Using condition keys
You can specify conditions that determine how an IAM policy takes effect. In ElastiCache, you can use the Condition
element of a JSON policy to compare keys in the request context with key values that you specify in your policy.
For more information, see IAM JSON policy elements: Condition.
To see a list of ElastiCache condition keys, see Condition Keys for Amazon ElastiCache in the Service Authorization Reference.
For a list of global condition keys, see Amazon global condition context keys.
Specifying Conditions: Using Condition Keys
To implement fine-grained control, you write an IAM permissions policy that specifies conditions to control a set of individual parameters on certain requests. You then apply the policy to IAM users, groups, or roles that you create using the IAM console.
To apply a condition, you add the condition information to the IAM policy statement. In the following example, you specify the condition that any self-designed cache cluster created will be of node type cache.r5.large
.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "StringEquals": { "elasticache:CacheNodeType": [ "cache.r5.large" ] } } } ] }
For more information, see Tag-Based access control policy examples.
For more information on using policy condition operators, see ElastiCache API permissions: Actions, resources, and conditions reference.
Example Policies: Using Conditions for Fine-Grained Parameter Control
This section shows example policies for implementing fine-grained access control on the previously listed ElastiCache parameters.
elasticache:MaximumDataStorage: Specify the maximum data storage of a serverless cache. Using the provided conditions, the customer can not create caches that can store more than a specific amount of data.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "NumericLessThanEquals": { "elasticache:MaximumDataStorage": "30" }, "StringEquals": { "elasticache:DataStorageUnit": "GB" } } } ] }
elasticache:MaximumECPUPerSecond: Specify the maximum ECPU per second value of a serverless cache. Using the provided conditions, the customer can not create caches that can execute more than a specific number of ECPUs per second.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "NumericLessThanEquals": { "elasticache:MaximumECPUPerSecond": "100000" } } } ] }
elasticache:CacheNodeType: Specify which NodeType(s) a user can create. Using the provided conditions, the customer can specify a single or a range value for a node type.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "StringEquals": { "elasticache:CacheNodeType": [ "cache.t2.micro", "cache.t2.medium" ] } } } ] }
elasticache:EngineVersion: Specify usage of engine version 1.6.6
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "StringEquals": { "elasticache:EngineVersion": "1.6.6" } } } ] }
elasticache:KmsKeyId: Specify usage of customer managed Amazon KMS keys.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowDependentResources", "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscachesnapshot:*", "arn:aws:elasticache:*:*:snapshot:*", "arn:aws:elasticache:*:*:usergroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateServerlessCache" ], "Resource": [ "arn:aws:elasticache:*:*:serverlesscache:*" ], "Condition": { "StringEquals": { "elasticache:KmsKeyId": "my-key" } } } ] }
elasticache:CacheParameterGroupName: Specify a non default parameter group with specific parameters from an organization on your clusters. You could also specify a naming pattern for your parameter groups or block delete on a specific parameter group name. Following is an example constraining usage of only "my-org-param-group".
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "StringEquals": { "elasticache:CacheParameterGroupName": "my-org-param-group" } } } ] }
-
elasticache:CreateCacheCluster: Denying
CreateCacheCluster
action if the request tagProject
is missing or is not equal toDev
,QA
orProd
.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*", "arn:aws:elasticache:*:*:securitygroup:*", "arn:aws:elasticache:*:*:replicationgroup:*" ] }, { "Effect": "Deny", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "Null": { "aws:RequestTag/Project": "true" } } }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster", "elasticache:AddTagsToResource" ], "Resource": "arn:aws:elasticache:*:*:cluster:*", "Condition": { "StringEquals": { "aws:RequestTag/Project": [ "Dev", "Prod", "QA" ] } } } ] }
elasticache:CacheNodeType: Allowing
CreateCacheCluster
withcacheNodeType
cache.r5.large or cache.r6g.4xlarge and tagProject=XYZ
.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:parametergroup:*", "arn:aws:elasticache:*:*:subnetgroup:*" ] }, { "Effect": "Allow", "Action": [ "elasticache:CreateCacheCluster" ], "Resource": [ "arn:aws:elasticache:*:*:cluster:*" ], "Condition": { "StringEqualsIfExists": { "elasticache:CacheNodeType": [ "cache.r5.large", "cache.r6g.4xlarge" ] }, "StringEquals": { "aws:RequestTag/Project": "XYZ" } } } ] }
Note
When creating polices to enforce tags and other condition keys together, the conditional IfExists
may be required on condition key elements due to the extra elasticache:AddTagsToResource
policy requirements for creation requests with the --tags
parameter.