IAM Tools

Null

Null checks if a context key is absent in the request. If the policy value is "true", the key must not exist in the request. If the policy value is "false", the key must exist in the request. Yes, it's that not-unconfusing.

You can NOT use policy variables in the value of this operator.

Null in an Allow Statement

Simulate In Policy Tester

Policy Condition	Request Context	Result
"Null": { "aws:TokenIssueTime": "true" }	`aws:TokenIssueTime: null`	Allowed Assuming no explicit Deny elsewhere
"Null": { "aws:TokenIssueTime": "true" }	`aws:TokenIssueTime: 2011-05-03T00:00:00Z`	Not Allowed Statement does not apply
"Null": { "aws:TokenIssueTime": "false" }	`aws:TokenIssueTime: null`	Not Allowed Statement does not apply
"Null": { "aws:TokenIssueTime": "false" }	`aws:TokenIssueTime: 2011-05-03T00:00:00Z`	Allowed Assuming no explicit Deny elsewhere

Given the Policy Condition:

"Null": {
  "aws:TokenIssueTime": "true"
}

When the Request Context has:

aws:TokenIssueTime: null

Then the result is:

Allowed Assuming no explicit Deny elsewhere

Given the Policy Condition:

"Null": {
  "aws:TokenIssueTime": "true"
}

When the Request Context has:

aws:TokenIssueTime: 
    2011-05-03T00:00:00Z

Then the result is:

Not Allowed Statement does not apply

Given the Policy Condition:

"Null": {
  "aws:TokenIssueTime": "false"
}

When the Request Context has:

aws:TokenIssueTime: null

Then the result is:

Not Allowed Statement does not apply

Given the Policy Condition:

"Null": {
  "aws:TokenIssueTime": "false"
}

When the Request Context has:

aws:TokenIssueTime: 
    2011-05-03T00:00:00Z

Then the result is:

Allowed Assuming no explicit Deny elsewhere

Null in a Deny Statement

Simulate In Policy Tester

Policy Condition	Request Context	Result
"Null": { "aws:TokenIssueTime": "true" }	`aws:TokenIssueTime: null`	Denied
"Null": { "aws:TokenIssueTime": "true" }	`aws:TokenIssueTime: 2011-05-03T00:00:00Z`	Not Denied May be allowed by another statement
"Null": { "aws:TokenIssueTime": "false" }	`aws:TokenIssueTime: null`	Not Denied May be allowed by another statement
"Null": { "aws:TokenIssueTime": "false" }	`aws:TokenIssueTime: 2011-05-03T00:00:00Z`	Denied

Given the Policy Condition:

"Null": {
  "aws:TokenIssueTime": "true"
}

When the Request Context has:

aws:TokenIssueTime: null

Then the result is:

Denied

Given the Policy Condition:

"Null": {
  "aws:TokenIssueTime": "true"
}

When the Request Context has:

aws:TokenIssueTime: 
    2011-05-03T00:00:00Z

Then the result is:

Not Denied May be allowed by another statement

Given the Policy Condition:

"Null": {
  "aws:TokenIssueTime": "false"
}

When the Request Context has:

aws:TokenIssueTime: null

Then the result is:

Not Denied May be allowed by another statement

Given the Policy Condition:

"Null": {
  "aws:TokenIssueTime": "false"
}

When the Request Context has:

aws:TokenIssueTime: 
    2011-05-03T00:00:00Z

Then the result is:

Denied