AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-04-16 · Documentation low

File: IAM/latest/UserGuide/reference_policies_condition-logic-multiple-context-keys-or-values.md

Summary

Added detailed evaluation examples tables showing policy condition logic for StringEquals+ArnLike and StringEquals+ArnNotLike combinations with principal tags and ARNs

Security assessment

The changes provide clarification about IAM policy evaluation logic but do not address any specific security vulnerability. The examples demonstrate proper use of security-related condition keys (aws:PrincipalTag, aws:PrincipalArn) for access control, which is security documentation.

Diff

diff --git a/IAM/latest/UserGuide/reference_policies_condition-logic-multiple-context-keys-or-values.md b/IAM/latest/UserGuide/reference_policies_condition-logic-multiple-context-keys-or-values.md
index a8be854e5..818197b75 100644
--- a//IAM/latest/UserGuide/reference_policies_condition-logic-multiple-context-keys-or-values.md
+++ b//IAM/latest/UserGuide/reference_policies_condition-logic-multiple-context-keys-or-values.md
@@ -75,0 +76,147 @@ For example, the following S3 bucket policy illustrates how the previous figure
+The following table shows how AWS evaluates this policy based on the condition key values in your request.
+
+Policy Condition | Request Context | Result  
+---|---|---  
+      
+    
+    "StringEquals": {
+      "aws:PrincipalTag/department": [
+        "finance",
+        "hr",
+        "legal"
+      ],
+      "aws:PrincipalTag/role": [
+        "audit",
+        "security"
+      ]
+    },
+    "ArnLike": {
+      "aws:PrincipalArn": [
+          "arn:aws:iam::222222222222:user/Ana",
+          "arn:aws:iam::222222222222:user/Mary"
+      ]
+    }
+
+| 
+    
+    
+    aws:PrincipalTag/department: legal
+    aws:PrincipalTag/role: audit
+    aws:PrincipalArn: 
+      arn:aws:iam::222222222222:user/Mary
+
+|  **Match**  
+      
+    
+    "StringEquals": {
+      "aws:PrincipalTag/department": [
+        "finance",
+        "hr",
+        "legal"
+      ],
+      "aws:PrincipalTag/role": [
+        "audit",
+        "security"
+      ]
+    },
+    "ArnLike": {
+      "aws:PrincipalArn": [
+          "arn:aws:iam::222222222222:user/Ana",
+          "arn:aws:iam::222222222222:user/Mary"
+      ]
+    }
+
+| 
+    
+    
+    aws:PrincipalTag/department: hr
+    aws:PrincipalTag/role: audit
+    aws:PrincipalArn:
+      arn:aws:iam::222222222222:user/Nikki
+
+| **No match**  
+      
+    
+    "StringEquals": {
+      "aws:PrincipalTag/department": [
+        "finance",
+        "hr",
+        "legal"
+      ],
+      "aws:PrincipalTag/role": [
+        "audit",
+        "security"
+      ]
+    },
+    "ArnLike": {
+      "aws:PrincipalArn": [
+          "arn:aws:iam::222222222222:user/Ana",
+          "arn:aws:iam::222222222222:user/Mary"
+      ]
+    }
+
+| 
+    
+    
+    aws:PrincipalTag/department: hr
+    aws:PrincipalTag/role: payroll
+    aws:PrincipalArn:
+      arn:aws:iam::222222222222:user/Mary
+
+| **No match**  
+      
+    
+    "StringEquals": {
+      "aws:PrincipalTag/department": [
+        "finance",
+        "hr",
+        "legal"
+      ],
+      "aws:PrincipalTag/role": [
+        "audit",
+        "security"
+      ]
+    },
+    "ArnLike": {
+      "aws:PrincipalArn": [
+          "arn:aws:iam::222222222222:user/Ana",
+          "arn:aws:iam::222222222222:user/Mary"
+      ]
+    }
+
+|  No `aws:PrincipalTag/role` in the request context.
+    
+    
+    aws:PrincipalTag/department: hr
+    aws:PrincipalArn:
+      arn:aws:iam::222222222222:user/Mary
+
+| **No match**  
+      
+    
+    "StringEquals": {
+      "aws:PrincipalTag/department": [
+        "finance",
+        "hr",
+        "legal"
+      ],
+      "aws:PrincipalTag/role": [
+        "audit",
+        "security"
+      ]
+    },
+    "ArnLike": {
+      "aws:PrincipalArn": [
+          "arn:aws:iam::222222222222:user/Ana",
+          "arn:aws:iam::222222222222:user/Mary"
+      ]
+    }
+
+| No `aws:PrincipalTag` in the request context.
+    
+    
+    aws:PrincipalArn:
+      arn:aws:iam::222222222222:user/Mary
+
+| **No match**  
+  
@@ -120,0 +268,148 @@ For example, the following S3 bucket policy illustrates how the previous figure
+The following table shows how AWS evaluates this policy based on the condition key values in your request.
+
+Policy Condition | Request Context | Result  
+---|---|---  
+      
+    
+    "StringEquals": {
+      "aws:PrincipalTag/department": [
+        "finance",
+        "hr",
+        "legal"
+      ],
+      "aws:PrincipalTag/role": [
+        "audit",
+        "security"
+      ]
+    },
+    "ArnNotLike": {
+      "aws:PrincipalArn": [
+          "arn:aws:iam::222222222222:user/Ana",
+          "arn:aws:iam::222222222222:user/Mary"
+      ]
+    }
+
+| 
+    
+    
+    aws:PrincipalTag/department: legal
+    aws:PrincipalTag/role: audit
+    aws:PrincipalArn:
+      arn:aws:iam::222222222222:user/Nikki
+    
+
+|  **Match**  
+      
+    
+    "StringEquals": {
+      "aws:PrincipalTag/department": [
+        "finance",
+        "hr",
+        "legal"
+      ],
+      "aws:PrincipalTag/role": [
+        "audit",
+        "security"
+      ]
+    },