docs.aws.amazon.com Open in urlscan Pro
18.66.147.89  Public Scan

URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html
Submission: On January 17 via api from BR — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

SELECT YOUR COOKIE PREFERENCES

We use essential cookies and similar tools that are necessary to provide our
site and services. We use performance cookies to collect anonymous statistics so
we can understand how customers use our site and make improvements. Essential
cookies cannot be deactivated, but you can click “Customize cookies” to decline
performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide
useful site features, remember your preferences, and display relevant content,
including relevant advertising. To continue without accepting these cookies,
click “Continue without accepting.” To make more detailed choices or learn more,
click “Customize cookies.”

Accept all cookiesContinue without acceptingCustomize cookies


CUSTOMIZE COOKIE PREFERENCES

We use cookies and similar tools (collectively, "cookies") for the following
purposes.


ESSENTIAL

Essential cookies are necessary to provide our site and services and cannot be
deactivated. They are usually set in response to your actions on the site, such
as setting your privacy preferences, signing in, or filling in forms.




PERFORMANCE

Performance cookies provide anonymous statistics about how customers navigate
our site so we can improve site experience and performance. Approved third
parties may perform analytics on our behalf, but they cannot use the data for
their own purposes.

Allow performance category
Allowed


FUNCTIONAL

Functional cookies help us provide useful site features, remember your
preferences, and display relevant content. Approved third parties may set these
cookies to provide certain site features. If you do not allow these cookies,
then some or all of these services may not function properly.

Allow functional category
Allowed


ADVERTISING

Advertising cookies may be set through our site by us or our advertising
partners and help us deliver relevant marketing content. If you do not allow
these cookies, you will experience less relevant advertising.

Allow advertising category
Allowed

Blocking some types of cookies may impact your experience of our sites. You may
review and change your choices at any time by clicking Cookie preferences in the
footer of this site. We and selected third-parties use cookies or similar
technologies as specified in the AWS Cookie Notice

.

CancelSave preferences




UNABLE TO SAVE COOKIE PREFERENCES

We will only store essential cookies at this time, because we were unable to
save your cookie preferences.

If you want to change your cookie preferences, try again later using the link in
the AWS console footer, or contact support if the problem persists.

Dismiss


Contact Us
English


Create an AWS Account
 1. AWS
 2. ...
    
    
 3. Documentation
 4. AWS Identity and Access Management
 5. User Guide

Feedback
Preferences


AWS IDENTITY AND ACCESS MANAGEMENT


USER GUIDE

 * What is IAM?
    * How IAM works
    * Users in AWS
    * Permissions and policies in IAM
    * What is ABAC?
    * Security features outside IAM
    * Quick links to common tasks
    * Working with AWS SDKs

 * Getting set up
 * Getting started
    * How IAM users sign in
    * IAM console search

 * Tutorials
    * Delegate access to the billing console
    * Delegate access across AWS accounts using roles
    * Create a customer managed policy
    * Use attribute-based access control (ABAC)
       * Use SAML session tags for ABAC
   
    * Permit users to manage their credentials and MFA settings

 * Signing in to AWS
    * Your AWS account ID and its alias
    * AWS sign-in issues

 * Identities
    * Users
       * Adding a user
       * Controlling user access to the console
       * How IAM users sign in to AWS
          * Using MFA devices with your IAM sign-in page
      
       * Managing users
       * Changing permissions for a user
       * Managing passwords
          * Changing the root user password
          * Setting a password policy
          * Managing user passwords
          * Permitting IAM users to change their own passwords
          * How an IAM user changes their own password
      
       * Access keys
       * Retrieving lost passwords or access keys
       * Multi-factor authentication (MFA)
          * Enabling MFA devices
             * Enabling a virtual MFA device (console)
             * Enabling a FIDO security key (console)
                * Supported configurations for using FIDO security keys
            
             * Enabling a hardware TOTP token (console)
             * Enabling and managing virtual MFA devices (AWS CLI or AWS API)
         
          * Checking MFA status
          * Resynchronizing virtual and hardware MFA devices
          * Deactivating MFA devices
          * What if an MFA device is lost or stops working?
          * Configuring MFA-protected API access
          * Sample code: MFA
      
       * Finding unused credentials
       * Getting credential reports
       * Using IAM with CodeCommit
       * Using IAM with Amazon Keyspaces
       * Managing server certificates
   
