IAM Policy Conditions

0

Hi,

I would just like to know, in general, whether IAM allows conditions where the value is a concatenation of more than one variable. E.g., specifically:

"Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_id}${aws:PrincipalTag/myCustomTag}" ] } }

The above is for DynamoDB, but in general is concatenation allowed?

Thank you

Asked 2 years ago, 396 views
3 answers
0

Could you please elaborate on what is the intent or what are you trying to achieve exactly with the policy? This will help answer the question more accurately.

"ForAllValues:StringEquals" in a condition simply means that all values have to be present (true) for the condition to take place, whereas for example "ForAnyValue:StringEquals" would accept any of the values given for the condition to take effect.

More info: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html

Hope this helps.

Answered 2 years ago
0

Thank you for your reply. Further to your question, since the IAM policies are just a matching mechanism, all I was interested in was whether IAM allows substitutions of more than one variable in a conditional evaluation. What I had there was just an example: "${www.amazon.com:user_id}${aws:PrincipalTag/myCustomTag}". So if www.amazon.com:user_id="JOHN", and aws:PrincipalTag/myCustomTag="NEW YORK", will IAM concatenate this to "JOHNNEW YORK" and evaluate this?

Answered 2 years ago
0

So in this case, yes, however, because your operator is "ForAllValues:StringEquals" it will take 2 things for the condition to be active: that the userID is John, and also, that the PrincipalTag = NEWYORK. So both have to be true or present before the condition becomes "active" (whether it is for an Allow or Deny).

I believe in your use-case you would need 2 condition operators within the condition, something like this for example:

  "Condition": {
      "NotIpAddress": {
          "aws:SourceIp": [
              "192.0.2.0/24"
          ]
      },
      "StringNotLike": {
          "aws:RequestTag/Env": [
              "Dev"
          ]
      }
  }

In the example above, it means the NotIpAddress operator AND the RequestTag operator both have to be "valid" before the condition is applied, meaning the IP is not from the subnet 192.0.2.0/24, and also that the RequestTag is not a DEV env; then the condition will apply.

Answered 2 years ago
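As an added illustration (not code from the thread or from AWS), here is a small Python model of how a Condition block is evaluated: `${var}` references are expanded from the request context, so two adjacent variables simply concatenate, and every operator block must hold (logical AND), while the values listed under one key are ORed. The request context is a constructed sample, and treating a missing policy variable as an empty string is a simplification of IAM's real behaviour.

```python
import ipaddress
import re
from fnmatch import fnmatchcase

# Constructed request context (sample values, not taken from any real account).
CONTEXT = {
    "www.amazon.com:user_id": "JOHN",
    "aws:PrincipalTag/myCustomTag": "NEW YORK",
    "aws:SourceIp": "198.51.100.7",
    "aws:RequestTag/Env": "Prod",
    "dynamodb:LeadingKeys": ["JOHNNEW YORK"],
}

def substitute(value, ctx):
    """Expand every ${var} in a policy string; adjacent variables simply concatenate.
    Simplification: a variable missing from the context becomes an empty string."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)

POSITIVE = {
    "StringEquals": lambda a, e: a == e,
    "StringLike": lambda a, e: fnmatchcase(a, e),
    "IpAddress": lambda a, e: ipaddress.ip_address(a) in ipaddress.ip_network(e),
}
NEGATED = {"StringNotEquals": "StringEquals", "StringNotLike": "StringLike",
           "NotIpAddress": "IpAddress"}

def _holds(op, actual, expected):
    """One request value against the operator's value list (the list is ORed)."""
    if op in NEGATED:  # negated operator: the value must match none of the list
        return not any(POSITIVE[NEGATED[op]](actual, e) for e in expected)
    return any(POSITIVE[op](actual, e) for e in expected)

def evaluate_condition(condition, ctx):
    """True only if every operator block and every key inside it holds (logical AND)."""
    for full_op, keys in condition.items():
        qualifier, _, op = full_op.rpartition(":")
        for key, values in keys.items():
            expected = [substitute(v, ctx) for v in values]
            actual = ctx.get(key)
            actual_list = actual if isinstance(actual, list) else [actual]
            if qualifier == "ForAllValues":
                # Vacuously true when the key is absent: a known pitfall of ForAllValues.
                ok = actual is None or all(_holds(op, a, expected) for a in actual_list)
            elif qualifier == "ForAnyValue":
                ok = actual is not None and any(_holds(op, a, expected) for a in actual_list)
            else:  # single-valued key; negated operators pass when the key is absent
                ok = _holds(op, actual, expected) if actual is not None else op in NEGATED
            if not ok:
                return False
    return True
```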