IAM conditions and operators Cheat Sheet

AWS IAM Conditions and Operators Cheat Sheet

Note: the `"Action": "*"` / `"Resource": "*"` in the examples exist only to keep the focus on the condition operator; scope both in real policies. Keep the `...IfExists` rule in mind throughout: when the condition key is absent from the request context the condition evaluates to **true**, so an Allow with `...IfExists` also grants requests that lack the key, and a Deny with `...IfExists` also denies them. Negated operators (`StringNotEquals`, `NotIpAddress`, ...) likewise treat a missing key as a match.

Table of Contents

  1. String Operators
  2. Numeric Operators
  3. Date Operators
  4. Boolean Operators
  5. IP Address Operators
  6. ARN Operators
  7. Set Operators (Multiple Value)
  8. Null Check Operators
  9. Common Combined Patterns
  10. Best Practices

1. String Operators

StringEquals and Variants

// ALLOW: Exact match
{
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:RequestTag/Environment": "production"
        }
    }
}

// DENY: Non-matching environments (StringNotEquals also matches when the key is absent, so RunInstances calls without an Environment tag are denied too — usually what tag enforcement wants)
{
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {
        "StringNotEquals": {
            "aws:RequestTag/Environment": "production"
        }
    }
}

// ALLOW: Match if exists (StringEqualsIfExists also evaluates true when the request carries no Environment tag, so untagged launches are allowed — add "Null": {"aws:RequestTag/Environment": "false"} if the tag must be present)
{
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {
        "StringEqualsIfExists": {
            "aws:RequestTag/Environment": "production"
        }
    }
}

// DENY: If exists and matches — and, by the missing-key rule, also when no Environment tag is in the request at all
{
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {
        "StringEqualsIfExists": {
            "aws:RequestTag/Environment": ["dev", "test"]
        }
    }
}

StringLike and Variants

// ALLOW: Wildcard match
// (s3:prefix is only in the request context for bucket-listing actions such as
//  s3:ListBucket; on s3:GetObject the key is absent and StringLike never matches)
{
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "s3:prefix": ["backup/*", "archive/*"]
        }
    }
}

// DENY: Wildcard block
// (must be a listing action: with s3:GetObject the s3:prefix key is absent, the
//  condition is false and the Deny never fires — object reads would not be blocked)
{
    "Effect": "Deny",
    "Action": "s3:ListBucket",
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "s3:prefix": "confidential/*"
        }
    }
}

// ALLOW: Wildcard match if exists
// (listing action, since s3:prefix is never present on s3:GetObject; note that a
//  ListBucket call made without any prefix parameter is allowed by the IfExists form)
{
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "*",
    "Condition": {
        "StringLikeIfExists": {
            "s3:prefix": ["public/*", "shared/*"]
        }
    }
}

// DENY: If exists and matches pattern
// (listing action; with s3:GetObject the key is absent and IfExists would deny every object read)
{
    "Effect": "Deny",
    "Action": "s3:ListBucket",
    "Resource": "*",
    "Condition": {
        "StringLikeIfExists": {
            "s3:prefix": ["secret/*", "private/*"]
        }
    }
}

StringEqualsIgnoreCase and Variants

// ALLOW: Case-insensitive match
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "StringEqualsIgnoreCase": {
            "aws:RequestTag/Environment": ["Prod", "Production", "PROD"]
        }
    }
}

// DENY: Case-insensitive block
{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "StringEqualsIgnoreCase": {
            "aws:RequestTag/Environment": ["Dev", "Test", "UAT"]
        }
    }
}

// ALLOW: Case-insensitive if exists (with Action "*" this also allows every request that carries no Environment tag, i.e. almost everything — prefer plain StringEqualsIgnoreCase or add a Null check)
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "StringEqualsIgnoreCaseIfExists": {
            "aws:RequestTag/Environment": ["Prod", "DR"]
        }
    }
}

2. Numeric Operators

NumericEquals and Variants

// ALLOW: Exact number match
{
    "Effect": "Allow",
    "Action": "ec2:CreateVolume",
    "Resource": "*",
    "Condition": {
        "NumericEquals": {
            "ec2:VolumeSize": "100"
        }
    }
}

// DENY: Specific sizes
{
    "Effect": "Deny",
    "Action": "ec2:CreateVolume",
    "Resource": "*",
    "Condition": {
        "NumericEquals": {
            "ec2:VolumeSize": ["1000", "2000"]
        }
    }
}

