Single-valued vs. multivalued condition keys - Amazon Identity and Access Management
Single-valued vs. multivalued condition keys

The potential number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued, not the number of values listed in the policy condition. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have more than one value in the request context of an API call.

You can use any available single-valued condition key as a policy variable. You cannot use a multivalued condition key as a policy variable. For more information about policy variables, see IAM policy elements: Variables and tags.

Multivalued condition keys require the condition set operator ForAllValues or ForAnyValue. Condition keys that include key-value pairs, such as aws:RequestTag/tag-key and aws:ResourceTag/tag-key, can cause confusion because there can be multiple tag-key values. However, because each tag-key can have only one value, aws:RequestTag and aws:ResourceTag are both single-valued condition keys. Using condition set operators with single-valued condition keys can lead to overly permissive policies.
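The last point, as an added example that is not part of the AWS documentation: a simplified Python model of StringEquals with and without condition set operators. It relies on the documented IAM behaviour that ForAllValues evaluates to true when the key is absent from the request context; the evaluator functions, the sample request contexts and the choice of aws:TagKeys as the multivalued key are assumptions made for illustration.

```python
# Simplified model of IAM condition matching (StringEquals family only).
# Illustration only; this is not AWS's evaluation engine.
# A request context maps each condition key to the list of values it carries.

def string_equals(ctx, key, allowed):
    # Single-valued test: a key absent from the context never matches.
    values = ctx.get(key, [])
    return len(values) == 1 and values[0] in allowed

def for_all_values(ctx, key, allowed):
    # Every context value must be in the policy set.
    # all() over an empty list is True, so an absent key matches.
    return all(v in allowed for v in ctx.get(key, []))

def for_any_value(ctx, key, allowed):
    # At least one context value must be in the policy set.
    return any(v in allowed for v in ctx.get(key, []))

OPERATORS = {
    "StringEquals": string_equals,
    "ForAllValues:StringEquals": for_all_values,
    "ForAnyValue:StringEquals": for_any_value,
}

def condition_matches(condition, ctx):
    # All operator/key tests in a Condition block are ANDed together.
    return all(
        OPERATORS[op](ctx, key, set(allowed))
        for op, tests in condition.items()
        for key, allowed in tests.items()
    )

# Set operator on a single-valued key: the overly permissive form.
WEAK = {"ForAllValues:StringEquals": {"aws:RequestTag/team": ["security"]}}
# Same intent without the set operator.
FIXED = {"StringEquals": {"aws:RequestTag/team": ["security"]}}
# Set operator on a multivalued key, where it belongs.
MULTI = {"ForAllValues:StringEquals": {"aws:TagKeys": ["team", "env"]}}

# Constructed request contexts.
UNTAGGED = {}
TAGGED_OK = {"aws:RequestTag/team": ["security"], "aws:TagKeys": ["team"]}
TAGGED_WRONG = {"aws:RequestTag/team": ["marketing"], "aws:TagKeys": ["team"]}

if __name__ == "__main__":
    for name, ctx in [("untagged", UNTAGGED), ("ok", TAGGED_OK), ("wrong", TAGGED_WRONG)]:
        print(name, "weak:", condition_matches(WEAK, ctx), "fixed:", condition_matches(FIXED, ctx))
```

The untagged request satisfies WEAK but not FIXED, which is the gap an Allow statement written with ForAllValues on a single-valued key leaves open.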