Conditions

Conditions provide fine-grained control over when IAM policies apply. They allow you to specify additional constraints that must be met for a policy statement to take effect, such as time-based access, IP restrictions, or resource-specific attributes.

Condition Structure

Conditions are specified in the Condition element of a policy statement:
{
  "Effect": "Allow",
  "Action": ["sp:ReadSession"],
  "Resource": ["ssrn:ss:sp::578:session/*"],
  "Condition": {
    "Equals": {
      "session:proctorAccountSid": "PA123456"
    }
  }
}

Condition Operators

String Conditions

Equals

Exact string match (case-sensitive).
{
  "Condition": {
    "Equals": {
      "session:proctorAccountSid": "PA123456"
    }
  }
}

NotEquals

String does not match (case-sensitive).
{
  "Condition": {
    "NotEquals": {
      "user:role": "guest"
    }
  }
}

StringLike

Pattern matching with wildcards (* and ?).
{
  "Condition": {
    "StringLike": {
      "user:email": "*@university.edu"
    }
  }
}

StringNotLike

Pattern does not match.
{
  "Condition": {
    "StringNotLike": {
      "user:department": "temp-*"
    }
  }
}

Numeric Conditions

NumericEquals

Exact numeric match.
{
  "Condition": {
    "NumericEquals": {
      "session:duration": "120"
    }
  }
}

NumericLessThan

Numeric value is less than the specified value.
{
  "Condition": {
    "NumericLessThan": {
      "user:loginAttempts": "5"
    }
  }
}

NumericGreaterThan

Numeric value is greater than the specified value.
{
  "Condition": {
    "NumericGreaterThan": {
      "assessment:score": "80"
    }
  }
}

Date/Time Conditions

DateEquals

Exact date/time match.
{
  "Condition": {
    "DateEquals": {
      "aws:CurrentTime": "2023-12-25T00:00:00Z"
    }
  }
}

DateGreaterThan

Current time is after the specified date.
{
  "Condition": {
    "DateGreaterThan": {
      "aws:CurrentTime": "2023-01-01T00:00:00Z"
    }
  }
}

DateLessThan

Current time is before the specified date.
{
  "Condition": {
    "DateLessThan": {
      "aws:CurrentTime": "2023-12-31T23:59:59Z"
    }
  }
}

Boolean Conditions

Bool

Boolean value match.
{
  "Condition": {
    "Bool": {
      "aws:MultiFactorAuthPresent": "true"
    }
  }
}

IP Address Conditions

IpAddress

Request originates from one of the specified IP ranges.
{
  "Condition": {
    "IpAddress": {
      "aws:SourceIp": ["192.168.1.0/24", "10.0.0.0/16"]
    }
  }
}

NotIpAddress

Request does not originate from the specified IP range.
{
  "Condition": {
    "NotIpAddress": {
      "aws:SourceIp": "192.168.1.100/32"
    }
  }
}

Condition Keys

Global Condition Keys

These keys are available in all contexts:

aws:CurrentTime

Current date and time of the request.
{
  "Condition": {
    "DateGreaterThan": {
      "aws:CurrentTime": "2023-01-01T09:00:00Z"
    }
  }
}

aws:SourceIp

IP address of the request source.
{
  "Condition": {
    "IpAddress": {
      "aws:SourceIp": "192.168.1.0/24"
    }
  }
}

aws:UserAgent

User agent string of the request.
{
  "Condition": {
    "StringLike": {
      "aws:UserAgent": "SmarterServices-*"
    }
  }
}

aws:MultiFactorAuthPresent

Whether multi-factor authentication was used.
{
  "Condition": {
    "Bool": {
      "aws:MultiFactorAuthPresent": "true"
    }
  }
}

Service-Specific Condition Keys

Session Namespace (session:)

session:proctorAccountSid

Proctor account assigned to the session.
{
  "Condition": {
    "Equals": {
      "session:proctorAccountSid": "PA123456"
    }
  }
}

session:schedulingModule

Scheduling system used for the session.
{
  "Condition": {
    "Equals": {
      "session:schedulingModule": "register-blast"
    }
  }
}

session:status

Current status of the session.
{
  "Condition": {
    "Equals": {
      "session:status": "active"
    }
  }
}

session:examType

Type of exam being proctored.
{
  "Condition": {
    "StringLike": {
      "session:examType": "final-*"
    }
  }
}

User Namespace (user:)

user:role

User’s role in the system.
{
  "Condition": {
    "Equals": {
      "user:role": "instructor"
    }
  }
}

user:department

User’s department affiliation.
{
  "Condition": {
    "StringLike": {
      "user:department": "engineering-*"
    }
  }
}

user:accountType

Type of user account.
{
  "Condition": {
    "NotEquals": {
      "user:accountType": "trial"
    }
  }
}

Assessment Namespace (assessment:)

assessment:type

Type of assessment.
{
  "Condition": {
    "Equals": {
      "assessment:type": "placement"
    }
  }
}

assessment:status

Current status of the assessment.
{
  "Condition": {
    "NotEquals": {
      "assessment:status": "draft"
    }
  }
}

Multiple Conditions

AND Logic (Multiple Operators)

All conditions must be true.
{
  "Condition": {
    "Equals": {
      "session:proctorAccountSid": "PA123456"
    },
    "DateGreaterThan": {
      "aws:CurrentTime": "2023-01-01T00:00:00Z"
    },
    "IpAddress": {
      "aws:SourceIp": "192.168.1.0/24"
    }
  }
}

OR Logic (Multiple Values)

The condition is satisfied if any one of the listed values matches.
{
  "Condition": {
    "Equals": {
      "user:role": ["instructor", "admin", "proctor"]
    }
  }
}

Complex Logic

Combining AND and OR logic.
{
  "Condition": {
    "Equals": {
      "user:role": ["instructor", "admin"]
    },
    "StringLike": {
      "user:department": ["math-*", "science-*"]
    },
    "DateGreaterThan": {
      "aws:CurrentTime": "2023-01-01T00:00:00Z"
    }
  }
}
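The following is an added reference evaluator, not code from the product or its documentation. It implements the operators listed under Condition Operators and the combination rules from this section (operator blocks and keys are ANDed, the values listed for one key are ORed), and evaluates the "Complex Logic" condition above against two constructed request contexts. Assumptions made here that the page does not spell out: date values are full ISO 8601 date-times, IP values are CIDR ranges, a key missing from the request context makes the condition fail, and a negated operator with several values means "none of them".

```python
from datetime import datetime
import ipaddress
import re


def _parse_datetime(value):
    # Python versions before 3.11 reject a trailing 'Z' in fromisoformat().
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def _like(value, pattern):
    # Only the page's two wildcards are special: '*' is any run of characters,
    # '?' exactly one character; everything else in the pattern is literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, str(value), flags=re.DOTALL) is not None


def _ip_in(value, cidr):
    return ipaddress.ip_address(str(value)) in ipaddress.ip_network(cidr, strict=False)


# One predicate per operator: (value from the request context, value from the policy).
OPERATORS = {
    "Equals": lambda a, b: str(a) == str(b),          # case-sensitive
    "NotEquals": lambda a, b: str(a) != str(b),
    "StringLike": _like,
    "StringNotLike": lambda a, b: not _like(a, b),
    "NumericEquals": lambda a, b: float(a) == float(b),
    "NumericLessThan": lambda a, b: float(a) < float(b),
    "NumericGreaterThan": lambda a, b: float(a) > float(b),
    "DateEquals": lambda a, b: _parse_datetime(a) == _parse_datetime(b),
    "DateGreaterThan": lambda a, b: _parse_datetime(a) > _parse_datetime(b),
    "DateLessThan": lambda a, b: _parse_datetime(a) < _parse_datetime(b),
    "Bool": lambda a, b: str(a).lower() == str(b).lower(),
    "IpAddress": _ip_in,
    "NotIpAddress": lambda a, b: not _ip_in(a, b),
}

# Assumption for this example: a negated operator with several values means
# "none of them", otherwise "NotEquals": ["guest", "trial"] would pass for "guest".
NEGATED = {"NotEquals", "StringNotLike", "NotIpAddress"}


def evaluate_condition(condition, context):
    """Return True only when the whole Condition element is satisfied.

    Operator blocks and the keys inside them are ANDed; the values listed for
    one key are ORed ("Multiple Values: Use arrays for OR logic"). A key that
    is absent from the request context is treated as not satisfied, so the
    check fails closed instead of silently granting access.
    """
    for operator, pairs in condition.items():
        predicate = OPERATORS[operator]  # an unknown operator raises rather than being skipped
        for key, expected in pairs.items():
            if key not in context:
                return False
            values = expected if isinstance(expected, list) else [expected]
            results = [predicate(context[key], v) for v in values]
            satisfied = all(results) if operator in NEGATED else any(results)
            if not satisfied:
                return False
    return True


# The "Complex Logic" condition from this page.
COMPLEX_LOGIC = {
    "Equals": {"user:role": ["instructor", "admin"]},
    "StringLike": {"user:department": ["math-*", "science-*"]},
    "DateGreaterThan": {"aws:CurrentTime": "2023-01-01T00:00:00Z"},
}

# Constructed request contexts (sample data, not taken from any real system).
MATCHING_REQUEST = {
    "user:role": "admin",
    "user:department": "science-biology",
    "aws:CurrentTime": "2023-03-10T12:00:00Z",
}
EARLY_REQUEST = dict(MATCHING_REQUEST, **{"aws:CurrentTime": "2022-12-31T23:59:59Z"})

if __name__ == "__main__":
    print(evaluate_condition(COMPLEX_LOGIC, MATCHING_REQUEST))  # True
    print(evaluate_condition(COMPLEX_LOGIC, EARLY_REQUEST))     # False: before 2023-01-01
```

The two request contexts differ only in aws:CurrentTime, which is enough to flip the result because every operator block must pass. Note that the StringLike pattern is anchored at both ends, so "*@university.edu" does not match an address that merely contains that suffix somewhere in the middle.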

Common Use Cases

Time-Based Access

Business Hours Only

{
  "Version": "2023-01-01",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sm:*"],
      "Resource": ["ssrn:ss:sm::578:*"],
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "09:00:00Z"
        },
        "DateLessThan": {
          "aws:CurrentTime": "17:00:00Z"
        }
      }
    }
  ]
}

Exam Period Access

{
  "Condition": {
    "DateGreaterThan": {
      "aws:CurrentTime": "2023-05-01T00:00:00Z"
    },
    "DateLessThan": {
      "aws:CurrentTime": "2023-05-15T23:59:59Z"
    }
  }
}

Location-Based Access

Campus Network Only

{
  "Condition": {
    "IpAddress": {
      "aws:SourceIp": [
        "192.168.0.0/16",
        "10.0.0.0/8",
        "172.16.0.0/12"
      ]
    }
  }
}

Block Specific Locations

{
  "Effect": "Deny",
  "Action": ["*"],
  "Resource": ["*"],
  "Condition": {
    "IpAddress": {
      "aws:SourceIp": ["192.168.100.0/24"]
    }
  }
}

Role-Based Conditions

Department-Specific Access

{
  "Condition": {
    "Equals": {
      "user:department": "mathematics"
    },
    "StringLike": {
      "assessment:subject": "math-*"
    }
  }
}

Instructor-Only Features

{
  "Condition": {
    "Equals": {
      "user:role": "instructor"
    },
    "Bool": {
      "user:verified": "true"
    }
  }
}

Session-Specific Conditions

Assigned Proctor Only

{
  "Condition": {
    "Equals": {
      "session:assignedProctor": "${user.proctorId}"
    }
  }
}

Specific Scheduling Systems

{
  "Condition": {
    "Equals": {
      "session:schedulingModule": ["register-blast", "canvas-integration"]
    }
  }
}

Security Conditions

MFA Required for Sensitive Actions

{
  "Effect": "Allow",
  "Action": ["sm:DeleteUser", "sp:DeleteSession"],
  "Resource": ["*"],
  "Condition": {
    "Bool": {
      "aws:MultiFactorAuthPresent": "true"
    }
  }
}

Trusted User Agents Only

{
  "Condition": {
    "StringLike": {
      "aws:UserAgent": [
        "SmarterServices-Web/*",
        "SmarterServices-Mobile/*"
      ]
    }
  }
}

Advanced Patterns

Conditional Deny

Deny access unless conditions are met.
{
  "Effect": "Deny",
  "Action": ["sp:ViewRecording"],
  "Resource": ["*"],
  "Condition": {
    "NotEquals": {
      "session:assignedProctor": "${user.proctorId}"
    }
  }
}

Time-Window Access

Allow access only during specific time windows.
{
  "Condition": {
    "DateGreaterThan": {
      "aws:CurrentTime": "${exam.startTime}"
    },
    "DateLessThan": {
      "aws:CurrentTime": "${exam.endTime}"
    }
  }
}

Dynamic Resource Access

Access based on resource attributes.
{
  "Condition": {
    "Equals": {
      "assessment:createdBy": "${user.id}"
    }
  }
}
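The three patterns above rely on ${...} variables that are resolved at evaluation time. The following added example (not the product's code) shows one way to perform that substitution and to find every variable a statement references before it is deployed. It assumes that a variable such as ${user.proctorId} is a dotted path into a nested request-context object (user, exam, ...); the page shows the syntax but not the resolution mechanism. A reference that cannot be resolved raises instead of being compared as literal text, which is the failure mode behind the "Variable Substitution" troubleshooting item.

```python
import re

# ${scope.attribute}: a dotted path into the request context (assumed layout).
VARIABLE = re.compile(r"\$\{([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)\}")


class UnresolvedVariable(LookupError):
    """Raised when a ${...} reference has no value in the request context."""


def _lookup(path, context):
    node = context
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            raise UnresolvedVariable(path)
        node = node[part]
    return node


def substitute(value, context):
    """Return a copy of a statement or condition with every ${...} resolved.

    Strings, lists and nested dicts are walked. A string that is exactly one
    variable takes the referenced value as-is (a list attribute stays a list);
    variables embedded in longer strings are interpolated as text.
    """
    if isinstance(value, str):
        whole = VARIABLE.fullmatch(value)
        if whole:
            return _lookup(whole.group(1), context)
        return VARIABLE.sub(lambda m: str(_lookup(m.group(1), context)), value)
    if isinstance(value, list):
        return [substitute(item, context) for item in value]
    if isinstance(value, dict):
        return {k: substitute(v, context) for k, v in value.items()}
    return value


def referenced_variables(value):
    """Sorted list of every variable path a statement refers to."""
    found = set()
    if isinstance(value, str):
        found.update(VARIABLE.findall(value))
    elif isinstance(value, list):
        for item in value:
            found.update(referenced_variables(item))
    elif isinstance(value, dict):
        for item in value.values():
            found.update(referenced_variables(item))
    return sorted(found)


def resolves(value, context):
    """True when every variable resolves; a typo such as ${user.proctorid}
    fails closed instead of matching nothing silently."""
    try:
        substitute(value, context)
    except UnresolvedVariable:
        return False
    return True


# The "Conditional Deny" statement from this page.
CONDITIONAL_DENY = {
    "Effect": "Deny",
    "Action": ["sp:ViewRecording"],
    "Resource": ["*"],
    "Condition": {"NotEquals": {"session:assignedProctor": "${user.proctorId}"}},
}

# Constructed request context (sample data; the nested layout is an assumption).
REQUEST_CONTEXT = {
    "user": {"proctorId": "PA123456", "id": "U-42"},
    "exam": {"startTime": "2023-05-01T00:00:00Z", "endTime": "2023-05-15T23:59:59Z"},
}

if __name__ == "__main__":
    print(referenced_variables(CONDITIONAL_DENY))                    # ['user.proctorId']
    print(substitute(CONDITIONAL_DENY, REQUEST_CONTEXT)["Condition"])
```

Resolving the variables first and then evaluating the resulting literal condition keeps the evaluator itself free of any knowledge about where user or exam attributes come from, and referenced_variables gives reviewers a checklist of which context attributes a policy depends on.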

Best Practices

1. Use Specific Conditions

// ✅ Specific condition
{
  "Condition": {
    "Equals": {
      "user:department": "engineering"
    }
  }
}

// ❌ Too broad
{
  "Condition": {
    "StringLike": {
      "user:department": "*"
    }
  }
}

2. Combine Multiple Conditions

{
  "Condition": {
    "Equals": {
      "user:role": "proctor"
    },
    "Bool": {
      "user:verified": "true"
    },
    "IpAddress": {
      "aws:SourceIp": "192.168.1.0/24"
    }
  }
}

3. Use Deny for Security

{
  "Effect": "Deny",
  "Action": ["*"],
  "Resource": ["*"],
  "Condition": {
    "NotIpAddress": {
      "aws:SourceIp": ["192.168.0.0/16"]
    }
  }
}

4. Test Conditions Thoroughly

Always test conditions in a development environment before deploying to production.

Troubleshooting

Common Issues

  1. Case Sensitivity: String conditions are case-sensitive
  2. Date Formats: Use ISO 8601 format for dates
  3. IP Ranges: Use CIDR notation for IP addresses
  4. Multiple Values: Use arrays for OR logic
  5. Variable Substitution: Ensure variables are properly formatted

Debugging Tips

  1. Log Condition Evaluations: Enable detailed logging
  2. Test Individual Conditions: Test each condition separately
  3. Validate Syntax: Use JSON validators for policy syntax
  4. Check Variable Values: Verify variable substitution works correctly
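The troubleshooting items above (ISO 8601 dates, CIDR ranges, JSON syntax) and the "Too broad" pattern from Best Practices can be checked statically before a policy reaches production. The following added linter is example code, not the product's tooling. It validates JSON syntax first, then checks every Condition literal against the operator names on this page; ${...} variables are skipped because they are substituted at evaluation time. Run against the "Business Hours Only" policy from this page, it reports the two time-of-day values "09:00:00Z" and "17:00:00Z", which are not full ISO 8601 date-times and should be reviewed against the Date Formats rule.

```python
import ipaddress
import json
from datetime import datetime

STRING_OPS = {"Equals", "NotEquals", "StringLike", "StringNotLike"}
NUMERIC_OPS = {"NumericEquals", "NumericLessThan", "NumericGreaterThan"}
DATE_OPS = {"DateEquals", "DateGreaterThan", "DateLessThan"}
IP_OPS = {"IpAddress", "NotIpAddress"}
KNOWN_OPS = STRING_OPS | NUMERIC_OPS | DATE_OPS | IP_OPS | {"Bool"}


def _is_iso_datetime(value):
    # A full date and time is required; a bare time of day has no 'T' separator.
    # The 'Z' rewrite is for Python versions before 3.11.
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return "T" in value


def _is_cidr(value):
    # The troubleshooting list asks for CIDR notation, so a prefix length is required.
    if "/" not in value:
        return False
    try:
        ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return True


def _is_number(value):
    try:
        float(value)
    except ValueError:
        return False
    return True


def lint_condition(condition, where="Condition"):
    """Return a list of human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    for operator, pairs in condition.items():
        if operator not in KNOWN_OPS:
            findings.append(f"{where}: unknown operator {operator!r}")
            continue
        for key, expected in pairs.items():
            loc = f"{where}.{operator}.{key}"
            values = expected if isinstance(expected, list) else [expected]
            for raw in values:
                value = str(raw)
                if value.startswith("${") and value.endswith("}"):
                    continue  # resolved at evaluation time; nothing to check statically
                if operator in DATE_OPS and not _is_iso_datetime(value):
                    findings.append(f"{loc}: {value!r} is not an ISO 8601 date-time")
                elif operator in NUMERIC_OPS and not _is_number(value):
                    findings.append(f"{loc}: {value!r} is not numeric")
                elif operator in IP_OPS and not _is_cidr(value):
                    findings.append(f"{loc}: {value!r} is not in CIDR notation")
                elif operator == "Bool" and value.lower() not in ("true", "false"):
                    findings.append(f"{loc}: {value!r} is not a boolean")
                elif operator == "StringLike" and value == "*":
                    findings.append(f"{loc}: pattern '*' matches every value and restricts nothing")
    return findings


def lint_policy_text(text):
    """Validate JSON syntax first, then lint each statement's Condition."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    statements = policy["Statement"] if "Statement" in policy else [policy]  # full policy or bare statement
    findings = []
    for index, statement in enumerate(statements):
        if "Condition" in statement:
            findings.extend(lint_condition(statement["Condition"], f"Statement[{index}].Condition"))
    return findings


# The "Business Hours Only" policy from this page, as the text to check.
BUSINESS_HOURS = """{
  "Version": "2023-01-01",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["sm:*"],
    "Resource": ["ssrn:ss:sm::578:*"],
    "Condition": {
      "DateGreaterThan": {"aws:CurrentTime": "09:00:00Z"},
      "DateLessThan": {"aws:CurrentTime": "17:00:00Z"}
    }
  }]
}"""

if __name__ == "__main__":
    for finding in lint_policy_text(BUSINESS_HOURS):
        print(finding)
```

Findings are returned rather than printed so the linter can run in a CI step that fails the build when the list is non-empty, which covers the "Validate Syntax" and "Test Individual Conditions" tips without needing a live evaluation environment.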