Advanced IAM policy conditions

Conditions provide the granular control that many organizations need. They allow you to specify the circumstances under which the policy statement is in effect. These conditions can be:

• Global conditions: Apply these universally across AWS services, such as using aws:MultiFactorAuthPresent to verify MFA status for resource access
• Service-specific conditions: These are unique to certain AWS services, such as s3:prefix, to restrict access to specific folders (prefixes) in an S3 bucket
• Conditions based on tags: Utilize resource tags, such as restricting actions to EC2 instances tagged with “Environment:Production”

Building on our previous example, let’s say you want the IAM user to access the S3 bucket only if they are logging in from a specific IP address, during business hours, and have MFA enabled. Here, the policy might evolve into the following:

{
  “Version”: “2012-10-17”,
  “Statement”: [
    {
      “Effect”: “Allow”,
      “Action”: “s3:GetObject”,
      “Resource”: “arn:aws:s3:::example-bucket/*”,
      “Condition”: {
        “IpAddress”: {“aws:SourceIp”: “22.3.111.9/32”},
        “DateGreaterThan”: {“aws:CurrentTime”: “09:00:00Z”},
        “DateLessThan”: {“aws:CurrentTime”: “17:00:00Z”},
        “Bool”: {“aws:MultiFactorAuthPresent”: “true”}
      }
    }
  ]
}

This policy uses global conditions (aws:SourceIp, aws:CurrentTime, and aws:MultiFactorAuthPresent) to restrict access based on the user’s IP address, the time of their request, and whether they have used MFA for authentication.

Testing IAM policies

Once you have crafted an IAM policy, it is imperative to test it to ensure it behaves as expected. AWS’s IAM policy simulator is a valuable tool for this purpose, allowing you to validate your policies’ effects without making actual AWS service calls. However, while the simulator is a great starting point, real-world testing in a controlled environment, such as a development or staging setup, is also invaluable. This hands-on approach ensures that the policy works as intended in all scenarios, capturing nuances that the simulator might miss.

IAM policy versions and rollbacks

As AWS environments evolve, IAM policies may need adjustments. AWS facilitates this by allowing policies to have versions. When you modify a customer-managed policy, AWS automatically creates a new version, enabling you to roll back to previous policy versions if required. Periodically reviewing policy versions and retaining only necessary ones helps maintain a clean policy environment and facilitates quick rollbacks during emergencies. It is worth noting that inline policies do not support versioning, which is another reason to avoid using them altogether.