Specifying Conditions: Using Condition Keys Example Policies: Using Conditions for Fine-Grained Parameter Control

Using condition keys

You can specify conditions that determine how an IAM policy takes effect. In ElastiCache, you can use the Condition element of a JSON policy to compare keys in the request context with key values that you specify in your policy. For more information, see IAM JSON policy elements: Condition.

To see a list of ElastiCache condition keys, see Condition Keys for Amazon ElastiCache in the Service Authorization Reference.

For a list of global condition keys, see AWS global condition context keys.

Using ElastiCache With AWS Global Condition Keys

When using AWS Global condition keys that require ElastiCache's Principal, use an OR condition with both Principals: elasticache.amazonaws.com and ec.amazonaws.com.

Note

If you do not add both Principals for ElastiCache, the intended “Allow” or “Deny” action will not be enforced correctly for any resource listed in your policy.

Example of policy with aws:CalledVia global condition key:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*", 
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:CalledVia": [
            "ec.amazonaws.com",
            "elasticache.amazonaws.com"
          ]
        }
      }
    }
  ]
}

Specifying Conditions: Using Condition Keys

To implement fine-grained control, you write an IAM permissions policy that specifies conditions to control a set of individual parameters on certain requests. You then apply the policy to IAM users, groups, or roles that you create using the IAM console.

To apply a condition, you add the condition information to the IAM policy statement. In the following example, you specify the condition that any self-designed cache cluster created will be of node type cache.r5.large.

Note

To construct Condition elements using condition keys of String type, use the case insensitive condition operators StringEqualsIgnoreCase or StringNotEqualsIgnoreCase to compare a key to a string value.
ElastiCache processes the input arguments for CacheNodeType and CacheParameterGroupName in a case insensitive manner. For this reason, the string condition operators StringEqualsIgnoreCase, and StringNotEqualsIgnoreCase should be used in permissions policies that reference them.

The following shows an example of this permissions policy when using Valkey or Redis OSS.

The following shows an example of this permissions policy when using Memcached.

For more information, see Tagging your ElastiCache resources.

For more information on using policy condition operators, see ElastiCache API permissions: Actions, resources, and conditions reference.

Example Policies: Using Conditions for Fine-Grained Parameter Control

This section shows example policies for implementing fine-grained access control on the previously listed ElastiCache parameters.

elasticache:MaximumDataStorage: Specify the maximum data storage of a serverless cache. Using the provided conditions, the customer can not create caches that can store more than a specific amount of data.

elasticache:MaximumECPUPerSecond: Specify the maximum ECPU per second value of a serverless cache. Using the provided conditions, the customer can not create caches that can execute more than a specific number of ECPUs per second.

elasticache:CacheNodeType: Specify which NodeType(s) a user can create. Using the provided conditions, the customer can specify a single or a range value for a node type.

elasticache:CacheNodeType: With Memcached, specify which NodeType(s) a user can create. Using the provided conditions, the customer can specify a single or a range value for a node type.

elasticache:NumNodeGroups: Create a replication group with fewer than 20 node groups.

elasticache:ReplicasPerNodeGroup: Specify the replicas per node between 5 and 10.

elasticache:EngineVersion: Specify usage of engine version 5.0.6.

elasticache:EngineVersion: Specify usage of Memcached engine version 1.6.6

elasticache:EngineType: Specify using a Valkey or Redis OSS engine only.

elasticache:AtRestEncryptionEnabled: Specify that replication groups would be created only with encryption enabled.

elasticache:TransitEncryptionEnabled

Set the elasticache:TransitEncryptionEnabled condition key to false for the CreateReplicationGroup action to specify that replication groups can only be created when TLS is not being used:

When the elasticache:TransitEncryptionEnabled condition key is set to false in a policy for the CreateReplicationGroup action, a CreateReplicationGroup request will be allowed only if TLS is not being used (that is, if the request does not include a TransitEncryptionEnabled parameter set to true or a TransitEncryptionMode parameter set to required.

Set the elasticache:TransitEncryptionEnabled conditon key to true for the CreateReplicationGroup action to specify that replication groups can only be created when TLS is being used:

When the elasticache:TransitEncryptionEnabled condition key is set to true in a policy for the CreateReplicationGroup action, a CreateReplicationGroup request will be allowed only if the request includes a TransitEncryptionEnabled parameter set to true and a TransitEncryptionMode parameter set to required.

Set elasticache:TransitEncryptionEnabled to true for the ModifyReplicationGroup action to specify that replication groups can only be modified when TLS is being used:
JSON
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticache:ModifyReplicationGroup" ], "Resource": [ "arn:aws:elasticache:*:*:replicationgroup:*" ], "Condition": { "BoolIfExists": { "elasticache:TransitEncryptionEnabled": "true" } } } ] }
When the elasticache:TransitEncryptionEnabled condition key is set to true in a policy for the ModifyReplicationGroup action, a ModifyReplicationGroup request will be allowed only if the request includes a TransitEncryptionMode parameter set to required. The TransitEncryptionEnabled parameter set to true may optionally be included as well, but is not needed in this case to enable TLS.

elasticache:AutomaticFailoverEnabled: Specify that replication groups would be created only with automatic failover enabled.

elasticache:MultiAZEnabled: Specify that replication groups cannot be created with Multi-AZ disabled.

elasticache:ClusterModeEnabled: Specify that replication groups can only be created with cluster mode enabled.

elasticache:AuthTokenEnabled: Specify that replication groups can only be created with AUTH token enabled.

elasticache:SnapshotRetentionLimit: Specify the number of days (or min/max) to keep the snapshot. Below policy enforces storing backups for at least 30 days.

elasticache:KmsKeyId: Specify usage of customer managed AWS KMS keys.

elasticache:CacheParameterGroupName: Specify a non default parameter group with specific parameters from an organization on your clusters. You could also specify a naming pattern for your parameter groups or block delete on a specific parameter group name. Following is an example constraining usage of only "my-org-param-group".

elasticache:CacheParameterGroupName: With Memcached, specify a non default parameter group with specific parameters from an organization on your clusters. You could also specify a naming pattern for your parameter groups or block delete on a specific parameter group name. Following is an example constraining usage of only "my-org-param-group".

elasticache:CreateCacheCluster: Denying CreateCacheCluster action if the request tag Project is missing or is not equal to Dev, QA or Prod.

elasticache:CacheNodeType: Allowing CreateCacheCluster with cacheNodeType cache.r5.large or cache.r6g.4xlarge and tag Project=XYZ.

Note

When creating polices to enforce tags and other condition keys together, the conditional IfExists may be required on condition key elements due to the extra elasticache:AddTagsToResource policy requirements for creation requests with the --tags parameter.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Resource-level permissions

Using Service-Linked Roles