AWS IAM documentation change
Summary
Enhanced documentation for multi-valued context keys with new examples, policy evaluation tables, and clarification of ForAllValues operator behavior. Added guidance about using Null condition operator to check key existence.
Security assessment
Changes improve documentation about secure policy configuration (tagging controls and condition operators) but do not address a specific disclosed vulnerability. The added Null operator guidance helps prevent permissive policies but is general security best practice documentation.
Diff
diff --git a/IAM/latest/UserGuide/reference_policies_condition_examples-multi-valued-context-keys.md b/IAM/latest/UserGuide/reference_policies_condition_examples-multi-valued-context-keys.md index 29d0b112a..11739ba3d 100644 --- a//IAM/latest/UserGuide/reference_policies_condition_examples-multi-valued-context-keys.md +++ b//IAM/latest/UserGuide/reference_policies_condition_examples-multi-valued-context-keys.md @@ -13 +13 @@ The following set of policy examples demonstrate how to create policy conditions -The following example identity-based policy denies the use of IAM tagging actions when specific tag key prefixes are included in the request. Each value for context key `aws:TagKeys` includes a wildcard (*) for partial string matching. The policy includes the `ForAllValues` set operator with context key `aws:TagKeys` because the request context key can include multiple values. In order for context key `aws:TagKeys` to return true, every value in the request must match at least one value in the policy. +The following examples show how to use an identity-based policy to deny the use of IAM tagging actions when specific tag key prefixes are included in the request. The values for [aws:TagKeys](./reference_policies_condition-keys.html#condition-keys-tagkeys) include a wildcard (*) for partial string matching. The policy includes the `ForAllValues` set operator with context key `aws:TagKeys` because the request context key can include multiple values. In order for context key `aws:TagKeys` to match, every value in the request context must match at least one value in the policy. @@ -15 +15,3 @@ The following example identity-based policy denies the use of IAM tagging action -The `ForAllValues` set operator also returns true if there are no context keys in the request, or if the context key value resolves to a null dataset, such as an empty string. To prevent missing context keys or context keys with empty values from evaluating to true, include the `Null` condition operator in your policy with a value of `false` to check if the context key in the request exists and its value is not null. +The `ForAllValues` set operator also returns true if there are no context keys in the request. + +You can prevent missing context keys or context keys with empty values from evaluating to true by including a `Null` condition operator in your policy with a value of `false` to check if the context key in the request exists and its value is not null. For more information, see [Condition operator to check existence of condition keys ](./reference_policies_elements_condition_operators.html#Conditions_Null). @@ -20,0 +23,4 @@ This policy does not allow any actions. Use this policy in combination with othe +###### Example Deny a single policy condition value for a multivalued context key + +In the following example, the policy denies requests where the values for `aws:TagKeys` in the request do not include the prefix **key1**. The request context can have multiple values, but because of the `ForAllValues` condition set operator, all the tag key values in the request context must start with the prefix **key1**. + @@ -36,4 +42,80 @@ This policy does not allow any actions. Use this policy in combination with othe - "Null": { - "aws:TagKeys": "false" - }, - "ForAllValues:StringLike": { + "ForAllValues:StringNotLike": { + "aws:TagKeys": "key1*" + } + } + } + ] + } + +The following table shows how AWS evaluates this policy based on the condition key values in your request. For a Deny statement, Match is Denied and No match is Not denied, so it may be allowed by another statement. + +Policy Condition | Request Context | Result +---|---|--- + + + "ForAllValues:StringNotLike": { + "aws:TagKeys": "key1*" + } + +| + + + aws:TagKeys: + – key1:legal + +| **No match** May be allowed by another statement. + + + "ForAllValues:StringNotLike": { + "aws:TagKeys": "key1*" + } + +| + + + aws:TagKeys: + – key1:hr + – key1:personnel + +| **No match** May be allowed by another statement. + + + "ForAllValues:StringNotLike": { + "aws:TagKeys": "key1*" + } + +| + + + aws:TagKeys: + – key2:audit + +| **Match** + + + "ForAllValues:StringNotLike": { + "aws:TagKeys": "key1*" + } + +| No `aws:TagKeys` in the request context. | **Match** + +###### Example Deny multiple policy condition values for a multivalued context key + +In the following example, the policy denies requests where the values for `aws:TagKeys` in the request do not include the prefix **key1** or **key2**. The request context can have multiple values, but because of the `ForAllValues` condition set operator, all the tag key values in the request context must start with the prefix **key1** or **key2**. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DenyRestrictedTags", + "Effect": "Deny", + "Action": [ + "iam:Tag*", + "iam:UnTag*" + ], + "Resource": [ + "*" + ], + "Condition": { + "ForAllValues:StringNotLike": { @@ -42,2 +124 @@ This policy does not allow any actions. Use this policy in combination with othe - "key2*", - "key3*" + "key2*" @@ -50,0 +132,81 @@ This policy does not allow any actions. Use this policy in combination with othe +The following table shows how AWS evaluates this policy based on the condition key values in your request. For a Deny statement, Match is Denied and No match is Not denied, so it may be allowed by another statement. + +Policy Condition | Request Context | Result +---|---|--- + + + "ForAllValues:StringNotLike": { + "aws:TagKeys": [ + "key1*", + "key2*" + ] + } + +| + + + aws:TagKeys: + – key1:legal + +| **No match** May be allowed by another statement. + + + "ForAllValues:StringNotLike": { + "aws:TagKeys": [ + "key1*", + "key2*" + ] + } + +| + + + aws:TagKeys: + – key1:hr + – key1:personnel + +| **No match** May be allowed by another statement. + + + "ForAllValues:StringNotLike": { + "aws:TagKeys": [ + "key1*", + "key2*" + ] + } + +| + + + aws:TagKeys: + – key1:hr + – key2:audit + +| **No match** May be allowed by another statement. + + + "ForAllValues:StringNotLike": { + "aws:TagKeys": [ + "key1*", + "key2*" + ] + } + +| + + + aws:TagKeys: + – key3:legal + +| **Match** + + + "ForAllValues:StringNotLike": { + "aws:TagKeys": [ + "key1*", + "key2*" + ] + } + +| No `aws:TagKeys` in the request context. | **Match** + @@ -72 +234 @@ This policy does not allow any actions. Use this policy in combination with othe - "aws:TagKeys": ["environment", "webserver"] + "aws:TagKeys": "webserver" @@ -78,0 +241,54 @@ This policy does not allow any actions. Use this policy in combination with othe +The following table shows how AWS evaluates this policy based on the condition key values in your request. For a Deny statement, Match is Denied and No match is Not denied, so it may be allowed by another statement. + +Policy Condition | Request Context | Result +---|---|--- + + + "ForAnyValue:StringEquals": { + "aws:TagKeys": "webserver"