I'm unable to understand the difference between Bool and BoolIfExists in an AWS IAM policy condition. Can someone please explain?
ex: "Condition" : {"BoolIfExists" : {"aws:MutliFactorAuthPresent" : false}}
"Condition" : {"Bool" : {"aws:MutliFactorAuthPresent" : false}}
CodePudding user response:
First, there is no such condition key as aws:MutliFactorAuthPresent. It should be aws:MultiFactorAuthPresent. Second, aws:MultiFactorAuthPresent is a global key, so it always exists. There is no reason to use IfExists for it.
Anyway, you need to remember that IAM condition keys (except global ones) are resource specific. For example, ec2:InstanceType applies only to EC2 instances, while ec2:VolumeSize works only with EBS volumes.
In addition, some IAM actions (e.g. ec2:RunInstances) require access to multiple resources, such as an EC2 instance and EBS volumes, etc. Thus when you craft IAM statements with actions that operate on multiple resources, such as ec2:RunInstances, and you want to add conditions, you may often get a mismatch, because not all your condition keys apply to all resources that will be accessed.
For example, the condition key ec2:VolumeSize does not apply to EC2 instances, but to EBS volumes. This fails because of the following rule:

A key that is not present in the request is considered a mismatch.

So you can use the ...IfExists condition operators to make sure that there is no failure in such cases.
An example of such IAM statement is:
{
    "Sid": "RunInstance",
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {
        "StringLikeIfExists": {
            "ec2:InstanceType": [
                "t1.*",
                "t2.*",
                "m3.*"
            ]
        }
    }
}
Without IfExists, there will be a mismatch, because ec2:RunInstances requires access to EBS volumes, and the ec2:InstanceType key does not apply to the volumes.
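To make the Bool vs. BoolIfExists difference concrete, here is a small Python model of the rule the answer quotes ("a key that is not present in the request is considered a mismatch"), applied to the two statements from the question and to the RunInstances statement from the answer. This is an added example, not code from the question, the answer, or AWS; it is a toy evaluator that supports only Bool, StringLike and their ...IfExists forms, and the request contexts are constructed by hand. One caveat a practitioner should keep in mind when choosing between the two operators: per the AWS IAM documentation, aws:MultiFactorAuthPresent is not populated at all for requests signed with long-term access keys, which is the context (labelled `CTX_ACCESS_KEY` below) where the two operators give different results.

```python
"""Toy model of IAM condition evaluation: Bool/BoolIfExists and StringLike/StringLikeIfExists.

Added example; not AWS's evaluator. Context values are the strings IAM uses ("true"/"false").
"""
import fnmatch


def _match(operator, expected, actual):
    """Compare one context value against the policy's expected value(s) for a base operator."""
    expected = expected if isinstance(expected, list) else [expected]
    if operator == "Bool":
        return str(actual).lower() in [str(e).lower() for e in expected]
    if operator == "StringLike":  # '*' and '?' wildcards, case-sensitive
        return any(fnmatch.fnmatchcase(str(actual), str(e)) for e in expected)
    raise ValueError(f"unsupported operator {operator}")


def condition_matches(condition, context):
    """True when every operator/key pair matches the request context.

    A key absent from the context is a mismatch, unless the operator ends in
    'IfExists', in which case the absent key is treated as matched.
    """
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base_op = op[: -len("IfExists")] if if_exists else op
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue      # ...IfExists: missing key does not fail the condition
                return False      # plain operator: missing key is a mismatch
            if not _match(base_op, expected, context[key]):
                return False
    return True


def evaluate(statement, context):
    """Return the statement's Effect if its condition applies to the context, else None."""
    applies = condition_matches(statement.get("Condition", {}), context)
    return statement["Effect"] if applies else None


# The two statements from the question (typo corrected), as Deny-without-MFA rules.
DENY_NO_MFA_BOOL = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
}
DENY_NO_MFA_IF_EXISTS = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# Constructed request contexts (not captured from AWS).
CTX_MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}    # temporary creds, MFA used
CTX_SESSION_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}  # temporary creds, no MFA
CTX_ACCESS_KEY = {}  # long-term access key: AWS does not populate the key at all


def compare_deny_statements():
    """(Bool result, BoolIfExists result) for each constructed context."""
    contexts = [("mfa_session", CTX_MFA_SESSION),
                ("session_no_mfa", CTX_SESSION_NO_MFA),
                ("access_key", CTX_ACCESS_KEY)]
    return {name: (evaluate(DENY_NO_MFA_BOOL, ctx), evaluate(DENY_NO_MFA_IF_EXISTS, ctx))
            for name, ctx in contexts}


# The RunInstances statement from the answer, evaluated once per resource the call touches.
RUN_INSTANCES_ALLOW = {
    "Sid": "RunInstance", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*",
    "Condition": {"StringLikeIfExists": {"ec2:InstanceType": ["t1.*", "t2.*", "m3.*"]}},
}
CTX_INSTANCE = {"ec2:InstanceType": "t2.micro"}  # the instance resource carries the key
CTX_VOLUME = {"ec2:VolumeSize": "8"}             # the EBS volume resource does not


def without_if_exists(statement):
    """Same statement with StringLikeIfExists replaced by plain StringLike."""
    cond = {op.replace("IfExists", ""): pairs for op, pairs in statement["Condition"].items()}
    return {**statement, "Condition": cond}


def run_instances_per_resource(statement):
    """(instance result, volume result) for a RunInstances statement."""
    return (evaluate(statement, CTX_INSTANCE), evaluate(statement, CTX_VOLUME))


if __name__ == "__main__":
    for name, outcome in compare_deny_statements().items():
        print(f"{name:16s} Bool={outcome[0]!s:5s} BoolIfExists={outcome[1]}")
    print("StringLikeIfExists:", run_instances_per_resource(RUN_INSTANCES_ALLOW))
    print("StringLike        :", run_instances_per_resource(without_if_exists(RUN_INSTANCES_ALLOW)))
```

Running it shows that Bool and BoolIfExists agree whenever the key is present; they only diverge for the access-key context, where the plain Bool deny silently does nothing while BoolIfExists still denies. The RunInstances half reproduces the answer's point: with plain StringLike the volume resource, which has no ec2:InstanceType key, fails the condition, and the whole call is not allowed.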