// ALLOW: If size exists and matches
{
    "Effect": "Allow",
    "Action": "ec2:CreateVolume",
    "Resource": "*",
    "Condition": {
        "NumericEqualsIfExists": {
            "ec2:VolumeSize": ["50", "100", "200"]
        }
    }
}

NumericGreaterThan/LessThan and Variants

// ALLOW: Size range
{
    "Effect": "Allow",
    "Action": "ec2:CreateVolume",
    "Resource": "*",
    "Condition": {
        "NumericGreaterThan": {
            "ec2:VolumeSize": "10"
        },
        "NumericLessThan": {
            "ec2:VolumeSize": "1000"
        }
    }
}

// DENY: Below range (lower bound only; the upper bound needs its own Deny statement — conditions within one statement are ANDed, so "< 10 OR > 1000" cannot be expressed in a single statement)
{
    "Effect": "Deny",
    "Action": "ec2:CreateVolume",
    "Resource": "*",
    "Condition": {
        "NumericLessThan": {
            "ec2:VolumeSize": "10"
        }
    }
}

// ALLOW: Range if exists
{
    "Effect": "Allow",
    "Action": "ec2:CreateVolume",
    "Resource": "*",
    "Condition": {
        "NumericGreaterThanIfExists": {
            "ec2:VolumeSize": "10"
        },
        "NumericLessThanIfExists": {
            "ec2:VolumeSize": "500"
        }
    }
}

3. Date Operators

DateEquals and Variants

// ALLOW: Specific instant (DateEquals on aws:CurrentTime matches only that exact second — for a whole day or a window use DateGreaterThan/DateLessThan)
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "DateEquals": {
            "aws:CurrentTime": "2024-12-25T00:00:00Z"
        }
    }
}

// DENY: Blackout instant (same caveat: this denies only at exactly 2024-12-31T00:00:00Z, not for the whole day)
{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "DateEquals": {
            "aws:CurrentTime": "2024-12-31T00:00:00Z"
        }
    }
}

// ALLOW: If date exists (aws:CurrentTime is always in the request context, so the IfExists form behaves exactly like DateEquals here)
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "DateEqualsIfExists": {
            "aws:CurrentTime": "2024-12-25T00:00:00Z"
        }
    }
}

DateGreaterThan/LessThan and Variants

// ALLOW: Fixed time window (a one-off window on 2024-10-26; IAM has no recurring "business hours" condition)
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "DateGreaterThan": {
            "aws:CurrentTime": "2024-10-26T09:00:00Z"
        },
        "DateLessThan": {
            "aws:CurrentTime": "2024-10-26T17:00:00Z"
        }
    }
}

// DENY: Before the window (access after the window needs a second Deny statement with DateGreaterThan — one statement's conditions are ANDed)
{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "DateLessThan": {
            "aws:CurrentTime": "2024-10-26T09:00:00Z"
        }
    }
}

// ALLOW: Time range if exists
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "DateGreaterThanIfExists": {
            "aws:CurrentTime": "2024-10-26T09:00:00Z"
        },
        "DateLessThanIfExists": {
            "aws:CurrentTime": "2024-10-26T17:00:00Z"
        }
    }
}

4. Boolean Operators

Bool and Variants

// ALLOW: With MFA
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "Bool": {
            "aws:MultiFactorAuthPresent": "true"
        }
    }
}

// DENY: Without SSL
{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "Bool": {
            "aws:SecureTransport": "false"
        }
    }
}

// DENY: Not MFA-authenticated
// (aws:MultiFactorAuthPresent is absent for requests signed with long-term access
//  keys, so an Allow with BoolIfExists "true" would grant those requests. Use plain
//  Bool "true" on an Allow, and BoolIfExists "false" on a Deny so the missing key is denied too.)
{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

5. IP Address Operators

IpAddress and Variants

// ALLOW: Corporate ranges (aws:SourceIp is the public address AWS sees; RFC 1918 ranges like these never match internet-routed requests — use your egress public CIDRs, and aws:VpcSourceIp for traffic arriving through VPC endpoints)
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "IpAddress": {
            "aws:SourceIp": [
                "10.0.0.0/8",
                "172.16.0.0/12"
            ]
        }
    }
}

// DENY: External ranges (a missing aws:SourceIp counts as "not in range", so requests through VPC endpoints and calls AWS services make on your behalf are denied too; add "Bool": {"aws:ViaAWSService": "false"} or a Null guard if that is not intended)
{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "NotIpAddress": {
            "aws:SourceIp": [
                "10.0.0.0/8",
                "172.16.0.0/12"
            ]
        }
    }
}

