Skip to main content

Demo Policy with IP and Time-Based Conditions

In this tutorial, you’ll learn how to create an AWS IAM policy that restricts administrative actions to:
  • Two specific source IP address ranges
  • A strict time window between 09:00 – 17:00 UTC
This approach is ideal for junior administrators or use cases requiring both network- and time-based controls.

Prerequisites

  • An AWS account with IAM permissions to create policies
  • Familiarity with JSON policy syntax

Step 1: Open the IAM Console

  1. Sign in to the AWS Management Console.
  2. Navigate to IAMPoliciesCreate policy.
  3. Select the JSON tab.

Step 2: Define the Policy JSON

Paste the following JSON into the editor. This policy uses a single Deny statement with three conditions: 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "200.200.200.0/24",
            "200.200.201.0/24"
          ]
        },
        "DateLessThan": {
          "aws:CurrentTime": "2023-10-08T09:00:00Z"
        },
        "DateGreaterThan": {
          "aws:CurrentTime": "2023-10-08T17:00:00Z"
        }
      }
    }
  ]
}
Modify the aws:CurrentTime ISO 8601 values to reflect your desired UTC time window.

Common IAM Condition Keys

Condition KeyPurposeExample Value
NotIpAddressDeny if source IP is outside allowed CIDRs["200.200.200.0/24", "200.200.201.0/24"]
DateLessThanDeny if current time is before this UTC timestamp"2023-10-08T09:00:00Z"
DateGreaterThanDeny if current time is after this UTC timestamp"2023-10-08T17:00:00Z"

Step 3: Review and Create

  1. Click Next.
  2. Provide a Name (e.g., JuniorAdminsPolicy) and an optional Description.
  3. Review the settings, then choose Create policy.
Search for your newly created policy by name in the IAM console to confirm that your IP and time-based restrictions are in place.

Watch Video

Practice Lab