Constants defined in the AWS Documentation.

Condition Context Keys

When a principal makes a request to AWS, AWS gathers the request information into a request context. You can use the Condition element of a JSON policy to compare the request context with values that you specify in your policy. To learn more about the circumstances under which a global key is included in the request context, see the Availability information for each global condition key.

From AWS Global Condition Context Keys.

Constants

Use this key to compare the date and time of the request with the date and time that you specify in the policy.

Use this key to compare the date and time of the request in epoch or Unix time with the value that you specify in the policy. This key also accepts the number of seconds since January 1, 1970.

Use this key to compare the number of seconds since the requesting principal was authorized using MFA with the number that you specify in the policy.

Use this key to check whether multi-factor authentication (MFA) was used to validate the temporary security credentials that made the request.

Use this key to compare the account to which the requesting principal belongs with the account identifier that you specify in the policy.

Use this key to compare the Amazon Resource Name (ARN) of the principal that made the request with the ARN that you specify in the policy. For IAM roles, the request context returns the ARN of the role, not the ARN of the user that assumed the role.

Use this key to compare the identifier of the organization in AWS Organizations to which the requesting principal belongs with the identifier specified in the policy.

Use this key to compare the tag attached to the principal making the request with the tag that you specify in the policy. If the principal has more than one tag attached, the request context includes one aws:PrincipalTag key for each attached tag key.

Use this key to compare the type of principal making the request with the principal type that you specify in the policy.

Use this key to compare who referred the request in the client browser with the referer that you specify in the policy. The aws:referer request context value is provided by the caller in an HTTP header.

Use this key to compare the AWS Region that was called in the request with the region that you specify in the policy. You can use this global condition key to control which Regions can be requested.

Use this key to compare the tag key-value pair that was passed in the request with the tag pair that you specify in the policy. For example, you could check whether the request includes the tag key “Dept” and that it has the value “Accounting”.

Use this key to compare the tag key-value pair that you specify in the policy with the key-value pair that is attached to the resource. For example, you could require that access to a resource is allowed only if the resource has the attached tag key “Dept” with the value “Marketing”.

Use this key to check whether the request was sent using SSL. The request context returns true or false. In a policy, you can allow specific actions only if the request is sent using SSL.

Use this key to compare the source of the request with the account ID that you specify in the policy.

Use this key to compare the source of the request with the Amazon Resource Name (ARN) that you specify in the policy.

Use this key to compare the requester’s IP address with the IP address that you specify in the policy.

Use this key to check whether the request comes from the VPC that you specify in the policy. In a policy, you can use this key to allow access to only a specific VPC.

Use this key to compare the VPC endpoint identifier of the request with the endpoint ID that you specify in the policy. In a policy, you can use this key to restrict access to a specific VPC endpoint.

Use this key to compare the tag keys in a request with the keys that you specify in the policy. As a best practice when you use policies to control access using tags, use the aws:TagKeys condition key to define what tag keys are allowed.

Use this key to compare the date and time that temporary security credentials were issued with the date and time that you specify in the policy.

Use this key to compare the requester’s client application with the application that you specify in the policy.

Use this key to compare the requester’s principal identifier with the ID that you specify in the policy. For IAM users, the request context value is the user ID. For IAM roles, this value format can vary.

Use this key to compare the requester’s user name with the user name that you specify in the policy.

Use this key to compare the IP address from which a request was made with the IP address that you specify in the policy. In a policy, the key matches only if the request originates from the specified IP address and it goes through a VPC endpoint.