Condition operators
Use condition operators in the Condition element to match the condition key and value in the policy against values in the request context. For more information about the Condition element, see Condition.
The condition operator that you can use in a policy depends on the condition key you choose. You can choose a global condition key or a service-specific condition key. To learn which condition operator you can use for a global condition key, see condition context keys.
If the key that you specify in a policy condition is not present in the request context, the values do not match and the condition is false. If the policy condition requires that the key is not matched, such as StringNotLike or ArnNotLike, and the key is not present, the condition is true. This logic applies to all condition operators except those that test whether the key is present (exists) in the request context, such as the Null condition operator.
String condition operators
String condition operators let you construct Condition elements that restrict access based on comparing a key to a string value.
Policy variables – Supported
Wildcards – Supported
Condition operator | Description |
---|---|
StringEquals | Exact matching, case sensitive |
StringNotEquals | Negated matching |
StringEqualsIgnoreCase | Exact matching, ignoring case |
StringNotEqualsIgnoreCase | Negated matching, ignoring case |
StringLike | Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string. You must specify wildcards to achieve partial string matches. |
StringNotLike | Negated case-sensitive matching. The values can include multi-character match wildcards (*) or single-character match wildcards (?) anywhere in the string. |
Multivalued string condition operators
If a key in the request contains multiple values, string operators can be qualified with set operators ForAllValues and ForAnyValue. For more information on the evaluation logic of multiple context keys or values, see Multivalued context keys.
Condition operator | Description |
---|---|
ForAllValues:StringEquals, ForAllValues:StringEqualsIgnoreCase | All of the values for the condition key in the request must match at least one of the values in your policy. |
ForAnyValue:StringEquals, ForAnyValue:StringEqualsIgnoreCase | At least one condition key value in the request must match one of the values in your policy. |
ForAllValues:StringNotEquals, ForAllValues:StringNotEqualsIgnoreCase | Negated matching. None of the values of the context key in the request can match any of the context key values in your policy. |
ForAnyValue:StringNotEquals, ForAnyValue:StringNotEqualsIgnoreCase | Negated matching. At least one context key value in the request must NOT match any of the values for the context key in your policy. |
ForAllValues:StringLike | All of the values for the condition key in the request must match at least one of the values in your policy. |
ForAnyValue:StringLike | At least one condition key value in the request must match one of the values in your policy. |
ForAllValues:StringNotLike | Negated matching. None of the values of the context key in the request can match any of the context key values in your policy. |
ForAnyValue:StringNotLike | Negated matching. At least one context key value in the request must NOT match any of the values for the context key in your policy. |
Numeric condition operators
Numeric condition operators let you construct Condition elements that restrict access based on comparing a key to an integer or decimal value.
Policy variables – Supported
Wildcards – Not supported
Condition operator | Description |
---|---|
NumericEquals | Matching |
NumericNotEquals | Negated matching |
NumericLessThan | "Less than" matching |
NumericLessThanEquals | "Less than or equals" matching |
NumericGreaterThan | "Greater than" matching |
NumericGreaterThanEquals | "Greater than or equals" matching |
Date condition operators
Date condition operators let you construct Condition elements that restrict access based on comparing a key to a date/time value. You use these condition operators with the aws:CurrentTime or aws:EpochTime key. You must specify date/time values in one of the W3C implementations of the ISO 8601 date formats.
Policy variables – Supported
Wildcards – Not supported
Condition operator | Description |
---|---|
DateEquals | Matching a specific date |
DateNotEquals | Negated matching |
DateLessThan | Matching before a specific date and time |
DateLessThanEquals | Matching at or before a specific date and time |
DateGreaterThan | Matching after a specific date and time |
DateGreaterThanEquals | Matching at or after a specific date and time |
Boolean condition operators
Boolean condition operators let you construct Condition elements that restrict access based on comparing a key to true or false.
If a key contains multiple values, boolean operators can be qualified with set operators ForAllValues and ForAnyValue. For more information on the evaluation logic of multiple context keys or values, see Multivalued context keys.
Policy variables – Supported
Wildcards – Not supported
Condition operator | Description |
---|---|
Bool | Boolean matching |
ForAllValues:Bool | Use with the Array of Bool data type. All of the booleans in the context key values must match the boolean values in your policy. To prevent ForAllValues operators from evaluating missing context keys or context keys with empty values as Allowed, you can include the Null condition operator in your policy. |
ForAnyValue:Bool | Use with the Array of Bool data type. At least one of the booleans in the context key values must match the boolean values in your policy. |
Binary condition operators
The BinaryEquals condition operator lets you construct Condition elements that test key values that are in binary format. It compares the value of the specified key byte for byte against a base-64 encoded representation of the binary value in the policy. If the key that you specify in a policy condition is not present in the request context, the values do not match.
Policy variables – Supported
Wildcards – Not supported
Condition operator | Description |
---|---|
BinaryEquals | Compares the value of the specified key byte for byte against a base-64 encoded representation of the binary value in the policy |
IP address condition operators
IP address condition operators let you construct Condition elements that restrict access based on comparing a key to an IPv4 or IPv6 address or range of IP addresses. The value must be in the standard CIDR format (for example, 203.0.113.0/24 or 2001:DB8:1234:5678::/64). If you specify an IP address without the associated routing prefix, IAM uses the default prefix value of /32.
Policy variables – Supported
Wildcards – Not supported
Condition operator | Description |
---|---|
IpAddress | The specified IP address or range |
NotIpAddress | All IP addresses except the specified IP address or range |
Amazon Resource Name (ARN) condition operators
Amazon Resource Name (ARN) condition operators let you construct Condition elements that restrict access based on comparing a key to an ARN. The ARN is considered a string.
Policy variables – Supported
Wildcards – Supported
Condition operator | Description |
---|---|
ArnEquals, ArnLike | Case-sensitive matching of the ARN. Each of the six colon-delimited components of the ARN is checked separately and each can include multi-character match wildcards (*) or single-character match wildcards (?). The ArnEquals and ArnLike condition operators behave identically. |
ArnNotEquals, ArnNotLike | Negated matching for ARN. The ArnNotEquals and ArnNotLike condition operators behave identically. |
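The component-wise matching described in the table above, as an added example that is not part of the AWS documentation or of IAM's implementation. It models ArnLike by splitting both the policy pattern and the request ARN into the six colon-delimited components and matching each separately, and contrasts that with whole-string StringLike matching, where a wildcard can run across a colon. All ARNs used are constructed sample values; the last one is deliberately odd and is not a valid IAM user ARN.

```python
import re

def glob_match(pattern: str, value: str) -> bool:
    """Wildcard matching as StringLike applies it to a whole string:
    '*' matches any run of characters (colons included), '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike/ArnEquals: split both sides into the six colon-delimited components
    arn:partition:service:region:account:resource and match each one on its own,
    so a wildcard in one component can never run into the next component.
    The resource part may itself contain colons, hence maxsplit=5."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False                      # not a well-formed six-component ARN
    return all(glob_match(p, a) for p, a in zip(p_parts, a_parts))

def arn_condition(operator: str, policy_patterns: list, request_arn):
    """Evaluate ArnEquals/ArnLike or ArnNotEquals/ArnNotLike against one request value.
    request_arn=None models a key that is absent from the request context."""
    negated = operator in ("ArnNotEquals", "ArnNotLike")
    if request_arn is None:               # missing key: only the negated forms hold
        return negated
    hit = any(arn_like(p, request_arn) for p in policy_patterns)
    return (not hit) if negated else hit

# Constructed values: a pattern intended to match the root principal of any account.
PATTERN = "arn:aws:iam::*:root"
ROOT = "arn:aws:iam::123456789012:root"
ODD = "arn:aws:iam::123456789012:user/some-user:root"   # constructed; resource part holds a colon
```

Under arn_like the odd value fails because its resource component is "user/some-user:root", not "root"; under glob_match the single `*` swallows the account and part of the resource.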
Multivalued ARN condition operators
If a key in the request contains multiple values, ARN operators can be qualified with set operators ForAllValues and ForAnyValue. For more information on the evaluation logic of multiple context keys or values, see Multivalued context keys.
Condition operator | Description |
---|---|
ForAllValues:ArnEquals, ForAllValues:ArnLike | All of the ARNs in the request context must match at least one of the ARN patterns in your policy. |
ForAnyValue:ArnEquals, ForAnyValue:ArnLike | At least one ARN in the request context must match one of the ARN patterns in your policy. |
ForAllValues:ArnNotEquals, ForAllValues:ArnNotLike | Negated matching. None of the ARNs in the request context can match any of the ARN patterns in your policy. |
ForAnyValue:ArnNotEquals, ForAnyValue:ArnNotLike | Negated matching. At least one ARN in the request context must NOT match any of the ARN patterns in your policy. |
The ForAllValues qualifier returns true if there are no context keys in the request or if the context key value resolves to a null dataset, such as an empty string. To prevent missing context keys or context keys with empty values from evaluating to true, you can include the Null condition operator in your policy with a false value to check if the context key exists and its value is not null.
Condition operator to check existence of condition keys
Use a Null condition operator to check if a condition key is absent at the time of authorization. In the policy statement, use either true (the key doesn't exist — it is null) or false (the key exists and its value is not null).
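The evaluation rules stated on this page (a missing key fails positive operators and satisfies negated ones, ForAllValues is true for a missing or empty key, ForAnyValue needs at least one matching value, and Null tests presence) as an added example that is not part of the AWS documentation or of IAM's implementation. The request context is modelled as a dict of key to list of values, policy values are always given as lists (including the "true"/"false" string for Null), and treating an empty value list as null is an assumption of this model.

```python
import re

def string_like(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

# Positive operators; each negated form means "matches none of the policy values".
POSITIVE = {
    "StringEquals": lambda p, v: p == v,
    "StringEqualsIgnoreCase": lambda p, v: p.casefold() == v.casefold(),
    "StringLike": lambda p, v: string_like(p, v),
}
NEGATED = {"StringNotEquals": "StringEquals",
           "StringNotEqualsIgnoreCase": "StringEqualsIgnoreCase",
           "StringNotLike": "StringLike"}

def evaluate(operator, key, policy_values, context):
    """Evaluate one condition against a request context, modelled as a dict of
    key -> list of values; a key absent from the dict is missing from the request."""
    qualifier, _, op = operator.rpartition(":")      # "ForAllValues:StringLike" -> qualifier, op
    if op == "Null":                                  # assumption: an empty value list counts as null
        present = bool(context.get(key))
        return (policy_values[0] == "true") == (not present)
    negated = op in NEGATED
    base = NEGATED.get(op, op)
    def one(value):                                   # one request value against every policy value
        hit = any(POSITIVE[base](p, value) for p in policy_values)
        return (not hit) if negated else hit
    values = context.get(key)
    if qualifier == "ForAllValues":                   # missing or empty key -> true
        return all(one(v) for v in values) if values else True
    if qualifier == "ForAnyValue":                    # missing or empty key -> nothing can match
        return any(one(v) for v in values) if values else False
    if not values:                                    # single-valued: a missing key satisfies only negated operators
        return negated
    return one(values[0])

def condition_block_holds(conditions, context):
    """A Condition element holds only when every operator/key pair in it holds (AND)."""
    return all(evaluate(op, key, vals, context)
               for op, block in conditions.items() for key, vals in block.items())

# Constructed example: a tag-key restriction satisfied by a request with no tag keys at all,
# and the same block with a Null guard that closes that gap.
TAG_ONLY = {"ForAllValues:StringEquals": {"aws:TagKeys": ["env", "owner"]}}
GUARDED = {**TAG_ONLY, "Null": {"aws:TagKeys": ["false"]}}
NO_TAGS = {}                                   # request context without aws:TagKeys
TAGGED = {"aws:TagKeys": ["env", "owner"]}
MISCASED = {"aws:TagKeys": ["env", "Owner"]}   # StringEquals is case sensitive
```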