AWS access control policy conditions are contained in {@link Statement} objects, and affect when a statement is applied. For example, a statement that allows access to an Amazon SQS queue could use a condition to only apply the effect of that statement for requests that are made before a certain date, or that originate from a range of IP addresses.
Multiple conditions can be included in a single statement, and all conditions must evaluate to true in order for the statement to take effect.
The set of conditions is D in the statement "A has permission to do B to C where D applies."
A condition is composed of three parts:
- Condition Key - The condition key declares which value of a request to pull in and compare against when a policy is evaluated by AWS. For example, using {@link ConditionFactory#SOURCE_IP_CONDITION_KEY} will cause AWS to pull in the current request's source IP as the first value to compare against every time your policy is evaluated.
- Comparison Type - Most condition types allow several ways to compare the value obtained from the condition key and the comparison value. For example, the {@link NumericComparisonType} enumerates the ways a {@link NumericCondition} can be evaluated (less than, greater than, equals, etc.).
- Comparison Value - This is a static value used as the second value in the comparison when your policy is evaluated. Depending on the comparison type, this value can optionally use wildcards. See the documentation for individual comparison types for more information.
There are many expressive conditions available in the com.amazonaws.auth.policy.conditions package to use in access control policy statements.
This class is not intended to be subclassed directly by users; instead, use the many available conditions and condition factories in the com.amazonaws.auth.policy.conditions package.
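The following is an added example (not code from the SDK's own documentation) of how the three parts of a condition come together in a statement, and how several conditions on one statement are ANDed. It assumes the AWS SDK for Java v1 core module on the classpath; the queue ARN, CIDR range and expiry date are constructed placeholders.

```java
import java.time.Instant;
import java.util.Date;

import com.amazonaws.auth.policy.Action;
import com.amazonaws.auth.policy.Condition;
import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Principal;
import com.amazonaws.auth.policy.Resource;
import com.amazonaws.auth.policy.Statement;
import com.amazonaws.auth.policy.Statement.Effect;
import com.amazonaws.auth.policy.conditions.ConditionFactory;
import com.amazonaws.auth.policy.conditions.DateCondition.DateComparisonType;
import com.amazonaws.auth.policy.conditions.IpAddressCondition.IpAddressComparisonType;

public class SqsQueuePolicyExample {
    // Placeholder queue ARN, constructed for this example.
    private static final String QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:example-queue";

    /** Builds a policy whose single Allow statement only applies when ALL conditions hold. */
    public static Policy buildPolicy(String allowedCidr, Date expiry) {
        Statement allowSend = new Statement(Effect.Allow)
            .withId("AllowSendFromRangeUntilExpiry")
            // Principal.AllUsers alone would be a public grant; the conditions below are
            // what narrow it, so every condition added here reduces exposure.
            .withPrincipals(Principal.AllUsers)
            .withActions(new Action("sqs:SendMessage"))
            .withResources(new Resource(QUEUE_ARN))
            .withConditions(
                // key aws:SourceIp, comparison IpAddress, value = CIDR range
                ConditionFactory.newIpAddressCondition(IpAddressComparisonType.IpAddress, allowedCidr),
                // key aws:CurrentTime, comparison DateLessThan, value = expiry timestamp
                ConditionFactory.newCurrentTimeCondition(DateComparisonType.DateLessThan, expiry),
                // key aws:SecureTransport, comparison Bool, value = true (TLS only)
                ConditionFactory.newSecureTransportCondition());
        return new Policy("ExampleQueuePolicy").withStatements(allowSend);
    }

    public static void main(String[] args) {
        Date expiry = Date.from(Instant.parse("2030-01-01T00:00:00Z"));
        Policy policy = buildPolicy("203.0.113.0/24", expiry);

        // Each Condition exposes the three parts described above.
        for (Condition c : policy.getStatements().iterator().next().getConditions()) {
            System.out.printf("type=%s key=%s values=%s%n",
                c.getType(), c.getConditionKey(), c.getValues());
        }
        // The JSON form is what gets attached to the queue via SetQueueAttributes.
        System.out.println(policy.toJson());
    }
}
```

Removing any one of the three conditions widens the grant, because a request only needs to satisfy the conditions that remain.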