Does DateEquals compare both date and time?

0

Does the date condition operator compare both date and time? I remember it used to compare only the date and used to work when I used it with "aws:CurrentTime" and the date of the day, but now it's not working at all. Does anybody have any idea?

Mani
asked 24 days ago, 65 views
2 Answers
0

Hello.

I think "DateEquals" is only comparing dates.
If you want to include time in the comparison, I think you need to use "DateLessThan", "DateLessThanEquals", "DateGreaterThan", and "DateGreaterThanEquals".
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Date

For example, if you create a policy like the one below, it will be possible to allow EC2 operations from UTC 2024-05-21 to 2024-06-01 23:59.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {"aws:CurrentTime": "2024-05-21T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2024-06-01T23:59:59Z"}
            }
        }
    ]
}
EXPERT
answered 24 days ago
EXPERT
reviewed 20 days ago
  • Thanks Riku for your reply. The problem is that DateEquals doesn't seem to be working correctly now: if I give today's date as the condition value with the "aws:CurrentTime" condition key, the condition evaluates to false and the API gives AccessDenied.

  • Perhaps "DateEquals" is also comparing times. I also configured my AWS account and confirmed that the operation was not possible. So, I think the current workaround is to combine "DateGreaterThan" and "DateLessThan".

0

The word "Date" in operators like "DateEquals" or "DateLessThanEquals" can be confusing. The "date" values being compared are full timestamps that contain both the date and time, technically represented as the number of seconds since the "epoch", which is a certain reference time in the past, such as Jan 1st, 1970.

Your conclusion is right, though: if you want to allow or deny an entire 24-hour day, you have to evaluate it as the range of timestamps between the second that starts the day (DateGreaterThanEquals) and the second that starts the next day (DateLessThan), or in other words, d ≤ x < d+1. Still, to be clear, it isn't a matter of "working around" anything but simply that you are wanting to allow/deny a range of seconds instead of a single moment in time, and the timestamps you're comparing against always represent a single moment in time.

EXPERT
Leo K
answered 19 days ago
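
The d ≤ x < d+1 range from the answer above, as an added example that is not part of the original thread: it builds the condition block for one whole UTC day and checks it against a simplified local model of the date operators. The names `day_window_condition` and `matches` are hypothetical, the sample dates are constructed, and the evaluator is an assumption for illustration, not AWS's policy engine.

```python
from datetime import date, datetime, time, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"  # timestamp format used in the policy on this page

def day_window_condition(day: date) -> dict:
    """Condition block covering one whole UTC day: d <= x < d+1."""
    start = datetime.combine(day, time.min, tzinfo=timezone.utc)
    end = start + timedelta(days=1)  # rolls over month/year ends correctly
    return {
        "DateGreaterThanEquals": {"aws:CurrentTime": start.strftime(FMT)},
        "DateLessThan": {"aws:CurrentTime": end.strftime(FMT)},
    }

# Simplified local model of the date operators (assumption, not AWS code):
# every value is a single instant and is compared as such.
_OPS = {
    "DateEquals": lambda now, v: now == v,
    "DateLessThan": lambda now, v: now < v,
    "DateLessThanEquals": lambda now, v: now <= v,
    "DateGreaterThan": lambda now, v: now > v,
    "DateGreaterThanEquals": lambda now, v: now >= v,
}

def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)

def matches(condition: dict, now: datetime) -> bool:
    """All operators in one condition block must hold (logical AND)."""
    now = now.replace(microsecond=0)
    return all(
        _OPS[op](now, _parse(value))
        for op, keys in condition.items()
        for value in keys.values()
    )

if __name__ == "__main__":
    import json
    day = date(2024, 5, 21)  # constructed sample date
    window = day_window_condition(day)
    print(json.dumps(window, indent=4))
    noon = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)
    single = {"DateEquals": {"aws:CurrentTime": "2024-05-21T00:00:00Z"}}
    # An equality test on one instant misses noon; the range covers it.
    print(matches(single, noon), matches(window, noon))
```

The printed dictionary can be pasted as the "Condition" element of a statement like the one in the first answer.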
