId=o-example\r\n – aws:PrincipalARN=arn:aws:iam::1123456789012:assumed-role/TestAR\r\n – aws:MultiFactorAuthPresent=true\r\n – aws:MultiFactorAuthAge=2800\r\n – aws:CurrentTime=...\r\n – aws:EpochTime=...\r\n – aws:SourceIp=...\r\nThe request context is matched against a policy that allows users to remove their own multi-factor authentication\r\n(MFA) device, but only if they have signed in using MFA in the last hour (3,600 seconds).\r\n{\r\n  \"Version\": \"2012-10-17\",\r\n  
\"Statement\": {\r\n \"Sid\": \"AllowRemoveMfaOnlyIfRecentMfa\",\r\n \"Effect\": \"Allow\",\r\n \"Action\": [\r\n \"iam:DeactivateMFADevice\"\r\n ],\r\n \"Resource\": \"arn:aws:iam::*:user/${aws:username}\",\r\n \"Condition\": {\r\n \"NumericLessThanEquals\": {\"aws:MultiFactorAuthAge\": \" 3600 \"}\r\n }\r\n }\r\n}\r\nIn this example, the policy matches the request context: the action is the same, the resource matches the “*”\r\nwildcard, and the value for aws:MultiFactorAuthAge is 2800, which is less than 3600, so the policy allows this\r\nauthorization request.\r\nAWS evaluates each context key in the policy and returns a value of true or false. A context key that is not present\r\nin the request is considered a mismatch.\r\nThe request context can return the following values:\r\nTrue – If the requester signed in using MFA in the last one hour or less, then the condition returns true.\r\nFalse – If the requester signed in using MFA more than one hour ago, then the condition returns false.\r\nNot present – If the requester made a request using their IAM user access keys in the AWS CLI or\r\nAWS API, the key is not present. In this case, the key is not present, and it won't match.\r\nNote\r\nIn some cases, when the condition key value is not present, the condition can still return true. For example, if you\r\nadd the ForAllValues qualifier, the request returns true if the context key is not in the request. 
To prevent\r\nmissing context keys or context keys with empty values from evaluating to true, you can include the Null\r\ncondition operator in your policy with a false value to check if the context key exists and its value is not null.\r\nThe condition block\r\nThe following example shows the basic format of a Condition element:\r\n\"Condition\": {\"StringLike\": {\"s3:prefix\": [\"jane/*\"]}}\r\nA value from the request is represented by a context key, in this case s3:prefix. The context key value is\r\ncompared to a value that you specify as a literal value, such as jane/*. The type of comparison to make is\r\nspecified by the condition operator (here, StringLike). You can create conditions that compare strings, dates,\r\nnumbers, and more using typical Boolean comparisons such as equals, greater than, and less than. When you use\r\nstring operators or ARN operators, you can also use a policy variable in the context key value. The following\r\nexample includes the aws:username variable.\r\n\"Condition\": {\"StringLike\": {\"s3:prefix\": [\"${aws:username}/*\"]}}\r\nUnder some circumstances, context keys can contain multiple values. For example, a request to Amazon\r\nDynamoDB might ask to return or update multiple attributes from a table. A policy for access to DynamoDB\r\ntables can include the dynamodb:Attributes context key, which contains all the attributes listed in the request.\r\nYou can test the multiple attributes in the request against a list of allowed attributes in a policy by using set\r\noperators in the Condition element. For more information, see Set operators for multivalued context keys.\r\nWhen the policy is evaluated during a request, AWS replaces the key with the corresponding value from the\r\nrequest. (In the earlier aws:CurrentTime example, AWS would use the date and time of the request.) 
The condition is evaluated to return\r\ntrue or false, which is then factored into whether the policy as a whole allows or denies the request.\r\nMultiple values in a condition\r\nA Condition element can contain multiple condition operators, and each condition operator can contain multiple\r\ncontext key-value pairs. The following figure illustrates this.\r\nFor more information, see Set operators for multivalued context keys.\r\nSource: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html"
	],
	"report_names": [
		"reference_policies_elements_condition.html"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439032,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/472c4199aae15abc4f8d50e391f771c56f0ce48c.pdf",
		"text": "https://archive.orkl.eu/472c4199aae15abc4f8d50e391f771c56f0ce48c.txt",
		"img": "https://archive.orkl.eu/472c4199aae15abc4f8d50e391f771c56f0ce48c.jpg"
	}
}