Global conditions in IAM policies

Global conditions (with global: prefix) are conditions that can be applied to any policy statement because they are not service-specific. Service-specific conditions supported by each service are documented in service reference.

Date and time conditions

The following are simple examples of how to work with time-based conditions in IAM policy statements. For global:date, global:date-time, and global:time-of-day, the value needs to be specified with a time zone according to ISO/WD 8601-1. Following ISO/WD 8601-1, the character Z is used to designate that the date is in UTC.

Day of week

The policy is active on specific days of the week (GMT time zone).

Example:

ALLOW service:resource:permission WHERE global:week-day = "Monday";

Operators: =, IN

Date

The policy is active during a specified date range. The time zone must be specified.

Example:

ALLOW service:resource:permission WHERE global:date > "2022-05-03Z" AND global:date < "2022-05-05Z";

In this example the policy grants access on the 4th of May 2022 in UTC time zone.

Operators: <, >, =

Date and time

The policy is active according to a specified date and time. The time zone must be specified.

Example:

ALLOW service:resource:permission WHERE global:date-time > "2022-05-03T05:00:00+01:00";

Operators: <, >

Time of day

The policy is active each day during a specified time range. The time zone must be specified.

Example:

ALLOW service:resource:permission WHERE global:time-of-day > "09:00+01:00" AND global:time-of-day < "17:00+01:00";

Operators: <, >