    * User groups
       * Creating user groups
       * Managing user groups
          * Listing IAM user groups
          * Adding and removing users in an IAM user group
          * Attaching a policy to an IAM user group
          * Renaming an IAM user group
          * Deleting a user group
   
    * Roles
       * Terms and concepts
       * Common scenarios
          * Providing access across AWS accounts
          * Providing access for non AWS workloads
          * Providing access to third-party AWS accounts
             * Using an external ID for third-party access
         
          * Providing access to AWS services
          * The confused deputy problem
          * Providing access through identity federation
      
       * Identity providers and federation
          * About web identity federation
             * Using Amazon Cognito for mobile apps
             * Using web identity federation API operations for mobile apps
             * Identifying users with web identity federation
             * Additional resources for web identity federation
         
          * About SAML 2.0 federation
          * Creating IAM identity providers
             * Creating OIDC identity providers
                * Obtaining the thumbprint for an OIDC Identity Provider
            
             * Creating IAM SAML identity providers
                * Configuring relying party trust and claims
                * Integrating third-party SAML solution providers with AWS
                * Configuring SAML assertions for the authentication response
         
          * Enable SAML 2.0 federated users to access the AWS console
          * Enabling custom identity broker access to the AWS console
      
       * Service-linked roles
       * Creating roles
          * Creating a role for an IAM user
          * Creating a role for an AWS service
          * Creating a role for identity federation
             * Creating a role for web Identity/OIDC federation
             * Creating a role for SAML 2.0 federation
         
          * Creating a role using custom trust policies
          * Examples of policies for delegating access
      
       * Using roles
          * Granting a user permissions to switch roles
          * Granting permissions to pass a role to a service
          * Switching roles (console)
          * Switching roles (AWS CLI)
          * Switching roles (Tools for Windows PowerShell)
          * Switching roles (AWS API)
          * Using roles for applications on Amazon EC2
             * Using instance profiles
         
          * Revoking role temporary credentials
      
       * Managing roles
          * Modifying a role
             * Modifying a role (console)
             * Modifying a role (AWS CLI)
             * Modifying a role (AWS API)
         
          * Deleting roles or instance profiles
      
       * Roles vs. resource-based policies
   
    * Tagging IAM resources
       * Tagging IAM users
       * Tagging IAM roles
       * Tagging customer managed policies
       * Tagging IAM identity providers
          * Tagging OpenID Connect (OIDC) identity providers
          * Tagging IAM SAML identity providers
      
       * Tagging instance profiles
       * Tagging server certificates
       * Tagging virtual MFA devices
       * Session tags
   
    * Temporary security credentials
       * Requesting temporary security credentials
       * Using temporary credentials with AWS resources
       * Controlling permissions for temporary security credentials
          * Permissions for AssumeRole API operations
          * Monitor and control actions taken with assumed roles
          * Permissions for GetFederationToken
          * Permissions for GetSessionToken
          * Disabling permissions
          * Granting permissions to create credentials
      
       * Managing AWS STS in an AWS Region
       * Using AWS STS interface VPC endpoints
       * Using bearer tokens
       * Sample applications that use temporary credentials
       * Additional resources for temporary credentials
   
    * AWS account root user
    * Log events with CloudTrail

 * Access management
    * Policies and permissions
       * Managed policies and inline policies
          * Deprecated AWS managed policies
      
