Hello.
I think "DateEquals" is only comparing dates.
If you want to include time in the comparison, I think you need to use "DateLessThan", "DateLessThanEquals", "DateGreaterThan", and "DateGreaterThanEquals".
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Date
For example, if you create a policy like the one below, it will be possible to allow EC2 operations from UTC 2024-05-21 to 2024-06-01 23:59.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {"aws:CurrentTime": "2024-05-21T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2024-06-01T23:59:59Z"}
            }
        }
    ]
}
The word "Date" in operators like "DateEquals" or "DateLessThanEquals" can be confusing. The "date" values being compared are full timestamps that contain both the date and time, technically represented as the number of seconds since the "epoch", which is a certain reference time in the past, such as Jan 1st, 1970.
Your conclusion is right, though: if you want to allow or deny an entire 24-hour day, you have to evaluate it as the range of timestamps between the second that starts the day (DateGreaterThanEquals) and the second that starts the next day (DateLessThan), or in other words, d ≤ x < d+1. Still to be clear, it isn't a matter of "working around" anything but simply that you are wanting to allow/deny a range of seconds instead of a single moment in time, and the timestamps you're comparing against always represent a single moment in time.
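As an added illustration of the semantics both answers above describe (this is example code written for this page, not code from the thread, from Riku, or from AWS), the following Python models how the Date* condition operators compare aws:CurrentTime: values are full timestamps reduced to epoch seconds, so DateEquals matches exactly one second, and a whole UTC day has to be written as the range d ≤ x < d+1 with DateGreaterThanEquals and DateLessThan. The helper names (`condition_matches`, `whole_day_condition`, `to_epoch`) are made up here; only the operator behaviour documented on the linked AWS page is assumed.

```python
"""Offline model of how IAM evaluates Date* condition operators on aws:CurrentTime.

Added example for this page, not AWS code. Assumptions: condition values are
ISO 8601 timestamps, comparisons happen on seconds since the epoch, and several
operators in one Condition block are ANDed together, as the AWS docs describe.
"""
from datetime import date, datetime, timedelta, timezone

# One comparison function per IAM Date* operator, applied to epoch seconds.
DATE_OPERATORS = {
    "DateEquals": lambda actual, expected: actual == expected,
    "DateNotEquals": lambda actual, expected: actual != expected,
    "DateLessThan": lambda actual, expected: actual < expected,
    "DateLessThanEquals": lambda actual, expected: actual <= expected,
    "DateGreaterThan": lambda actual, expected: actual > expected,
    "DateGreaterThanEquals": lambda actual, expected: actual >= expected,
}


def to_epoch(value):
    """Convert an ISO 8601 string (trailing 'Z' or offset) or datetime to epoch seconds."""
    if isinstance(value, datetime):
        dt = value
    else:
        # A bare date such as "2024-05-21" parses as midnight, i.e. a single second.
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def condition_matches(condition, request_time):
    """Evaluate a policy Condition block against the time of a request.

    Every operator/key pair must hold for the block to match. Only the
    aws:CurrentTime key is modelled; anything else raises.
    """
    now = to_epoch(request_time)
    for operator, keys in condition.items():
        compare = DATE_OPERATORS[operator]
        for key, expected in keys.items():
            if key != "aws:CurrentTime":
                raise ValueError(f"unsupported condition key: {key}")
            if not compare(now, to_epoch(expected)):
                return False
    return True


def whole_day_condition(day):
    """Condition block that covers an entire UTC day: start <= x < next day's start."""
    start = datetime(day.year, day.month, day.day, tzinfo=timezone.utc)
    end = start + timedelta(days=1)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {
        "DateGreaterThanEquals": {"aws:CurrentTime": start.strftime(fmt)},
        "DateLessThan": {"aws:CurrentTime": end.strftime(fmt)},
    }


if __name__ == "__main__":
    # Constructed sample: the asker's situation, DateEquals with "today's date".
    day = date(2024, 5, 21)
    single_second = {"DateEquals": {"aws:CurrentTime": "2024-05-21T00:00:00Z"}}
    for probe in ("2024-05-21T00:00:00Z", "2024-05-21T10:30:00Z", "2024-05-22T00:00:00Z"):
        print(
            probe,
            "DateEquals ->", condition_matches(single_second, probe),
            "| whole-day range ->", condition_matches(whole_day_condition(day), probe),
        )
```

Running the script shows why the asker saw AccessDenied: DateEquals with a date only matches requests made during the one second at midnight, whereas the generated range matches every second of that day and stops exactly at the next day's first second.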
Thanks Riku for your reply. The problem is that DateEquals doesn't seem to be working correctly now: if I give today's date as the condition value with the "aws:CurrentTime" condition key, the condition evaluates to false and the API gives AccessDenied.
Perhaps "DateEquals" is also comparing times. I also configured my AWS account and confirmed that the operation was not possible. So, I think the current workaround is to combine "DateGreaterThan" and "DateLessThan".