DEV Community

Raj Murugan

Guide: Single-Value and Multi-Value Contexts in AWS Policies

This guide covers single-value and multi-value request contexts in AWS IAM and SCP policies and how they shape fine-grained access control. A context determines how a condition key is evaluated against the request; the ForAnyValue and ForAllValues set operators add the flexibility needed to express conditions over keys that carry several values at once. The sections below explain the concepts, walk through practical policy examples, and close with actionable guidance for writing policies that are both secure and flexible.

Single-Value vs Multi-Value Contexts

Single-Value Context Keys

Single-value context keys represent a single attribute in the request, such as a specific VPC or IP address. These are straightforward and typically involve one-to-one matching.

  • Example Key: aws:SourceVpc
  • Example Request Context:
  {
    "aws:SourceVpc": "vpc-111bbccc"
  }

Multi-Value Context Keys

Multi-value context keys, on the other hand, represent attributes that may contain multiple values, such as tags, security groups, or organization paths.

  • Example Key: aws:RequestTag
  • Example Request Context:
  {
    "aws:RequestTag/Environment": ["Dev", "Prod"]
  }

How ForAnyValue and ForAllValues Work

ForAnyValue

The ForAnyValue condition matches if at least one value in the request satisfies the condition in the policy.

Example Policy:

Allow access if at least one Environment tag matches the allowed values.

{
  "Effect": "Allow",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::example-bucket/*",
  "Condition": {
    "ForAnyValue:StringEquals": {
      "aws:RequestTag/Environment": ["Dev", "Prod"]
    }
  }
}
  • Request Context: { "aws:RequestTag/Environment": ["Dev", "QA"] }
  • Evaluation: Allowed because Dev matches.

ForAllValues

The ForAllValues condition matches only if all values in the request satisfy the condition in the policy.

Example Policy:

Allow access only if all Environment tags match the allowed values.

{
  "Effect": "Allow",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::example-bucket/*",
  "Condition": {
    "ForAllValues:StringEquals": {
      "aws:RequestTag/Environment": ["Dev", "Prod"]
    }
  }
}
  • Request Context: { "aws:RequestTag/Environment": ["Dev", "QA"] }
  • Evaluation: Denied because QA is not allowed.

Using Wildcards in Conditions

Wildcards can simplify condition matching when patterns are involved. For example:

Example Policy:

Deny access if any Environment tag matches the pattern *Prod*.

{
  "Effect": "Deny",
  "Action": "s3:*",
  "Resource": "*",
  "Condition": {
    "ForAnyValue:StringLike": {
      "aws:RequestTag/Environment": ["*Prod*"]
    }
  }
}
  • Matches values such as Production or Prod-QA.

Comparison Tables

Multiple Context Keys in Allow Statements

Context Type | Policy Condition | Request Context | Evaluation
Single-Value | "Condition": { "StringEquals": { "aws:SourceVpc": "vpc-111bbccc" } } | { "aws:SourceVpc": "vpc-111bbccc" } | Allowed. Matches the specific VPC.
Multi-Value | "Condition": { "ForAnyValue:StringEquals": { "aws:RequestTag/Environment": ["Dev", "Prod"] } } | { "aws:RequestTag/Environment": ["Dev", "QA"] } | Allowed. At least one tag matches.
Multi-Value | "Condition": { "ForAllValues:StringEquals": { "aws:RequestTag/Environment": ["Dev", "Prod"] } } | { "aws:RequestTag/Environment": ["Dev", "QA"] } | Denied. Not all tags match.
Wildcards | "Condition": { "ForAnyValue:StringLike": { "aws:RequestTag/Environment": ["*Prod*"] } } | { "aws:RequestTag/Environment": ["Prod-QA", "Dev"] } | Allowed. At least one tag matches.

Multiple Context Keys in Deny Statements

Context Type | Policy Condition | Request Context | Evaluation
Single-Value | "Condition": { "StringNotEquals": { "aws:SourceVpc": "vpc-111bbccc" } } | { "aws:SourceVpc": "vpc-222ddddd" } | Denied. Does not match the allowed VPC.
Multi-Value | "Condition": { "ForAnyValue:StringNotEquals": { "aws:RequestTag/Environment": ["Dev", "Prod"] } } | { "aws:RequestTag/Environment": ["Dev", "QA"] } | Denied. At least one tag does not match.
Multi-Value | "Condition": { "ForAllValues:StringNotEquals": { "aws:RequestTag/Environment": ["Dev", "Prod"] } } | { "aws:RequestTag/Environment": ["QA", "Test"] } | Denied. None of the tags match.
Wildcards | "Condition": { "ForAnyValue:StringNotLike": { "aws:RequestTag/Environment": ["*Prod*"] } } | { "aws:RequestTag/Environment": ["Dev", "Prod-Test"] } | Denied. At least one tag does not match.
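The evaluation rules from the ForAnyValue/ForAllValues section and from both comparison tables, written as a small Python evaluator. This is an added example, not code from the post or from AWS; it assumes the post's request-context format (multi-valued keys as lists) and the function names are my own. It also covers the case the tables leave out: a request where the key is absent, for which ForAllValues is vacuously true and ForAnyValue is false under the documented IAM semantics.

```python
import fnmatch

# Added illustration of the condition-set semantics described above; not AWS
# code. Assumptions: the request context is a dict whose multi-valued keys
# hold lists (as in the post's examples), and the set-operator rules follow
# the public IAM documentation: ForAnyValue is false when the key is absent,
# ForAllValues is true when the key is absent (empty set), and a negated
# operator on a single-valued key is true when the key is absent.

_BASE = {
    "StringEquals": lambda v, p: v == p,
    # IAM StringLike supports '*' and '?'; fnmatchcase additionally treats
    # '[...]' specially, which is close enough for these examples.
    "StringLike": lambda v, p: fnmatch.fnmatchcase(v, p),
}

def value_satisfies(op, value, patterns):
    """One request value against an operator and its list of policy values.
    Positive ops succeed if ANY pattern matches; negated ops only if NONE do."""
    negated = "Not" in op
    hit = any(_BASE[op.replace("Not", "")](value, p) for p in patterns)
    return (not hit) if negated else hit

def condition_matches(condition, request):
    """True when every clause of an IAM Condition block holds for the request."""
    for full_op, clauses in condition.items():
        set_prefix, _, op = full_op.rpartition(":")   # "" for single-valued
        for key, patterns in clauses.items():
            patterns = [patterns] if isinstance(patterns, str) else patterns
            values = request.get(key, [])
            values = [values] if isinstance(values, str) else values
            if set_prefix == "ForAllValues":
                ok = all(value_satisfies(op, v, patterns) for v in values)
            elif set_prefix == "ForAnyValue":
                ok = any(value_satisfies(op, v, patterns) for v in values)
            elif key not in request:
                ok = "Not" in op
            else:
                ok = value_satisfies(op, values[0], patterns)
            if not ok:
                return False
    return True

def statement_effect(statement, request):
    """The statement's Effect if its Condition matches, otherwise None."""
    cond = statement.get("Condition", {})
    return statement["Effect"] if condition_matches(cond, request) else None

if __name__ == "__main__":
    allow = {"Effect": "Allow", "Condition": {"ForAllValues:StringEquals":
             {"aws:RequestTag/Environment": ["Dev", "Prod"]}}}
    print(statement_effect(allow, {"aws:RequestTag/Environment": ["Dev", "QA"]}))  # None
    print(statement_effect(allow, {}))  # Allow: key absent, ForAllValues is vacuously true
```

The last call is the practical caveat: an Allow that relies only on ForAllValues also matches a request that carries no such tag at all, so production policies usually pair it with a Null check on the same key.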

Key Takeaways

  1. Single-Value Contexts hold one value for an attribute, while Multi-Value Contexts hold several values for the same key in a single request.
  2. ForAnyValue matches if at least one value in the request satisfies the condition.
  3. ForAllValues matches only if every value in the request satisfies the condition.
  4. Use wildcards to add pattern-based flexibility in conditions.
  5. Test your policies thoroughly to ensure they meet your security and compliance needs.

By understanding these principles, you can create precise and effective AWS policies that protect your resources while enabling operational flexibility.


Tags: AWS Policies, IAM, SCP, ForAnyValue, ForAllValues, Access Control, Security
