Using condition keys - Amazon ElastiCache
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using condition keys

You can specify conditions that determine how an IAM policy takes effect. In ElastiCache, you can use the Condition element of a JSON policy to compare keys in the request context with key values that you specify in your policy. For more information, see IAM JSON policy elements: Condition.

To see a list of ElastiCache condition keys, see Condition Keys for Amazon ElastiCache in the Service Authorization Reference.

For a list of global condition keys, see Amazon global condition context keys.

Specifying Conditions: Using Condition Keys

To implement fine-grained control, you write an IAM permissions policy that specifies conditions to control a set of individual parameters on certain requests. You then apply the policy to IAM users, groups, or roles that you create using the IAM console.

To apply a condition, you add the condition information to the IAM policy statement. In the following example, you specify the condition that any self-designed cache cluster created will be of node type cache.r5.large.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "StringEquals": { "elasticache:CacheNodeType": [ "cache.r5.large" ] } } } ] }

For more information, see Tag-Based access control policy examples.

For more information on using policy condition operators, see ElastiCache API permissions: Actions, resources, and conditions reference.

Example Policies: Using Conditions for Fine-Grained Parameter Control

This section shows example policies for implementing fine-grained access control on the previously listed ElastiCache parameters.

  1. elasticache:MaximumDataStorage:   Specify the maximum data storage of a serverless cache. Using the provided conditions, the customer can not create caches that can store more than a specific amount of data.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "NumericLessThanEquals": { "elasticache:MaximumDataStorage": "30" }, "StringEquals": { "elasticache:DataStorageUnit": "GB" } } } ] }
  2. elasticache:MaximumECPUPerSecond:   Specify the maximum ECPU per second value of a serverless cache. Using the provided conditions, the customer can not create caches that can execute more than a specific number of ECPUs per second.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "NumericLessThanEquals": { "elasticache:MaximumECPUPerSecond": "100000" } } } ] }
  3. elasticache:CacheNodeType:   Specify which NodeType(s) a user can create. Using the provided conditions, the customer can specify a single or a range value for a node type.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "StringEquals": { "elasticache:CacheNodeType": [ "cache.t2.micro", "cache.t2.medium" ] } } } ] }
  4. elasticache:EngineVersion:   Specify usage of engine version 1.6.6

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "StringEquals": { "elasticache:EngineVersion": "1.6.6" } } } ] }
  5. elasticache:KmsKeyId:   Specify usage of customer managed Amazon KMS keys.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "StringEquals": { "elasticache:KmsKeyId": "my-key" } } } ] }
  6. elasticache:CacheParameterGroupName:   Specify a non default parameter group with specific parameters from an organization on your clusters. You could also specify a naming pattern for your parameter groups or block delete on a specific parameter group name. Following is an example constraining usage of only "my-org-param-group".

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "StringEquals": { "elasticache:CacheParameterGroupName": "my-org-param-group" } } } ] }
  7. elasticache:CreateCacheCluster: Denying CreateCacheCluster action if the request tag Project is missing or is not equal to Dev, QA or Prod.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*", "arn:aws:elasticache:*:*:securitygroup:*", "arn:aws:elasticache:*:*:replicationgroup:*" ] }, { "Effect": "Deny", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "Null": { "aws:RequestTag/Project": "true" } } }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:AddTagsToResource" ], "Resource": "arn:aws:elasticache:*:*:cluster:*", "Condition": { "StringEquals": { "aws:RequestTag/Project": [ "Dev", "Prod", "QA" ] } } } ] }
  8. elasticache:CacheNodeType:   Allowing CreateCacheCluster with cacheNodeType cache.r5.large or cache.r6g.4xlarge and tag Project=XYZ.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "StringEqualsIfExists": { "elasticache:CacheNodeType": [ "cache.r5.large", "cache.r6g.4xlarge" ] }, "StringEquals": { "aws:RequestTag/Project": "XYZ" } } } ] }
Note

When creating polices to enforce tags and other condition keys together, the conditional IfExists may be required on condition key elements due to the extra elasticache:AddTagsToResource policy requirements for creation requests with the --tags parameter.