       * Permissions boundaries
       * Identity vs resource
       * Controlling access using policies
       * Control access to IAM users and roles using tags
       * Control access to AWS resources using tags
       * Example policies
          * AWS: Specific access during a date range
          * AWS: Enable or disable AWS Regions
          * AWS: Self-manage credentials with MFA (My security credentials)
          * AWS: Specific access with MFA during a date range
          * AWS: Self-manage credentials no MFA (My security credentials)
          * AWS: Self-manage MFA device (My security credentials)
          * AWS: Self-manage console password (My security credentials)
          * AWS: Self-manage password, access keys, & SSH public keys (My
            security credentials)
          * AWS: Deny access based on requested Region
          * AWS: Deny access based on source IP
          * AWS: Deny access to Amazon S3 resources outside your account except
            AWS Data Exchange
          * Data Pipeline: Deny access to pipelines not created by user
          * DynamoDB: Access specific table
          * DynamoDB: Allow access to specific attributes
          * DynamoDB: Allow item access based on a Amazon Cognito ID
          * EC2: Attach or detach volumes to an EC2 instance
          * EC2: Attach or detach tagged EBS volumes
          * EC2: Launch instances in a subnet (includes console)
          * EC2: Manage security groups with the same tags (includes console)
          * EC2: Start or stop instances a user has tagged (includes console)
          * EC2: Start or stop instances based on tags
          * EC2: Start or stop for matching tags
          * EC2: Full access within a Region (includes console)
          * EC2: Start or stop an instance, modify security group (includes
            console)
          * EC2: Requires MFA (GetSessionToken) for operations
          * EC2: Limit terminating instances to IP range
          * IAM: Access the policy simulator API
          * IAM: Access the policy simulator console
          * IAM: Assume tagged roles
          * IAM: Allows and denies multiple services (includes console)
          * IAM: Add specific tag to tagged user
          * IAM: Add a specific tag
          * IAM: Create only tagged users
          * IAM: Generate credential reports
          * IAM: Manage group membership (includes console)
          * IAM: Manage a tag
          * IAM: Pass a role to a service
          * IAM: Read-only console access (no reporting)
          * IAM: Read-only console access
          * IAM: Specific users manage group (includes console)
          * IAM: Setting account password requirements (includes console)
          * IAM: Access the policy simulator API based on user path
          * IAM: Access the policy simulator console based on user path
            (includes console)
          * IAM: MFA self-management
          * IAM: Rotate credentials (includes console)
          * IAM: View Organizations service last accessed information for a
            policy
          * IAM: Apply limited managed policies
          * AWS: Deny access to resources outside your account except AWS
            managed IAM policies
          * Lambda: Service access to DynamoDB
          * RDS: Full access within a Region
          * RDS: Restore databases (includes console)
          * RDS: Full access for tag owners
          * S3: Access bucket if cognito
          * S3: Access federated user home directory (includes console)
          * S3: Full access with recent MFA
          * S3: Access IAM user home directory (includes console)
          * S3: Restrict management to a specific bucket
          * S3: Read and write objects to a specific bucket
          * S3: Read and write to a specific bucket (includes console)
   
    * Managing IAM policies
       * Creating IAM policies
          * Creating IAM policies (console)
          * Creating IAM policies (CLI)
          * Creating IAM policies (API)
      
       * Validating policies
       * Generating policies
       * Testing IAM policies
       * Add or remove identity permissions
       * Versioning IAM policies
       * Editing IAM policies
       * Deleting IAM policies
       * Refining permissions using access information
          * View IAM access information
          * View access information for Organizations
          * Example scenarios
   
    * Understanding policies
       * Policy summary (list of services)
          * Access levels in policy summaries
      
       * Service summary (list of actions)
       * Action summary (list of resources)
       * Example policy summaries
   
    * Permissions required
       * Example policies for IAM

 * Code examples
    * IAM examples
       * Actions
          * Attach a policy to a role
          * Attach a policy to a user
          * Attach an inline policy to a role
          * Create a policy
          * Create a policy version
          * Create a role
          * Create a service-linked role
          * Create a user
          * Create an access key
          * Create an alias for an account
          * Create an inline policy for a user
          * Delete a policy
          * Delete a role
          * Delete a role policy
          * Delete a server certificate
          * Delete a service-linked role
          * Delete a user
          * Delete an access key
          * Delete an account alias
          * Delete an inline policy from a user
          * Detach a policy from a role
          * Detach a policy from a user
          * Generate a credential report
          * Get a credential report
          * Get a detailed authorization report for your account
          * Get a policy
          * Get a policy version
          * Get a role
          * Get a server certificate
          * Get a summary of account usage
          * Get a user
          * Get data about the last use of an access key
          * Get the account password policy
          * List SAML providers
          * List a user's access keys
          * List account aliases
          * List groups
          * List inline policies for a role
          * List inline policies for a user
          * List policies
          * List policies attached to a role
          * List roles
          * List server certificates
          * List users
          * Update a server certificate
          * Update a user
          * Update an access key
      
       * Scenarios
          * Create a user and assume a role
          * Create read-only and read-write users
          * Manage access keys
          * Manage policies
          * Manage roles
          * Manage your account
          * Roll back a policy version
      
       * Cross-service examples
          * Create a long-lived Amazon EMR cluster and run several steps
          * Create a short-lived Amazon EMR cluster and run a step
   
    * AWS STS examples
       * Actions
          * Assume a role
          * Get a session token
      
       * Scenarios
          * Assume an IAM role that requires an MFA token
          * Construct a URL for federated users
          * Get a session token that requires an MFA token

