
Conditional keys support per endpoint (interface or gateway) #21

Open
philuxe opened this issue Sep 2, 2024 · 1 comment
@philuxe

philuxe commented Sep 2, 2024

Hi,

I was wondering whether there is a doc that provides supported conditions per endpoint service and by endpoint type (interface vs gateway)?
AWS Policy Generator supports only S3 and DynamoDB Gateway endpoints, and I'm not sure the suggested conditions (those in the drop-down menu) are all supported.
Also, it looks like I can push endpoint policies with unsupported conditions or with typos.

Thanks for your help.

@philuxe philuxe changed the title from "Condition support per endpoint (interface or gateway)" to "Conditional keys support per endpoint (interface or gateway)" on Sep 2, 2024
@liwadman liwadman self-assigned this Sep 9, 2024
@liwadman
Contributor

liwadman commented Sep 9, 2024

Hello. The policy generator tool you're talking about, https://awspolicygen.s3.amazonaws.com/policygen.html, is not up to date with condition keys, interface types, or service actions.

For support of global condition keys, the condition keys are supported except where otherwise noted here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html. We've actually recently updated that document to try to more clearly explain the different properties (role session, network, resource, principal) to give more information about the condition keys and their use cases.

For service-specific condition key support, the service authorization references are the right place to look: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html. Condition keys are supported on specific resources by specific actions, and are not limited to a specific policy type except where noted otherwise.

Working with this interactively, the policy editor for VPC endpoints in the AWS console was also updated recently and now features integrations with an interactive syntax checker and Access Analyzer's policy validation, and can identify errors such as unsupported condition keys with actions and resources, and more findings as documented here: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html.

Hope this helps!
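As an added example (not code from this issue, from AWS, or from this project), here is a small offline pre-check for the two failure modes the question describes, misspelled condition keys and operators that an endpoint policy accepts silently, plus a thin wrapper around the Access Analyzer `validate_policy` call that the answer points to. The global-key allowlist is a hand-picked partial set, service-specific keys are only flagged for lookup in the service authorization reference, and the sample policy is constructed for this example.

```python
import json
import re

# Partial allowlist of global condition keys (assumption: hand-picked from the IAM
# reference; extend as needed). IAM compares key names case-insensitively, so do we.
KNOWN_GLOBAL_KEYS = {k.lower() for k in (
    "aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn", "aws:PrincipalType",
    "aws:SourceVpc", "aws:SourceVpce", "aws:VpcSourceIp", "aws:SourceIp",
    "aws:ResourceAccount", "aws:ResourceOrgID", "aws:SecureTransport", "aws:userid")}
# Condition operators (with optional set-operator prefix and IfExists suffix).
OPERATOR_RE = re.compile(
    r"^(ForAllValues:|ForAnyValue:)?(String(Not)?Equals(IgnoreCase)?|String(Not)?Like|"
    r"Numeric(Not)?Equals|Numeric(Less|Greater)Than(Equals)?|Date(Not)?Equals|"
    r"Date(Less|Greater)Than(Equals)?|Bool|BinaryEquals|(Not)?IpAddress|"
    r"Arn(Not)?(Equals|Like)|Null)(IfExists)?$")

def lint_conditions(policy: dict) -> list:
    """Report operators and aws:* keys that cannot be valid; service-specific keys
    (s3:*, dynamodb:*, ...) are reported for lookup in the authorization reference."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        for operator, block in stmt.get("Condition", {}).items():
            if not OPERATOR_RE.match(operator):
                findings.append(f"{sid}: unknown condition operator '{operator}'")
            for key in block:
                service = key.partition(":")[0]
                if service.lower() == "aws":
                    if key.lower() not in KNOWN_GLOBAL_KEYS:
                        findings.append(f"{sid}: unknown global condition key '{key}'")
                else:
                    findings.append(f"{sid}: service key '{key}' - confirm in the "
                                    f"{service} authorization reference")
    return findings

def validate_with_access_analyzer(policy: dict) -> list:
    """Online check via IAM Access Analyzer (needs AWS credentials); a VPC endpoint
    policy is validated as a resource policy."""
    import boto3  # imported here so the offline lint runs without boto3 installed
    resp = boto3.client("accessanalyzer").validate_policy(
        policyDocument=json.dumps(policy), policyType="RESOURCE_POLICY")
    return resp["findings"]

# Constructed sample endpoint policy with two deliberate mistakes.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OrgOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {
        "StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid",
                         "aws:PrinciplOrgID": "o-exampleorgid"},  # typo in key name
        "StringEqual": {"s3:prefix": "reports/"}}}]}             # typo in operator
```

Run `lint_conditions(SAMPLE_POLICY)` before attaching a policy; the offline findings catch outright typos, while the Access Analyzer call is what reports keys that are spelled correctly but unsupported for the given actions and resources.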
