Reputation: 51
I have a requirement where I have to allow AWS IAM users access to AWS console only on particular days during particular time frames. Can anyone tell me how this can be implemented in a policy
Upvotes: 4
Views: 1946
Reputation: 64741
The optional Condition element within an IAM Policy lets you specify conditions for when a policy is in effect:
In the Condition element, you build expressions in which you use Boolean operators (equal, less than, etc.) to match your condition against values in the request. Condition values can include date, time, the IP address of the requester, the ARN of the request source, the user name, user ID, and the user agent of the requester. [...] [emphasis mine]
A provided example uses the DateLessThan condition with the aws:CurrentTime key to specify that the request must be received before June 30, 2013:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "iam:*AccessKey*",
    "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/*",
    "Condition": {"DateLessThan": {"aws:CurrentTime": "2013-06-30T00:00:00Z"}}
  }
}
As shown here, this unfortunately only works with conditions relative to absolute dates, rather than say a cron expression or something similar for specifying particular hours of a day or days in a week:
Date conditions let you restrict access based on comparing a key to a date/time value. You use these conditions with the aws:CurrentTime key or aws:EpochTime keys. You must specify date/time values with one of the W3C implementations of the ISO 8601 date formats or in epoch (UNIX) time.
Assuming this to be your use case in fact, you would need to wrap the condition management with some automation that updates the absolute ISO 8601 dates in your policy in a rolling fashion based on your requirements.
Upvotes: 3
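The rolling-date automation the answer describes, as an added example that is not part of the original post or of any AWS tooling. It takes a weekday/time-of-day schedule in a local time zone, converts each upcoming window to UTC (aws:CurrentTime is always compared in UTC), emits one Allow statement per window bounded by DateGreaterThanEquals and DateLessThan, and includes a small local evaluator for checking the generated document before it is pushed. The schedule, the UTC+2 offset, the action list ec2:Describe* and the function names are assumptions chosen for illustration; the dates in the sample run are constructed.

```python
"""Rolling IAM time-window policy: generate one Allow statement per allowed
window using DateGreaterThanEquals / DateLessThan on aws:CurrentTime, and
dry-run the result locally. Added example, not code from the original post."""
import json
from datetime import datetime, time, timedelta, timezone

ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"   # the ISO 8601 form IAM accepts for aws:CurrentTime


def windows_for(schedule, start, days, tz):
    """Return (begin, end) UTC datetimes for every allowed window in the next `days` local days.

    schedule maps weekday number (0 = Monday) to a list of (start, end) datetime.time
    pairs in `tz` local time. `start` must be a timezone-aware datetime.
    """
    first_day = start.astimezone(tz).date()
    windows = []
    for offset in range(days):
        day = first_day + timedelta(days=offset)
        for t_begin, t_end in schedule.get(day.weekday(), []):
            begin = datetime.combine(day, t_begin, tzinfo=tz).astimezone(timezone.utc)
            end = datetime.combine(day, t_end, tzinfo=tz).astimezone(timezone.utc)
            windows.append((begin, end))
    return windows


def build_policy(windows, actions, resource="*"):
    """Build a policy document with one Allow statement per window.

    Keys within one Condition block are ANDed, so a single statement can bound a
    window on both sides. Multiple values under one key are ORed, so putting all
    windows into one statement would allow everything from the earliest begin to
    the latest end; that is why each window gets its own statement.
    """
    statements = []
    for begin, end in windows:
        statements.append({
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": resource,
            "Condition": {
                "DateGreaterThanEquals": {"aws:CurrentTime": begin.strftime(ISO_UTC)},
                "DateLessThan": {"aws:CurrentTime": end.strftime(ISO_UTC)},
            },
        })
    return {"Version": "2012-10-17", "Statement": statements}


def is_allowed(policy, action, at_utc):
    """Local dry-run of IAM's evaluation for this policy shape.

    at_utc is an ISO string in the same form as the policy values. Implicit deny
    unless some Allow statement lists the action literally (wildcard matching is
    not modelled) and both of its date conditions hold.
    """
    now = datetime.strptime(at_utc, ISO_UTC).replace(tzinfo=timezone.utc)
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or action not in acts:
            continue
        cond = stmt.get("Condition", {})
        lo = datetime.strptime(cond["DateGreaterThanEquals"]["aws:CurrentTime"], ISO_UTC)
        hi = datetime.strptime(cond["DateLessThan"]["aws:CurrentTime"], ISO_UTC)
        if lo.replace(tzinfo=timezone.utc) <= now < hi.replace(tzinfo=timezone.utc):
            return True
    return False


# Constructed example inputs (assumptions, not from the original post):
# business hours Mon-Fri 09:00-17:00 at a fixed UTC+2 offset, rolled one week ahead.
BUSINESS_HOURS = {weekday: [(time(9, 0), time(17, 0))] for weekday in range(5)}
LOCAL_TZ = timezone(timedelta(hours=2))   # use zoneinfo.ZoneInfo(...) for DST-aware zones
ACTIONS = ["ec2:Describe*"]               # placeholder for the actions the users need


def example_policy():
    """The policy a scheduler would regenerate each week, starting Monday 2024-01-01."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return build_policy(windows_for(BUSINESS_HOURS, start, 7, LOCAL_TZ), ACTIONS)


if __name__ == "__main__":
    print(json.dumps(example_policy(), indent=2))
```

A scheduled job would regenerate this document and push it with iam:PutUserPolicy (inline) or iam:CreatePolicyVersion (managed) before the last emitted window expires; between runs the policy stays deny-by-default outside the listed windows. Two caveats worth checking before relying on this: managed policy documents are capped at 6,144 characters excluding whitespace, so roll a short horizon rather than months of windows, and an IAM policy gates the API actions the console calls, not the sign-in page itself, so users can still log in outside the window and will simply be denied on every action.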