AWS IAM Policy Condition Operators Explained
I can never remember how they all work, so I wrote it down
There are 27 basic condition operators you can use in an AWS IAM policy. Then you can add ForAllValues or
ForAnyValue to the beginning and IfExists to the end of almost all of them. That works
out to, well... a lot of combinations that you can use in Allow or Deny statements.
You can create a triple negative where one of the negatives is ignored; it's a good time. I've seen smart
people with years of experience on AWS scratch their heads at this.
We have documented the essential behavior of every possible operator with example policies showing
how they impact Allow and Deny statements. Many of the combinations
are not recommended because they are confusing or will literally never work; this page has all the combinations a
sane person will use. If you want to see every single possible operator, you can check out the
full list.
ARN Operators
Binary Value Operators
Boolean Operators
Datetime Operators
String Operators
- StringEquals
- StringEqualsIfExists
- ForAllValues: StringEquals
- ForAnyValue: StringEquals
- StringEqualsIgnoreCase
- StringEqualsIgnoreCaseIfExists
- ForAllValues: StringEqualsIgnoreCase
- ForAnyValue: StringEqualsIgnoreCase
- StringLike
- StringLikeIfExists
- ForAllValues: StringLike
- ForAnyValue: StringLike
- StringNotEquals
- StringNotEqualsIfExists
- ForAllValues: StringNotEquals
- ForAnyValue: StringNotEquals
- StringNotEqualsIgnoreCase
- StringNotEqualsIgnoreCaseIfExists
- ForAllValues: StringNotEqualsIgnoreCase
- ForAnyValue: StringNotEqualsIgnoreCase
- StringNotLike
- StringNotLikeIfExists
- ForAllValues: StringNotLike
- ForAnyValue: StringNotLike