IAM policies can include condition elements to apply fine-grained, context-aware access controls. Conditions evaluate specific request attributes before granting or denying access.
aws:SourceIp
- Restricts API calls to those originating from specific IP addresses or CIDR ranges.
- Commonly used to limit access to corporate networks or known static IPs.
aws:RequestedRegion
- Limits which AWS Regions can be targeted by API calls.
- Enforces compliance and data residency requirements by restricting actions to approved regions.
ec2:ResourceTag
- Controls access based on tags attached to EC2 resources.
- Useful for allowing or denying actions only on resources with matching key-value tags (e.g., Environment=Prod).
aws:MultiFactorAuthPresent
- Grants access only if the request is authenticated using MFA.
- Helps protect sensitive operations by requiring additional verification beyond passwords or access keys.
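The following policy is an added example (not from the original page) that combines all four condition keys above: the Allow statement only permits stopping and starting instances tagged Environment=Prod, from the corporate CIDR, in the approved Region; the Deny statement blocks termination unless MFA was used. The CIDR 203.0.113.0/24, the Region eu-west-1 and the tag value are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowProdStopStartFromCorpNetworkInApprovedRegion",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        "StringEquals": {
          "aws:RequestedRegion": ["eu-west-1"],
          "ec2:ResourceTag/Environment": "Prod"
        }
      }
    },
    {
      "Sid": "DenyTerminateWithoutMfa",
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
      }
    }
  ]
}
```

BoolIfExists is used in the Deny because aws:MultiFactorAuthPresent is absent from requests signed with long-term access keys, so a plain Bool check would never match them and the Deny would silently not apply. aws:SourceIp is likewise absent for requests that arrive through a VPC endpoint (use aws:VpcSourceIp there) or that an AWS service makes on your behalf, so source-IP restrictions can block those paths unless they are accounted for.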