AWS IAM documentation change
Summary
Added detailed evaluation examples tables showing policy condition logic for StringEquals+ArnLike and StringEquals+ArnNotLike combinations with principal tags and ARNs
Security assessment
The changes provide clarification about IAM policy evaluation logic but do not address any specific security vulnerability. The examples demonstrate proper use of security-related condition keys (aws:PrincipalTag, aws:PrincipalArn) for access control, which is security documentation.
Diff
diff --git a/IAM/latest/UserGuide/reference_policies_condition-logic-multiple-context-keys-or-values.md b/IAM/latest/UserGuide/reference_policies_condition-logic-multiple-context-keys-or-values.md index a8be854e5..818197b75 100644 --- a//IAM/latest/UserGuide/reference_policies_condition-logic-multiple-context-keys-or-values.md +++ b//IAM/latest/UserGuide/reference_policies_condition-logic-multiple-context-keys-or-values.md @@ -75,0 +76,147 @@ For example, the following S3 bucket policy illustrates how the previous figure +The following table shows how AWS evaluates this policy based on the condition key values in your request. + +Policy Condition | Request Context | Result +---|---|--- + + + "StringEquals": { + "aws:PrincipalTag/department": [ + "finance", + "hr", + "legal" + ], + "aws:PrincipalTag/role": [ + "audit", + "security" + ] + }, + "ArnLike": { + "aws:PrincipalArn": [ + "arn:aws:iam::222222222222:user/Ana", + "arn:aws:iam::222222222222:user/Mary" + ] + } + +| + + + aws:PrincipalTag/department: legal + aws:PrincipalTag/role: audit + aws:PrincipalArn: + arn:aws:iam::222222222222:user/Mary + +| **Match** + + + "StringEquals": { + "aws:PrincipalTag/department": [ + "finance", + "hr", + "legal" + ], + "aws:PrincipalTag/role": [ + "audit", + "security" + ] + }, + "ArnLike": { + "aws:PrincipalArn": [ + "arn:aws:iam::222222222222:user/Ana", + "arn:aws:iam::222222222222:user/Mary" + ] + } + +| + + + aws:PrincipalTag/department: hr + aws:PrincipalTag/role: audit + aws:PrincipalArn: + arn:aws:iam::222222222222:user/Nikki + +| **No match** + + + "StringEquals": { + "aws:PrincipalTag/department": [ + "finance", + "hr", + "legal" + ], + "aws:PrincipalTag/role": [ + "audit", + "security" + ] + }, + "ArnLike": { + "aws:PrincipalArn": [ + "arn:aws:iam::222222222222:user/Ana", + "arn:aws:iam::222222222222:user/Mary" + ] + } + +| + + + aws:PrincipalTag/department: hr + aws:PrincipalTag/role: payroll + aws:PrincipalArn: + arn:aws:iam::222222222222:user/Mary + +| **No match** + + + "StringEquals": { + "aws:PrincipalTag/department": [ + "finance", + "hr", + "legal" + ], + "aws:PrincipalTag/role": [ + "audit", + "security" + ] + }, + "ArnLike": { + "aws:PrincipalArn": [ + "arn:aws:iam::222222222222:user/Ana", + "arn:aws:iam::222222222222:user/Mary" + ] + } + +| No `aws:PrincipalTag/role` in the request context. + + + aws:PrincipalTag/department: hr + aws:PrincipalArn: + arn:aws:iam::222222222222:user/Mary + +| **No match** + + + "StringEquals": { + "aws:PrincipalTag/department": [ + "finance", + "hr", + "legal" + ], + "aws:PrincipalTag/role": [ + "audit", + "security" + ] + }, + "ArnLike": { + "aws:PrincipalArn": [ + "arn:aws:iam::222222222222:user/Ana", + "arn:aws:iam::222222222222:user/Mary" + ] + } + +| No `aws:PrincipalTag` in the request context. + + + aws:PrincipalArn: + arn:aws:iam::222222222222:user/Mary + +| **No match** + @@ -120,0 +268,148 @@ For example, the following S3 bucket policy illustrates how the previous figure +The following table shows how AWS evaluates this policy based on the condition key values in your request. + +Policy Condition | Request Context | Result +---|---|--- + + + "StringEquals": { + "aws:PrincipalTag/department": [ + "finance", + "hr", + "legal" + ], + "aws:PrincipalTag/role": [ + "audit", + "security" + ] + }, + "ArnNotLike": { + "aws:PrincipalArn": [ + "arn:aws:iam::222222222222:user/Ana", + "arn:aws:iam::222222222222:user/Mary" + ] + } + +| + + + aws:PrincipalTag/department: legal + aws:PrincipalTag/role: audit + aws:PrincipalArn: + arn:aws:iam::222222222222:user/Nikki + + +| **Match** + + + "StringEquals": { + "aws:PrincipalTag/department": [ + "finance", + "hr", + "legal" + ], + "aws:PrincipalTag/role": [ + "audit", + "security" + ] + },