 * Security
    * Data protection
    * Logging and monitoring
    * Compliance validation
    * Resilience
    * Infrastructure security
    * Configuration and vulnerability analysis
    * Security best practices and use cases
       * Security best practices
       * Business use cases
   
    * AWS managed policies

 * IAM Access Analyzer
    * Findings for public and cross-account access
       * How IAM Access Analyzer findings work
       * Getting started with IAM Access Analyzer findings
       * Working with findings
       * Reviewing findings
       * Filtering findings
       * Archiving findings
       * Resolving findings
       * Supported resource types
       * Settings
       * Archive rules
       * Monitoring with EventBridge
       * Security Hub integration
       * Logging with CloudTrail
       * IAM Access Analyzer filter keys
       * Using service-linked roles
   
    * Preview access
       * Previewing access in Amazon S3 console
       * Previewing access with IAM Access Analyzer APIs
   
    * IAM Access Analyzer policy validation
       * Policy check reference
   
    * IAM Access Analyzer policy generation
       * IAM Access Analyzer policy generation and action last accessed support
   
    * IAM Access Analyzer quotas

 * Troubleshooting IAM
    * General issues
    * Access denied error messages
    * IAM policies
    * FIDO security keys
    * IAM roles
    * IAM and Amazon EC2
    * IAM and Amazon S3
    * SAML 2.0 federation
       * Viewing a SAML response in your browser

 * Reference
    * IAM identifiers
    * Quotas, name requirements, and character limits
    * Services that work with IAM
    * Policy reference
       * JSON element reference
          * Version
          * Id
          * Statement
          * Sid
          * Effect
          * Principal
          * NotPrincipal
          * Action
          * NotAction
          * Resource
          * NotResource
          * Condition
             * Condition operators
             * Conditions with multiple keys or values
             * Single-valued vs. multivalued condition keys
         
          * Variables and tags
          * Supported data types
      
       * Policy evaluation logic
          * Cross-account policy evaluation logic
      
       * Policy grammar
       * AWS managed policies for job functions
          * Creating roles and attaching policies (console)
      
       * Global condition keys
       * IAM condition keys
       * Actions, resources, and condition keys

 * Resources
 * Making HTTP query requests
 * Document history

Grammar of the IAM JSON policy language - AWS Identity and Access Management
AWSDocumentationAWS Identity and Access ManagementUser Guide
The policy language and JSONConventions used in this grammarGrammarPolicy
grammar notes


GRAMMAR OF THE IAM JSON POLICY LANGUAGE

PDFRSS

This page presents a formal grammar for the language used to create JSON
policies in IAM. We present this grammar so that you can understand how to
construct and validate policies.

For examples of policies, see the following topics:

 * Policies and permissions in IAM

 * Example IAM identity-based policies

 * Example Policies for Working in the Amazon EC2 Console and Example Policies
   for Working With the AWS CLI, the Amazon EC2 CLI, or an AWS SDK in the Amazon
   EC2 User Guide for Linux Instances.

 * Bucket Policy Examples and User Policy Examples in the Amazon Simple Storage
   Service User Guide.

For examples of policies used in other AWS services, go to the documentation for
those services.

Topics

 * The policy language and JSON
 * Conventions used in this grammar
 * Grammar
 * Policy grammar notes


THE POLICY LANGUAGE AND JSON

Policies are expressed in JSON. When you create or edit a JSON policy, IAM can
perform policy validation to help you create an effective policy. IAM identifies
JSON syntax errors, while IAM Access Analyzer provides additional policy checks
with recommendations to help you further refine your policies. To learn more
about policy validation, see Validating IAM policies. To learn more about IAM
Access Analyzer policy checks and actionable recommendations, see IAM Access
Analyzer policy validation.

In this document, we do not provide a complete description of what constitutes
valid JSON. However, here are some basic JSON rules:

 * White space between individual entities is allowed.

 * Values are enclosed in quotation marks. Quotation marks are optional for
   numeric and Boolean values.

 * Many elements (for example, action_string_list and resource_string_list) can
   take a JSON array as a value. Arrays can take one or more values. If more
   than one value is included, the array is in square brackets ([ and ]) and
   comma-delimited, as in the following example:
   
   "Action" : ["ec2:Describe*","ec2:List*"]

 * Basic JSON data types (Boolean, number, and string) are defined in RFC 7159.


