What are global condition keys?

They are condition keys prefixed with aws: that are available across most AWS services, unlike service-specific keys like s3:prefix. They let you constrain a policy by request context such as source IP, whether MFA was used, the request time, or whether TLS was used.

What is the difference between aws:SourceIp and aws:VpcSourceIp?

aws:SourceIp is the public IP the request appears to come from and does not work for requests routed through a VPC endpoint. For traffic through a VPC endpoint use aws:VpcSourceIp, which is the private source IP, or aws:SourceVpc / aws:SourceVpce to scope by VPC or endpoint.

How do I require MFA in a policy?

Add a condition with aws:MultiFactorAuthPresent set to the boolean true using the Bool operator, or use aws:MultiFactorAuthAge with a numeric comparison to require recent MFA. Use IfExists or a Deny with BoolIfExists to avoid blocking service-linked calls that never carry MFA context.

Which operator goes with aws:CurrentTime?

Use the date operators DateGreaterThan, DateLessThan, DateGreaterThanEquals or DateLessThanEquals with an ISO 8601 timestamp. aws:CurrentTime is a Date type, so string operators will not work as expected.

What does aws:SecureTransport do?

It is a boolean that is true when the request was sent over TLS (HTTPS). A common hardening pattern is a Deny statement with aws:SecureTransport false to refuse any plaintext request, often applied to S3 bucket policies.

AWS IAM Global Condition Keys

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

AWS IAM global condition keys

IAM policy conditions let you grant access only when request context matches. Global condition keys are the aws:-prefixed keys available across nearly every service — source IP, MFA state, request time, TLS, and request/principal tags. This reference lists the most-used keys with their value type and the matching operator family, plus a copyable example.

How it works

A Condition block maps an operator to a key and one or more values; the statement only applies when the test passes. Pick the operator family from the key’s value type:

"Condition": {
  "IpAddress": { "aws:SourceIp": ["203.0.113.0/24"] },
  "Bool": { "aws:MultiFactorAuthPresent": "true" },
  "DateGreaterThan": { "aws:CurrentTime": "2026-01-01T00:00:00Z" }
}

String keys (e.g. aws:PrincipalTag/team) → StringEquals, StringLike.
IP keys (aws:SourceIp) → IpAddress / NotIpAddress with CIDR.
Bool keys (aws:SecureTransport, aws:MultiFactorAuthPresent) → Bool.
Date keys (aws:CurrentTime) → DateGreaterThan family.
Numeric keys (aws:MultiFactorAuthAge) → NumericLessThan family.

Tips and notes

Pair tag keys: aws:RequestTag/* checks tags in the request, while aws:ResourceTag/* checks tags already on the target resource.
Use the IfExists suffix (e.g. BoolIfExists) so a Deny does not accidentally block contexts where the key is absent.
aws:SourceIp evaluates the apparent public IP and breaks for VPC-endpoint traffic — switch to aws:VpcSourceIp there.
aws:PrincipalOrgID is the cleanest way to limit a resource policy to your whole AWS Organization without listing account IDs.