What are IAM Condition Keys?
Condition keys let you add requirements to a policy statement so that it applies only when specific values from the request context match: source IP, MFA status, calling account, encryption settings, and more.
The Condition element is how a broad-looking statement becomes safe. It compares context keys from the request against the values you specify, using operators such as StringEquals, ArnLike, Bool, and IpAddress. Global keys (prefixed aws:) such as aws:SourceArn, aws:PrincipalOrgID, aws:MultiFactorAuthPresent, and aws:SecureTransport apply across services; each service also defines its own keys.
Conditions are central to least privilege and to closing cross-account gaps. The ExternalId check on a role trust policy, the aws:SourceArn check that prevents the confused-deputy problem, and the rule that S3 requests must use TLS (aws:SecureTransport) are all conditions.
Example
"Condition": {
  "Bool": { "aws:MultiFactorAuthPresent": "true" },
  "StringEquals": { "aws:PrincipalOrgID": "o-exampleorgid" }
}
Common mistake
Assuming a condition tightens access when it does not. A wrong operator (for example, StringLike or ArnLike with a wildcard that matches every principal), or a condition attached to the wrong statement, can silently leave the broad grant in place.
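To make the operator semantics and the wildcard mistake concrete, here is a small evaluator for a Condition block, added as an example (it is not Shieldly's code and not AWS's evaluation engine). It implements the core rule the operators above follow: every operator block must match, every key inside a block must match, a key matches if any of its listed values matches, and a key that is absent from the request context does not match. It covers StringEquals, StringLike, ArnLike, Bool, IpAddress and NotIpAddress only; it ignores multi-valued keys, the ...IfExists variants, Null, and policy variables. The request contexts, the account id 111122223333 and the role names are constructed sample values.

```python
"""Added example: a minimal evaluator for an IAM policy Condition block.
Not Shieldly's or AWS's code; semantics are simplified (single-valued keys,
no IfExists/Null operators, no policy variables). Sample data is constructed."""
import fnmatch
import ipaddress


def _str_equals(actual, expected):
    return actual == expected


def _str_like(actual, expected):
    # IAM wildcards: '*' matches any run of characters, '?' matches one.
    # fnmatchcase also treats '[...]' as a character class; IAM does not,
    # so this shortcut is only safe for values without brackets.
    return fnmatch.fnmatchcase(actual, expected)


def _bool(actual, expected):
    return str(actual).lower() == str(expected).lower()


def _ip_address(actual, expected):
    return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)


OPERATORS = {
    "StringEquals": _str_equals,
    "StringLike": _str_like,
    "ArnEquals": _str_equals,
    "ArnLike": _str_like,          # ARN matching uses the same * and ? wildcards
    "Bool": _bool,
    "IpAddress": _ip_address,
    "NotIpAddress": lambda actual, expected: not _ip_address(actual, expected),
}


def condition_matches(condition: dict, context: dict) -> bool:
    """True only if every operator block, and every key within it, matches.

    A key listed in the condition but absent from the request context makes
    the condition fail, which is why Bool aws:MultiFactorAuthPresent does not
    match requests signed with long-term access keys (the key is simply absent).
    """
    for op_name, keys in condition.items():
        op = OPERATORS[op_name]
        for key, expected in keys.items():
            if key not in context:
                return False
            values = expected if isinstance(expected, list) else [expected]
            if not any(op(context[key], value) for value in values):
                return False
    return True


# The condition from the example above.
PAGE_CONDITION = {
    "Bool": {"aws:MultiFactorAuthPresent": "true"},
    "StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"},
}

# Constructed request contexts.
MFA_IN_ORG = {"aws:MultiFactorAuthPresent": "true", "aws:PrincipalOrgID": "o-exampleorgid"}
NO_MFA = {"aws:MultiFactorAuthPresent": "false", "aws:PrincipalOrgID": "o-exampleorgid"}
OTHER_ORG = {"aws:MultiFactorAuthPresent": "true", "aws:PrincipalOrgID": "o-other"}
LONG_TERM_KEYS = {"aws:PrincipalOrgID": "o-exampleorgid"}   # no MFA key in context at all

# The common mistake: an ArnLike pattern that matches any role in any account,
# so the "condition" does not narrow the grant. The tight form pins the account
# and the role-name prefix (111122223333 and Deploy* are constructed values).
TOO_LOOSE = {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/*"}}
TIGHT = {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/Deploy*"}}

# A source-IP restriction with a list value: any listed network is acceptable.
OFFICE_ONLY = {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]}}


def summarize(condition: dict, contexts: dict) -> dict:
    """Evaluate one condition against several named contexts; returns name -> bool."""
    return {name: condition_matches(condition, ctx) for name, ctx in contexts.items()}


if __name__ == "__main__":
    print(summarize(PAGE_CONDITION, {
        "mfa-in-org": MFA_IN_ORG, "no-mfa": NO_MFA,
        "other-org": OTHER_ORG, "long-term-keys": LONG_TERM_KEYS,
    }))
    foreign = {"aws:PrincipalArn": "arn:aws:iam::999999999999:role/AnyRole"}
    print("too loose matches foreign role:", condition_matches(TOO_LOOSE, foreign))
    print("tight matches foreign role:", condition_matches(TIGHT, foreign))
```

Running it shows the example condition matching only the MFA-in-org context, and the loose ArnLike pattern matching a role from an unrelated account while the pinned pattern rejects it; that second result is the common mistake in miniature. For a real policy, the IAM policy simulator or a policy-analysis tool evaluates the full semantics that this sketch omits.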
Shieldly's AI-Powered analyzer explains why an IAM policy is risky and returns the fix in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.
Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.