IAM Policy Conditions



Just like to know in general, does IAM allow conditions where the value is a concatenation of > 1 variable? Eg. Specifically:

"Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_id}${aws:PrincipalTag/myCustomTag}" ] } }

The above is for DynamoDB, but in general is concatenation allowed?

Thank you

asked 2 years ago, 422 views
3 Answers

Could you please elaborate on what is the intent or what are you trying to achieve exactly with the policy? This will help answer the question more accurately.

"ForAllValues:StringEquals" in a condition simply means that all values have to be present (true) for the condition to take place, whereas for example "ForAnyValue:StringEquals" would accept any of the values given for the condition to take effect.

More info: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html

Hope this helps.

answered 2 years ago

Thank you for your reply. Further to your question, since the IAM policies are just a matching mechanism, all I was interested in was whether IAM allows substitution of more than 1 variable in a conditional evaluation. What I had there was just an example: "${www.amazon.com:user_id}${aws:PrincipalTag/myCustomTag}". So if www.amazon.com:user_id="JOHN", and aws:PrincipalTag/myCustomTag="NEW YORK", will IAM concatenate this to "JOHNNEW YORK" and evaluate this?

answered 2 years ago

So in this case, yes. However, because your operator is "ForAllValues:StringEquals", it will take 2 things for the condition to be active: that the user ID is JOHN, and also that the PrincipalTag = NEWYORK. So both have to be true or present before the condition becomes "active" (whether it is for an Allow or Deny).

I believe in your use-case you would need 2 condition operators within the condition, something like this for example:

  "Condition": {
      "NotIpAddress": {
          "aws:SourceIp": [
              ...
          ]
      },
      "StringNotLike": {
          "aws:RequestTag/Env": [
              ...
          ]
      }
  }

In the example above, it means the NotIpAddress operator AND the RequestTag operator both have to be "valid" before the condition is applied, meaning that the IP is not from the subnet, and also that the RequestTag is not a DEV env; then the condition will apply.

answered 2 years ago
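Added example, not part of the original thread or of any AWS code: a small Python model of how a Condition block is evaluated, so the two points above (variables concatenated inside one policy string, and set operators ANDed with other operators) can be checked on concrete inputs. It models the behaviour documented for IAM condition operators: each ${...} in a policy value is substituted from the request context before comparison (the thread's example concatenates two variables into one string); ForAllValues:StringEquals is true when every value the request carries for the key is in the policy set, and is vacuously true when the request carries no value for the key; ForAnyValue:StringEquals needs at least one match and is false when the key is absent; Null:"false" requires the key to be present; and every operator/key pair in one Condition block must match (AND). Only StringEquals and Null are modelled, the request contexts are constructed sample data, and a policy variable with no value in the context is assumed to make that key fail to match.

```python
"""Model of IAM Condition-block evaluation (added example, not AWS code)."""
import re
from typing import Dict, List, Mapping, Sequence, Union

# Request context: condition key -> values the request carries for it.
Context = Mapping[str, Sequence[str]]
# Condition block: operator -> {key: policy value(s)}; Null takes a bare string.
Condition = Mapping[str, Mapping[str, Union[str, Sequence[str]]]]

_VAR = re.compile(r"\$\{([^}]+)\}")


def substitute(template: str, context: Context) -> str:
    """Expand every ${variable} in a policy string from the request context.

    Several variables may sit side by side in one string, so the result is
    their concatenation. Raises KeyError when a variable has no value.
    """
    def repl(match) -> str:
        values = context.get(match.group(1))
        if not values:
            raise KeyError(match.group(1))
        return values[0]  # assumption: variables resolve to single-valued keys
    return _VAR.sub(repl, template)


def _eval_key(operator: str, key: str, policy_values, context: Context) -> bool:
    """Evaluate one operator/key pair of a Condition block."""
    request_values = list(context.get(key, []))
    if operator == "Null":
        # Null: "true" means the key must be absent, "false" that it must be present.
        want_absent = str(policy_values).lower() == "true"
        return (not request_values) if want_absent else bool(request_values)

    set_op, _, base_op = operator.rpartition(":")
    if base_op != "StringEquals":
        raise NotImplementedError(f"operator {operator} is not modelled here")
    if isinstance(policy_values, str):
        policy_values = [policy_values]
    try:
        policy_set = {substitute(v, context) for v in policy_values}
    except KeyError:
        return False  # assumption: an unresolvable variable means no match

    if set_op == "ForAllValues":
        # Every request value must be in the policy set; vacuously true when the
        # request carries no value for the key (the documented pitfall).
        return all(v in policy_set for v in request_values)
    if set_op == "ForAnyValue":
        return any(v in policy_set for v in request_values)
    if set_op == "":
        # Single-valued operator: key must be present; several policy values are ORed.
        return len(request_values) == 1 and request_values[0] in policy_set
    raise NotImplementedError(f"set operator {set_op} is not modelled here")


def eval_condition(condition: Condition, context: Context) -> bool:
    """True only when every operator/key pair in the block matches (they are ANDed)."""
    return all(
        _eval_key(operator, key, policy_values, context)
        for operator, keys in condition.items()
        for key, policy_values in keys.items()
    )


# The condition from the question: every leading key must equal user_id + tag.
QUESTION_CONDITION = {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}${aws:PrincipalTag/myCustomTag}"]
    }
}
# Same block with the Null check that closes the "key absent" gap of ForAllValues.
HARDENED_CONDITION = {**QUESTION_CONDITION, "Null": {"dynamodb:LeadingKeys": "false"}}


def principal(*leading_keys: str) -> Dict[str, List[str]]:
    """Constructed request context for the principal in the thread (JOHN / NEW YORK)."""
    ctx = {"www.amazon.com:user_id": ["JOHN"], "aws:PrincipalTag/myCustomTag": ["NEW YORK"]}
    if leading_keys:
        ctx["dynamodb:LeadingKeys"] = list(leading_keys)
    return ctx


def demo() -> Dict[str, bool]:
    """Evaluate the thread's condition against a few constructed requests."""
    for_any = {"ForAnyValue:StringEquals": QUESTION_CONDITION["ForAllValues:StringEquals"]}
    return {
        "own_row": eval_condition(QUESTION_CONDITION, principal("JOHNNEW YORK")),
        "mixed_rows": eval_condition(QUESTION_CONDITION, principal("JOHNNEW YORK", "JANENEW YORK")),
        "no_key_forall": eval_condition(QUESTION_CONDITION, principal()),
        "no_key_forany": eval_condition(for_any, principal()),
        "no_key_hardened": eval_condition(HARDENED_CONDITION, principal()),
        "own_row_hardened": eval_condition(HARDENED_CONDITION, principal("JOHNNEW YORK")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "no_key_forall" case is the one to watch in a real policy: an Allow whose only condition is ForAllValues matches a request that carries no dynamodb:LeadingKeys at all, which is why the hardened block pairs it with Null:"false" in the same Condition, relying on the AND across operators that the answer above describes.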
