Maurice Amar

Reputation: 139

How to define one condition that validates at least one key in an AWS IAM policy

I am looking for a solution to define a policy that accepts only one of two IP addresses as the source IP "OR" a source VPC (pool of private IP addresses), please see below.

By definition, there is an "AND" between the keys in the same condition (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "11.11.11.11/32",
                        "22.22.22.22/32"
                    ]
                },
                "Bool": {
                    "aws:ViaAWSService": "false"
                },
                "StringNotEquals": {
                    "aws:SourceVpc": [
                        "vpc-00222222222222"
                    ]
                }
            }
        }
    ] 
}

thanks

Upvotes: 0

Views: 244

Answers (1)

Marcin

Reputation: 238397

You have to duplicate your statements for OR. I know that's code duplication and it's not "pretty", but this is how it is done (I'm not sure what you want to do with your Bool):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "11.11.11.11/32",
                        "22.22.22.22/32"
                    ]
                },
                "Bool": {
                    "aws:ViaAWSService": "false"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:ViaAWSService": "false"
                },
                "StringNotEquals": {
                    "aws:SourceVpc": [
                        "vpc-00222222222222"
                    ]
                }
            }
        }
    ]
}

Upvotes: 1
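To check what a Condition shape actually permits before it is attached to anything, here is an added toy evaluator (my own example, not the IAM engine and not code from either post) that applies the documented evaluation rules to the single-block policy from the question and the two-statement version from the answer, against constructed request contexts; the CIDRs and VPC id are the placeholder values from the thread.

```python
import ipaddress

# Added toy evaluator for the IAM Condition rules this thread turns on (not the
# IAM engine): keys in one Condition block are ANDed, several values for one key
# are ORed, negated "Not..." operators match when the key is absent from the
# request context, and any matching Deny statement denies the request.
def _op_matches(op, want, ctx):
    """Evaluate one operator block ({key: values}) against the request context."""
    for key, values in want.items():
        values = values if isinstance(values, list) else [values]
        actual = ctx.get(key)
        if op == "NotIpAddress":  # absent key -> true; else IP must be in no CIDR
            if actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values):
                return False
        elif op == "StringNotEquals":  # absent key -> true (None is in no list)
            if actual in values:
                return False
        elif op == "Bool":  # absent key -> false
            if actual is None or actual.lower() != values[0].lower():
                return False
        else:
            raise ValueError(f"unsupported operator {op}")
    return True

def is_denied(policy, ctx):
    """True if the whole Condition block of any Deny statement matches ctx."""
    return any(stmt["Effect"] == "Deny" and all(
        _op_matches(op, want, ctx) for op, want in stmt.get("Condition", {}).items())
        for stmt in policy["Statement"])

IPS = {"aws:SourceIp": ["11.11.11.11/32", "22.22.22.22/32"]}
VPC = {"aws:SourceVpc": ["vpc-00222222222222"]}
SVC = {"aws:ViaAWSService": "false"}
DENY = {"Effect": "Deny", "Action": "*", "Resource": "*"}
# Question's shape: all three keys in ONE Condition block (ANDed together).
ONE_BLOCK = {"Statement": [
    {**DENY, "Condition": {"NotIpAddress": IPS, "Bool": SVC, "StringNotEquals": VPC}}]}
# Answer's shape: the same keys split over TWO Deny statements.
TWO_STMTS = {"Statement": [
    {**DENY, "Condition": {"NotIpAddress": IPS, "Bool": SVC}},
    {**DENY, "Condition": {"Bool": SVC, "StringNotEquals": VPC}}]}
# Constructed request contexts: aws:SourceIp is absent for requests that arrive
# through a VPC endpoint, and aws:SourceVpc is present only for those requests.
FROM_LISTED_IP = {"aws:SourceIp": "11.11.11.11", "aws:ViaAWSService": "false"}
FROM_OTHER_IP = {"aws:SourceIp": "33.33.33.33", "aws:ViaAWSService": "false"}
FROM_VPC = {"aws:SourceVpc": "vpc-00222222222222", "aws:ViaAWSService": "false"}
FROM_OTHER_VPC = {"aws:SourceVpc": "vpc-0other", "aws:ViaAWSService": "false"}
VIA_SERVICE = {"aws:ViaAWSService": "true"}
```

Call is_denied(policy, ctx) for each policy and context pair to compare what the two shapes deny.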
