Demo Policy with Conditions

Demo Policy with IP and Time-Based Conditions

In this tutorial, you’ll learn how to create an AWS IAM policy that restricts administrative actions to:

Two specific source IP address ranges
A strict time window between 09:00 – 17:00 UTC

This approach is ideal for junior administrators or use cases requiring both network- and time-based controls.

Prerequisites

An AWS account with IAM permissions to create policies
Familiarity with JSON policy syntax

Step 1: Open the IAM Console

Sign in to the AWS Management Console.
Navigate to IAM → Policies → Create policy.
Select the JSON tab.

Step 2: Define the Policy JSON

Paste the following JSON into the editor. This policy uses a single Deny statement with three conditions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "200.200.200.0/24",
            "200.200.201.0/24"
          ]
        },
        "DateLessThan": {
          "aws:CurrentTime": "2023-10-08T09:00:00Z"
        },
        "DateGreaterThan": {
          "aws:CurrentTime": "2023-10-08T17:00:00Z"
        }
      }
    }
  ]
}

Note

Modify the aws:CurrentTime ISO 8601 values to reflect your desired UTC time window.

Common IAM Condition Keys

Condition Key	Purpose	Example Value
NotIpAddress	Deny if source IP is outside allowed CIDRs	`["200.200.200.0/24", "200.200.201.0/24"]`
DateLessThan	Deny if current time is before this UTC timestamp	`"2023-10-08T09:00:00Z"`
DateGreaterThan	Deny if current time is after this UTC timestamp	`"2023-10-08T17:00:00Z"`

Step 3: Review and Create

Click Next.
Provide a Name (e.g., JuniorAdminsPolicy) and an optional Description.
Review the settings, then choose Create policy.

Search for your newly created policy by name in the IAM console to confirm that your IP and time-based restrictions are in place.