Demo Policy with IP and Time-Based Conditions
In this tutorial, you’ll learn how to create an AWS IAM policy that restricts administrative actions to:
- Two specific source IP address ranges
- A strict time window between 09:00 – 17:00 UTC
This approach is ideal for junior administrators or use cases requiring both network- and time-based controls.
Prerequisites
- An AWS account with IAM permissions to create policies
- Familiarity with JSON policy syntax
Step 1: Open the IAM Console
- Sign in to the AWS Management Console.
- Navigate to IAM → Policies → Create policy.
- Select the JSON tab.
Step 2: Define the Policy JSON
Paste the following JSON into the editor. The policy uses three Deny statements, one per restriction. IAM evaluates the condition operators inside a single Condition block with a logical AND, so putting NotIpAddress, DateLessThan and DateGreaterThan into one statement would only deny a request that is both before 09:00 and after 17:00, which can never happen. Separate Deny statements are combined with a logical OR, so any one of them is enough to block the request:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideAllowedIpRanges",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "200.200.200.0/24",
            "200.200.201.0/24"
          ]
        }
      }
    },
    {
      "Sid": "DenyBeforeWindowStart",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateLessThan": {
          "aws:CurrentTime": "2023-10-08T09:00:00Z"
        }
      }
    },
    {
      "Sid": "DenyAfterWindowEnd",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "2023-10-08T17:00:00Z"
        }
      }
    }
  ]
}
```
Note: Modify the aws:CurrentTime ISO 8601 values to reflect your desired UTC time window. aws:CurrentTime is compared against full timestamps, so the values above bound a single window on 2023-10-08, not a recurring daily 09:00 – 17:00 slot.
Common IAM Condition Keys
| Condition Key | Purpose | Example Value |
|---|---|---|
| NotIpAddress | Deny if the source IP is outside the allowed CIDRs | `["200.200.200.0/24", "200.200.201.0/24"]` |
| DateLessThan | Deny if the current time is before this UTC timestamp | `"2023-10-08T09:00:00Z"` |
| DateGreaterThan | Deny if the current time is after this UTC timestamp | `"2023-10-08T17:00:00Z"` |
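To see why the AND-within-a-statement, OR-across-statements rule matters, the following simulator evaluates the three operators on this page against a few constructed request contexts. It is an added example written for this page, not AWS code and not part of the course material; it models only NotIpAddress, DateLessThan and DateGreaterThan and ignores Allow statements, resource matching and policy variables. It compares a policy that carries all three operators in one Deny statement with one that splits them into three Deny statements, and shows that the single-statement form never denies anything because the two time operators cannot both hold at once.

```python
"""Minimal simulator of IAM condition evaluation for the three operators on this page.

Added example, not AWS code: operators inside one Condition block are ANDed,
separate Deny statements are ORed. Everything else in IAM is out of scope.
"""
import ipaddress
from datetime import datetime, timezone

ALLOWED_CIDRS = ["200.200.200.0/24", "200.200.201.0/24"]
WINDOW_START = "2023-10-08T09:00:00Z"
WINDOW_END = "2023-10-08T17:00:00Z"

# All three operators in one Deny statement: they are ANDed.
SINGLE_STATEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": ALLOWED_CIDRS},
            "DateLessThan": {"aws:CurrentTime": WINDOW_START},
            "DateGreaterThan": {"aws:CurrentTime": WINDOW_END},
        },
    }],
}

# One Deny statement per restriction: the restrictions are ORed.
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ALLOWED_CIDRS}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"DateLessThan": {"aws:CurrentTime": WINDOW_START}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"DateGreaterThan": {"aws:CurrentTime": WINDOW_END}}},
    ],
}


def _parse_time(value):
    # ISO 8601 with a trailing Z, as used in the policy and the request context.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _operator_matches(operator, key, expected, context):
    """Evaluate one condition operator against the request context."""
    actual = context[key]
    values = expected if isinstance(expected, list) else [expected]
    if operator == "NotIpAddress":
        ip = ipaddress.ip_address(actual)
        return not any(ip in ipaddress.ip_network(cidr) for cidr in values)
    if operator == "DateLessThan":
        return _parse_time(actual) < _parse_time(values[0])
    if operator == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(values[0])
    raise ValueError(f"unsupported operator {operator}")


def statement_matches(statement, context):
    # Operators inside one Condition block are ANDed: every one must hold.
    return all(
        _operator_matches(op, key, expected, context)
        for op, pairs in statement.get("Condition", {}).items()
        for key, expected in pairs.items()
    )


def is_denied(policy, context):
    # Deny statements are ORed: any matching Deny blocks the request.
    return any(
        s["Effect"] == "Deny" and statement_matches(s, context)
        for s in policy["Statement"]
    )


# Constructed request contexts (sample data, not captured traffic).
CONTEXTS = {
    "allowed_ip_in_window": {"aws:SourceIp": "200.200.200.10",
                             "aws:CurrentTime": "2023-10-08T12:00:00Z"},
    "foreign_ip_in_window": {"aws:SourceIp": "198.51.100.7",
                             "aws:CurrentTime": "2023-10-08T12:00:00Z"},
    "allowed_ip_too_early": {"aws:SourceIp": "200.200.201.5",
                             "aws:CurrentTime": "2023-10-08T08:59:59Z"},
    "allowed_ip_too_late": {"aws:SourceIp": "200.200.201.5",
                            "aws:CurrentTime": "2023-10-08T17:00:01Z"},
}


def compare_policies():
    """Return {context name: (denied by single-statement form, denied by split form)}."""
    return {name: (is_denied(SINGLE_STATEMENT_POLICY, ctx), is_denied(SPLIT_POLICY, ctx))
            for name, ctx in CONTEXTS.items()}


if __name__ == "__main__":
    for name, (single, split) in compare_policies().items():
        print(f"{name:22s} single-statement deny={single!s:5s} split deny={split}")
```

Running it shows the single-statement form returning False for every context, including a request from 198.51.100.7, while the split form denies the foreign IP and both out-of-window times and permits the in-range, in-window request. A quick check like this before attaching a Deny policy catches unreachable conditions that the console's JSON validator will not flag, since the policy is syntactically valid.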
Step 3: Review and Create
- Click Next.
- Provide a Name (e.g., JuniorAdminsPolicy) and an optional Description.
- Review the settings, then choose Create policy.
Search for your newly created policy by name in the IAM console to confirm it was created with your IP and time-based restrictions. The restrictions only take effect once the policy is attached to a user, group, or role.