Become an AWS pro by understanding IAM, learning to write policies, and configuring access. Get hands-on with realistic examples, developed by AWS Solution Certified Architects. No setup, no cleanup, no hassle.

A Practical Guide to AWS IAM by Tamás Sallai_468 x 60 .png

This course is about how AWS IAM works and how to write policies to control access in an AWS account. In this course, you will learn how AWS APIs work, explore different parts of the requests made to the APIs and elaborates on how access is determined. Additionally, you will dive into how to configure access inside AWS by describing the policy structure and the 5 policy types AWS supports.

Further, you will become familiar with how the elements in the request and the policies fit together. You will also determine whether the operation is allowed or denied by demonstrating through several step-by-step realistic examples that show exactly how IAM evaluates access, thus providing templates for how to apply these protections to AWS environments.

Lastly, this course offers you some practical tips on how to secure an account both as an administrator and as a developer. It explains the best practices and the usual pitfalls of AWS security.

AWS Security Fundamentals: A Practical Guide to AWS IAM

# Condition
The last filter element is the `Condition` that matches additional data attached to the request, as we've discussed in the [Metadata](https://www.educative.io/courses/aws-security-iam/access-elements-resource-action-and-metadata) lesson. This allows powerful fine-grained control over when the policy matches the request.

## Strings
There are multiple types of metadata that IAM policies support, but the most common is the *String* type, which is a simple text format.  With the [String operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String), we can specify what the value needs to be for the policy to match.

For example, this condition matches when the value of the `s3:ExistingObjectTag/access` is `projectA`:
```JSON
{
    "Condition": {
        "StringEquals": {
            "s3:ExistingObjectTag/access": "projectA"
        }
    },
    // ...
}
```

> **s3:ExistingObjectTag:** The `s3:ExistingObjectTag/<key>` is the tag attached to the S3 object. It is defined when the resource in the request targets the object, such as for the `s3:GetObject` action. It is not effective when the target of the operation is the bucket, such as for the `s3:DeleteObject` or `s3:PutObject` actions.
<br> The name of the tag is in the key of the condition, so the `s3:ExistingObjectTag/access` is the value for the `access` tag. This way we can target different tags by specifying multiple `s3:ExistingObjectTag` keys.

Conditions also support **multiple values**. The following condition matches when the object has the `access` tag as either `projectA` or `projectB`:
```JSON
{
    "Condition": {
        "StringEquals": {
            "s3:ExistingObjectTag/access": [
                "projectA",
                "projectB"
            ]
        }
    },
    // ...
}
```
The `StringEquals` is for strict equality check, but we can also use `StringLike` that **supports wildcards**. The following condition matches all `access` tags that start with `project`:
```JSON
{
    "Condition": {
        "StringLike": {
            "s3:ExistingObjectTag/access": "project*"
        }
    },
    // ...
}
```
**Multiple values** inside an operator, such as `StringEquals`, *are all needed to pass* for the policy to match. This policy matches only when the S3 object is tagged with `projectA` *and* the user with `admin`:
```JSON
{
    "Condition": {
        "StringEquals": {
            "s3:ExistingObjectTag/access": "projectA",
            "aws:PrincipalTag/access": "admin"
        }
    },
    // ...
}
```
It works the same *across* different operators. This condition matches when the object's `access` tag starts with `project` *and* the user's `access` tag is `admin`:
```JSON
{
    "Condition": {
        "StringLike": {
            "s3:ExistingObjectTag/access": "project*"
        },
        "StringEquals": {
            "aws:PrincipalTag/access": "admin"
        }
    },
    // ...
}
```
> **aws:PrincipalTag:** The `aws:PrincipalTag/<key>` is a tag attached to the Principal, for example, the IAM user making the request. It works similar to the `s3:ExistingObjectTag`, as different tags are accessible using different keys.

Apart from checking for equality, the operators have **Not** counterparts too. These work like `NotPrincipal`, `NotAction`, and `NotResource` and they match when the value in the metadata does not equal the provided value or values. For example, this condition tests the `aws:RequestedRegion` and matches if it is outside the predefined values:
```JSON
{
    "Condition": {
        "StringNotEquals": {
            "aws:RequestedRegion": [
                "eu-west-1", "eu-central-1"
            ]
        }
    },
    // ...
}
```
> **aws:RequestedRegion:** The `aws:RequestedRegion` contains the region the request is made to. Most services are regional, but there are some global ones, such as IAM, that need all their requests to go to the `us-east-1` region. 

This is especially useful with 'Deny' policies, where we can ensure that anything other than the allowed values are denied.

Let's test your knowledge of **strings**!

Learn about the final filter element for IAM policies.

Introduction

Access Control Basics

User Management using IAM

IAM Policies

Request Evaluation Flow and Examples

Role Management Using Identity and Access Management (IAM)

How to Secure an AWS Account

Conclusion

Appendix

Filters: Condition

Condition

Strings