CONVENTIONS USED IN THIS GRAMMAR

The following conventions are used in this grammar:

 * The following characters are JSON tokens and are included in policies:
   
   { } [ ] " , :

 * The following characters are special characters in the grammar and are not
   included in policies:
   
   = < > ( ) |

 * If an element allows multiple values, it is indicated using repeated values,
   a comma delimiter, and an ellipsis (...). Examples:
   
   [<action_string>, <action_string>, ...]
   
   <principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }
   
   If multiple values are allowed, it is also valid to include only one value.
   For only one value, the trailing comma must be omitted. If the element takes
   an array (marked with [ and ]) but only one value is included, the brackets
   are optional. Examples:
   
   "Action": [<action_string>]
   
   "Action": <action_string>

 * A question mark (?) following an element indicates that the element is
   optional. Example:
   
   <version_block?>
   
   However, be sure to refer to the notes that follow the grammar listing for
   details about optional elements.

 * A vertical line (|) between elements indicates alternatives. In the grammar,
   parentheses define the scope of the alternatives. Example:
   
   ("Principal" | "NotPrincipal")

 * Elements that must be literal strings are enclosed in double quotation marks
   ("). Example:
   
   <version_block> = "Version" : ("2008-10-17" | "2012-10-17")

For additional notes, see Policy grammar notes following the grammar listing.


GRAMMAR

The following listing describes the policy language grammar. For conventions
used in the listing, see the preceding section. For additional information, see
the notes that follow.

Note

This grammar describes policies marked with a version of 2008-10-17 and
2012-10-17. A Version policy element is different from a policy version. The
Version policy element is used within a policy and defines the version of the
policy language. A policy version, on the other hand, is created when you make
changes to a customer managed policy in IAM. The changed policy doesn't
overwrite the existing policy. Instead, IAM creates a new version of the managed
policy. To learn more about the Version policy element see IAM JSON policy
elements: Version. To learn more about policy versions, see Versioning IAM
policies.

policy  = {
     <version_block?>
     <id_block?>
     <statement_block>
}

<version_block> = "Version" : ("2008-10-17" | "2012-10-17")

<id_block> = "Id" : <policy_id_string>

<statement_block> = "Statement" : [ <statement>, <statement>, ... ]

<statement> = { 
    <sid_block?>,
    <principal_block?>,
    <effect_block>,
    <action_block>,
    <resource_block>,
    <condition_block?>
}

<sid_block> = "Sid" : <sid_string>

<effect_block> = "Effect" : ("Allow" | "Deny")  

<principal_block> = ("Principal" | "NotPrincipal") : ("*" | <principal_map>)

<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }

<principal_map_entry> = ("AWS" | "Federated" | "Service" | "CanonicalUser") :   
    [<principal_id_string>, <principal_id_string>, ...]

<action_block> = ("Action" | "NotAction") : 
    ("*" | [<action_string>, <action_string>, ...])

<resource_block> = ("Resource" | "NotResource") : 
    ("*" | [<resource_string>, <resource_string>, ...])

<condition_block> = "Condition" : { <condition_map> }
<condition_map> = { 
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  <condition_type_string> : { <condition_key_string> : <condition_value_list> }, ...
}  
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number" | "Boolean")


POLICY GRAMMAR NOTES

 * A single policy can contain an array of statements.

 * Policies have a maximum size between 2048 characters and 10,240 characters,
   depending on what entity the policy is attached to. For more information, see
   IAM and AWS STS quotas, name requirements, and character limits. Policy size
   calculations do not include white space characters.

 * Individual elements must not contain multiple instances of the same key. For
   example, you cannot include the Effect block twice in the same statement.

 * Blocks can appear in any order. For example, version_block can follow
   id_block in a policy. Similarly, effect_block, principal_block, action_block
   can appear in any order within a statement.

 * The id_block is optional in resource-based policies. It must not be included
   in identity-based policies.

 * The principal_block element is required in resource-based policies (for
   example, in Amazon S3 bucket policies) and in trust policies for IAM roles.
   It must not be included in identity-based policies.

 * The principal_map element in Amazon S3 bucket policies can include the
   CanonicalUser ID. Most resource-based policies do not support this mapping.
   To learn more about using the canonical user ID in a bucket policy, see
   Specifying a Principal in a Policy in the Amazon Simple Storage Service User
   Guide.

 * Each string value (policy_id_string, sid_string, principal_id_string,
   action_string, resource_string, condition_type_string, condition_key_string,
   and the string version of condition_value) can have its own minimum and
   maximum length restrictions, specific allowed values, or required internal
   format.


