Reputation: 737
When I look at a 'Request Context' in CloudTrail, I see record contents listed here.
Is there a mapping between the 'Request Context' record contents and the Condition keys?
Or is it correct to say that it is not mandatory for a condition to be present in the 'Request Context' but a Condition Key corresponding to the condition may still be available (AWS magic) to be used in a policy to evaluate this request? Are AWS-wide keys that use the prefix aws: available in all Request Contexts?
When I use a Condition Key in a policy, how can I be sure that the Condition key is present in the Request Context?
Of course, I can add an "IfExists" clause to check for the availability of a Condition key, but that is a 'catch all' mechanism. How can I be certain that I need not use an "IfExists" clause when checking a Condition in a policy?
I have posted a different but related question here as well.
Upvotes: 0
Views: 1185
Reputation: 737
A CloudTrail event only has a subset of the information from the Request Context. We never get to see the whole (details of an) AWS Request Context - a subset of it is logged as Record Contents in the CloudTrail Event.
CloudTrail Event and Request Context are 2 different things. You can view some information about the Request Context as Record Contents in the CloudTrail Event (only AWS sees the whole Request Context and checks it against permissions granted through policies to Allow / Deny the request).
Upvotes: 2
Reputation: 238397
I think you are confusing content of CT log event data:
with IAM condition keys for CloudTrail:
Also, to check if a policy key exists, use ...IfExists or a Null check.
If the key that you specify in a policy condition is not present in the request context, the values do not match.
The first one contains information about API calls in your CT trail, while the second is used in IAM policies to grant conditional permissions.
Upvotes: 0
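The rule stated in this answer (a key absent from the request context does not match, unless the operator carries the `IfExists` suffix or a `Null` check is used) can be made concrete with a small model of condition evaluation. The following is an added illustration, not AWS's evaluator and not code from either poster: it models only `StringEquals`, its `...IfExists` variant and the `Null` operator, and the request-context dictionaries it is run against are constructed stand-ins for the context AWS builds for a real request.

```python
"""Toy model of IAM Condition evaluation against a request context.

Added illustration only (not AWS code). It covers three operators:
  - StringEquals          : key must be present AND equal to a listed value
  - StringEqualsIfExists  : as above, but a missing key counts as a match
  - Null                  : "true" = key must be absent, "false" = key must be present
Policy-wide evaluation (implicit deny, multiple statements, set operators,
variables) is deliberately out of scope.
"""

IF_EXISTS = "IfExists"


def evaluate_condition(condition, request_context):
    """Return True when every block in an IAM Condition element matches.

    `condition` is the Condition element of one statement, e.g.
    {"StringEquals": {"aws:SourceVpc": "vpc-0a1b2c"}}; `request_context`
    maps condition-key names to the values the request carried.
    """
    for operator, key_values in condition.items():
        base_op, if_exists = operator, False
        if operator.endswith(IF_EXISTS):
            base_op, if_exists = operator[: -len(IF_EXISTS)], True

        for key, expected in key_values.items():
            # A policy may list one value or several; normalise to a list.
            expected = expected if isinstance(expected, list) else [expected]
            present = key in request_context

            if base_op == "Null":
                want_absent = str(expected[0]).lower() == "true"
                if present == want_absent:
                    return False  # presence disagrees with what Null asked for
            elif base_op == "StringEquals":
                if not present:
                    if if_exists:
                        continue      # ...IfExists: missing key is a match
                    return False      # plain operator: missing key never matches
                if request_context[key] not in expected:
                    return False
            else:
                raise NotImplementedError(f"operator not modelled: {operator}")
    return True


def demo():
    """Run the model over constructed contexts; returns a dict of outcomes."""
    policy_cond = {"StringEquals": {"aws:SourceVpc": "vpc-0a1b2c"}}       # constructed
    policy_cond_ie = {"StringEqualsIfExists": {"aws:SourceVpc": "vpc-0a1b2c"}}
    policy_null = {"Null": {"aws:SourceVpc": "true"}}

    ctx_from_vpc = {"aws:SourceVpc": "vpc-0a1b2c"}   # constructed: request via the VPC
    ctx_no_vpc_key = {"aws:SourceIp": "198.51.100.7"}  # constructed: key not in context

    return {
        "strict_with_key": evaluate_condition(policy_cond, ctx_from_vpc),
        "strict_without_key": evaluate_condition(policy_cond, ctx_no_vpc_key),
        "ifexists_without_key": evaluate_condition(policy_cond_ie, ctx_no_vpc_key),
        "null_true_without_key": evaluate_condition(policy_null, ctx_no_vpc_key),
        "null_true_with_key": evaluate_condition(policy_null, ctx_from_vpc),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `strict_without_key` case is the one the answer describes: the plain operator fails when the key is absent, which is why a Deny statement written with a plain operator silently stops applying to requests that never populate that key, while the `IfExists` form keeps matching them. The `Null` operator is the way to assert the presence or absence of a key explicitly rather than relying on that fall-through.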
Reputation: 1212
Check out the Condition Keys Table to find the condition context keys available for an AWS Service that can be used in an IAM policy statement's Condition element.
Upvotes: 1