// ALLOW: If IP exists in range (requests with no aws:SourceIp — e.g. via VPC endpoints — are allowed unconditionally by the IfExists form)
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "IpAddressIfExists": {
            "aws:SourceIp": [
                "10.0.0.0/8",
                "172.16.0.0/12"
            ]
        }
    }
}

6. ARN Operators

ArnEquals/ArnLike and Variants

// ALLOW: Specific source ARN (aws:SourceArn is only set when an AWS service calls on your behalf — a confused-deputy guard; it is absent on a principal's direct sts:AssumeRole call, so this never matches such calls. To scope by the calling principal use aws:PrincipalArn.)
{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "*",
    "Condition": {
        "ArnEquals": {
            "aws:SourceArn": "arn:aws:iam::123456789012:role/service-role"
        }
    }
}

// DENY: Pattern match (same key caveat: aws:SourceArn is absent on direct principal calls, so this Deny only affects service-originated requests)
{
    "Effect": "Deny",
    "Action": "sts:AssumeRole",
    "Resource": "*",
    "Condition": {
        "ArnLike": {
            "aws:SourceArn": "arn:aws:iam::*:role/blocked-*"
        }
    }
}

// ALLOW: If ARN exists and matches (dangerous as an Allow: aws:SourceArn is absent on direct calls, so this grants sts:AssumeRole on every role to any direct caller)
{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "*",
    "Condition": {
        "ArnEqualsIfExists": {
            "aws:SourceArn": [
                "arn:aws:iam::123456789012:role/allowed-*",
                "arn:aws:iam::123456789012:role/service-*"
            ]
        }
    }
}

7. Set Operators

ForAllValues and Variants

// ALLOW: All tags from approved list (ForAllValues is also true when the key set is empty or absent — on an Allow pair it with "Null": {"aws:TagKeys": "false"})
{
    "Effect": "Allow",
    "Action": "ec2:CreateTags",
    "Resource": "*",
    "Condition": {
        "ForAllValues:StringEquals": {
            "aws:TagKeys": [
                "Environment",
                "Project",
                "Owner"
            ]
        }
    }
}

// DENY: If any tag key is not on the approved list
// (ForAllValues:StringNotEquals would only deny when *none* of the keys are approved;
//  ForAnyValue:StringNotEquals denies as soon as one unapproved key is present)
{
    "Effect": "Deny",
    "Action": "ec2:CreateTags",
    "Resource": "*",
    "Condition": {
        "ForAnyValue:StringNotEquals": {
            "aws:TagKeys": [
                "Environment",
                "Project",
                "Owner"
            ]
        }
    }
}

// ALLOW: All existing tags match (evaluates true for an empty or absent aws:TagKeys set as well)
{
    "Effect": "Allow",
    "Action": "ec2:CreateTags",
    "Resource": "*",
    "Condition": {
        "ForAllValues:StringEqualsIfExists": {
            "aws:TagKeys": [
                "Environment",
                "Project",
                "Owner"
            ]
        }
    }
}

ForAnyValue and Variants

// ALLOW: Any matching region (aws:RequestedRegion is single-valued, so plain StringEquals is the right operator; ForAnyValue is intended for multivalued keys such as aws:TagKeys)
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "ForAnyValue:StringEquals": {
            "aws:RequestedRegion": [
                "us-east-1",
                "us-west-2"
            ]
        }
    }
}

// DENY: Any matching blocked region
{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "ForAnyValue:StringEquals": {
            "aws:RequestedRegion": [
                "ap-southeast-1",
                "ap-southeast-2"
            ]
        }
    }
}

8. Null Check Operators

Null Operator

// ALLOW: If tag exists
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "Null": {
            "aws:RequestTag/Environment": "false"
        }
    }
}

// DENY: If tag missing
{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "Null": {
            "aws:RequestTag/Environment": "true"
        }
    }
}

9. Common Combined Patterns

Multiple Controls

// ALLOW: Production access with multiple controls
{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:RequestTag/Environment": "production"
        },
        "Bool": {
            "aws:MultiFactorAuthPresent": "true"
        },
        "IpAddress": {
            "aws:SourceIp": "10.0.0.0/8"
        },
        "DateGreaterThanEquals": {
            "aws:CurrentTime": "2024-10-26T09:00:00Z"
        },
        "DateLessThanEquals": {
            "aws:CurrentTime": "2024-10-26T17:00:00Z"
        }
    }
}

// DENY: Multiple restrictions
{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:RequestTag/Environment": ["dev", "test"]
        },
        "Bool": {