By using AWS re:Post, you agree to the Terms of Use

IAM Policy Conditions

0

Hi,

Just like to know in general, does IAM allow conditions where the value is a concatenation of > 1 variable? Eg. Specifically:

"Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_id}${aws:PrincipalTag/myCustomTag}" ]

The above is for DynamoDB, but in general is concatenation allowed?

Thank you

3 Answers
0

Could you please elaborate on what is the intent or what are you trying to achieve exactly with the policy? This will help answer the question more accurately.

"ForAllValues:StringEquals" in a condition simply means that all values have to be present (true) for the condition to take place, whereas for example "ForAnyValue:StringEquals" would accept any of the values given for the condition to take effect.

More info: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html

Hope this helps.

answered 3 months ago
0

Thank you for your reply. Further to your question, since the IAM policies are just a matching mechanism, all I was interested was whether IAM allows substitutions of more than 1 variable in a conditional evaluation. What I had there was just an example: "${www.amazon.com:user_id}${aws:PrincipalTag/myCustomTag}". So if www.amazon.com:user_id="JOHN", and aws:PrincipalTag/myCustomTag="NEW YORK", will IAM concatenate this to "JOHNNEW WORK" and evaluate this?

answered 3 months ago
0

So in this case, yes, however, because your operator is "ForAllValues:StringEquals" it will take 2 things for the condition to be active: that the userID is John, and also, that the PrincipalTag = NEWYORK. So both have to be true or present before the condition becomes "active" (whether it is for an Allow or Deny).

I believe in your use-case you would need 2 condition operators within the condition, something like this for example:

  "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "192.0.2.0/24"
                ]
            },
              "StringNotLike": {
                 "aws:RequestTag/Env": [
                        "Dev"
                    ]
            }

In the example above, it means the NopIPAddress operator AND the RequestTag operators both have to be "valid" before the condition is applied, meaning, the IP is not from the subnet 192.0.2.0/24, and also, that the RequestTag is not a DEV env, then the condition will apply

answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions