Global conditions in IAM policies
Global conditions (with the global: prefix) are conditions that can be applied to any policy statement because they are not service-specific. Service-specific conditions supported by each service are documented in the service reference.
Date and time conditions
The following are simple examples of how to work with time-based conditions in IAM policy statements.
For global:date, global:date-time, and global:time-of-day, the value needs to be specified with a time zone according to ISO/WD 8601-1. Following ISO/WD 8601-1, the character Z is used to designate that the date is in UTC.
Day of week
The policy is active on specific days of the week (GMT time zone).
Example:
ALLOW service:resource:permission WHERE global:week-day = "Monday";
Operators: =, IN
Date
The policy is active during a specified date range. The time zone must be specified.
Example:
ALLOW service:resource:permission WHERE global:date > "2022-05-03Z" AND global:date < "2022-05-05Z";
In this example, both bounds are exclusive, so the policy grants access on the 4th of May 2022 in the UTC time zone.
Operators: <, >, =
Date and time
The policy is active according to a specified date and time. The time zone must be specified.
Example:
ALLOW service:resource:permission WHERE global:date-time > "2022-05-03T05:00:00+01:00";
Operators: <, >
Time of day
The policy is active each day during a specified time range. The time zone must be specified.
Example:
ALLOW service:resource:permission WHERE global:time-of-day > "09:00+01:00" AND global:time-of-day < "17:00+01:00";
Operators: <, >
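When reviewing a time-restricted policy, it helps to check which request instants actually fall inside the window once time zone offsets are applied. The following is an added example, not the IAM service's own code: it assumes each condition is evaluated by converting the request instant to the zone given in the condition value, and the names holds, active, OFFICE and MAY_4 are hypothetical.

```python
import operator
import re
from datetime import datetime, timedelta, timezone

# Operators the page lists for each global time condition.
ALLOWED = {"global:week-day": {"=", "IN"}, "global:date": {"<", ">", "="},
           "global:date-time": {"<", ">"}, "global:time-of-day": {"<", ">"}}
OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq,
       "IN": lambda actual, bound: actual in bound}
DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")

def split_zone(value):
    """Split a condition value into (local part, tzinfo); the zone is mandatory."""
    m = re.fullmatch(r"(.+?)(Z|[+-]\d{2}:\d{2})", value)
    if not m:
        raise ValueError(f"time zone missing in {value!r}")
    local, zone = m.groups()
    if zone == "Z":
        return local, timezone.utc
    offset = timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6]))
    return local, timezone(-offset if zone[0] == "-" else offset)

def holds(key, op, value, now):
    """Evaluate one condition against an aware datetime `now` (assumed semantics)."""
    if op not in ALLOWED[key]:
        raise ValueError(f"{op} is not listed for {key}")
    if key == "global:week-day":          # evaluated in GMT, per the page
        return OPS[op](DAYS[now.astimezone(timezone.utc).weekday()], value)
    local, tz = split_zone(value)
    here = now.astimezone(tz)             # request instant in the bound's zone
    if key == "global:date":
        return OPS[op](here.date(), datetime.strptime(local, "%Y-%m-%d").date())
    if key == "global:time-of-day":
        return OPS[op](here.time(), datetime.strptime(local, "%H:%M").time())
    return OPS[op](now, datetime.fromisoformat(local).replace(tzinfo=tz))

def active(conditions, now):
    """True when every (key, operator, value) condition holds (AND, as on the page)."""
    return all(holds(key, op, value, now) for key, op, value in conditions)

# Constructed inputs: the page's two windows, probed at UTC request instants.
OFFICE = [("global:time-of-day", ">", "09:00+01:00"),
          ("global:time-of-day", "<", "17:00+01:00")]
MAY_4 = [("global:date", ">", "2022-05-03Z"), ("global:date", "<", "2022-05-05Z")]

if __name__ == "__main__":
    for stamp in ("2022-05-04T08:30:00+00:00", "2022-05-04T16:30:00+00:00"):
        now = datetime.fromisoformat(stamp)
        print(stamp, "office:", active(OFFICE, now), "may4:", active(MAY_4, now))
```

A request at 16:30 UTC is already 17:30 at +01:00, so it falls outside the time-of-day window even though it looks like office hours in UTC.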