AWS IAM global condition keys
IAM policy conditions let you grant access only when request context matches.
Global condition keys are the aws:-prefixed keys available across nearly every
service — source IP, MFA state, request time, TLS, and request/principal tags.
This reference lists the most-used keys with their value type and the matching
operator family, plus a copyable example.
How it works
A Condition block maps an operator to a key and one or more values; the
statement only applies when the test passes. Pick the operator family from the
key’s value type:
"Condition": {
"IpAddress": { "aws:SourceIp": ["203.0.113.0/24"] },
"Bool": { "aws:MultiFactorAuthPresent": "true" },
"DateGreaterThan": { "aws:CurrentTime": "2026-01-01T00:00:00Z" }
}
- String keys (e.g.
aws:PrincipalTag/team) →StringEquals,StringLike. - IP keys (
aws:SourceIp) →IpAddress/NotIpAddresswith CIDR. - Bool keys (
aws:SecureTransport,aws:MultiFactorAuthPresent) →Bool. - Date keys (
aws:CurrentTime) →DateGreaterThanfamily. - Numeric keys (
aws:MultiFactorAuthAge) →NumericLessThanfamily.
Commonly used global keys
| Key | Type | Typical use |
|---|---|---|
aws:SourceIp | IP | Restrict to known office or data center CIDR ranges |
aws:VpcSourceIp | IP | Same as SourceIp but for requests routed through a VPC endpoint |
aws:SourceVpc | String | Require requests to originate from a specific VPC ID |
aws:SourceVpce | String | Require a specific VPC endpoint to be used |
aws:SecureTransport | Bool | Deny any request not using TLS (HTTPS); common on S3 bucket policies |
aws:MultiFactorAuthPresent | Bool | Require MFA for sensitive operations |
aws:MultiFactorAuthAge | Numeric | Require MFA to have been done within N seconds |
aws:CurrentTime | Date | Time-window access — grant access only during business hours |
aws:RequestedRegion | String | Prevent services from being used in unapproved regions |
aws:PrincipalOrgID | String | Limit a resource policy to all accounts in your AWS Organization |
aws:PrincipalTag/key | String | Check a tag on the calling principal (IAM user or role) |
aws:RequestTag/key | String | Check a tag that was passed in the API call (e.g. during resource creation) |
aws:ResourceTag/key | String | Check a tag already on the target resource |
aws:TagKeys | String (multi) | Restrict which tag keys can be set on a resource |
Practical patterns
Require TLS on S3 (bucket policy):
{ "Effect": "Deny", "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
"Principal": "*", "Condition": { "Bool": { "aws:SecureTransport": "false" } } }
Require MFA for destructive IAM actions:
{ "Effect": "Deny", "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice"],
"Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } }
Limit API calls to specific regions:
{ "Effect": "Deny", "Action": "*", "Resource": "*",
"Condition": { "StringNotEquals": { "aws:RequestedRegion": ["eu-west-1", "eu-west-2"] } } }
Tips and notes
- Pair tag keys:
aws:RequestTag/*checks tags in the request, whileaws:ResourceTag/*checks tags already on the target resource. - Use the
IfExistssuffix (e.g.BoolIfExists) so aDenydoes not accidentally block contexts where the key is absent — service-linked roles never carry MFA context. aws:SourceIpevaluates the apparent public IP and breaks for VPC-endpoint traffic — switch toaws:VpcSourceIpthere.aws:PrincipalOrgIDis the cleanest way to limit a resource policy to your whole AWS Organization without listing account IDs.