NOTES ABOUT STRING VALUES

This section provides additional information about string values that are used
in different elements in a policy.

action_string

Consists of a service namespace, a colon, and the name of an action. Action
names can include wildcards. Examples:

"Action":"ec2:StartInstances"

"Action":[
  "ec2:StartInstances",
  "ec2:StopInstances"
]

"Action":"cloudformation:*"

"Action":"*"

"Action":[
  "s3:Get*",
  "s3:List*"
]

policy_id_string

Provides a way to include information about the policy as a whole. Some
services, such as Amazon SQS and Amazon SNS, use the Id element in reserved
ways. Unless otherwise restricted by an individual service, policy_id_string can
include spaces. Some services require this value to be unique within an AWS
account.

Note

The id_block is allowed in resource-based policies, but not in identity-based
policies.

There is no limit to the length, although this string contributes to the overall
length of the policy, which is limited.

"Id":"Admin_Policy"

"Id":"cd3ad3d9-2776-4ef1-a904-4c229d1642ee"


sid_string

Provides a way to include information about an individual statement. For IAM
policies, basic alphanumeric characters (A-Z,a-z,0-9) are the only allowed
characters in the Sid value. Other AWS services that support resource policies
may have other requirements for the Sid value. For example, some services
require this value to be unique within an AWS account, and some services allow
additional characters such as spaces in the Sid value.

"Sid":"1" 

"Sid": "ThisStatementProvidesPermissionsForConsoleAccess"

principal_id_string

Provides a way to specify a principal using the Amazon Resource Name (ARN) of
the AWS account, IAM user, IAM role, federated user, or assumed-role user. For
an AWS account, you can also use the short form AWS:accountnumber instead of the
full ARN. For all of the options including AWS services, assumed roles, and so
on, see Specifying a principal.

Note that you can use * only to specify "everyone/anonymous." You cannot use it
to specify part of a name or ARN.

resource_string

In most cases, consists of an Amazon Resource Name (ARN).

"Resource":"arn:aws:iam::123456789012:user/Bob"

"Resource":"arn:aws:s3:::examplebucket/*"

condition_type_string

Identifies the type of condition being tested, such as StringEquals, StringLike,
NumericLessThan, DateGreaterThanEquals, Bool, BinaryEquals, IpAddress,
ArnEquals, etc. For a complete list of condition types, see IAM JSON policy
elements: Condition operators.

"Condition": {
  "NumericLessThanEquals": {
    "s3:max-keys": "10"
  }
}

"Condition": {
  "Bool": {
    "aws:SecureTransport": "true"
  }
}

"Condition": {
  "StringEquals": {
      "s3:x-amz-server-side-encryption": "AES256"
   }
}

condition_key_string

Identifies the condition key whose value will be tested to determine whether the
condition is met. AWS defines a set of condition keys that are available in all
AWS services, including aws:PrincipalType, aws:SecureTransport, and aws:userid.

For a list of AWS condition keys, see AWS global condition context keys. For
condition keys that are specific to a service, see the documentation for that
service such as the following:

 * Specifying Conditions in a Policy in the Amazon Simple Storage Service User
   Guide

 * IAM Policies for Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.

"Condition":{
  "Bool": {
      "aws:SecureTransport": "true"
   }
}

"Condition": {
  "StringNotEquals": {
      "s3:x-amz-server-side-encryption": "AES256"
   }
}

"Condition": {
  "StringEquals": {
    "aws:ResourceTag/purpose": "test"
  }
}

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please
refer to your browser's Help pages for instructions.

Document Conventions
Cross-account policy evaluation logic
AWS managed policies for job functions
Did this page help you? - Yes

Thanks for letting us know we're doing a good job!

If you've got a moment, please tell us what we did right so we can do more of
it.



Did this page help you? - No

Thanks for letting us know this page needs work. We're sorry we let you down.

If you've got a moment, please tell us how we can make the documentation better.




Did this page help you?
Yes
No
Provide feedback
Edit this page on GitHub 
Next topic:AWS managed policies for job functions
Previous topic:Cross-account policy evaluation logic
Need help?
 * Try AWS re:Post 
 * Connect with an AWS IQ expert 

PrivacySite termsCookie preferences
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.
On this page

--------------------------------------------------------------------------------

 * The policy language and JSON
 * Conventions used in this grammar
 * Grammar
 * Policy grammar notes





DID THIS PAGE HELP YOU? - NO



Thanks for letting us know this page needs work. We're sorry we let you down.

If you've got a moment, please tell us how we can make the documentation better.



Feedback