
What is the difference between the two conditions below? This condition is being appended to a customer managed policy which is attached to a user. The policy will enable the user to perform any operation on an EC2 instance, but the user could stop/terminate an EC2 instance only when authenticated through an MFA device.

"Effect": "Allow",
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}

"Effect": "Allow",
"Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}

PS: The AWS docs have the same example and the syntax has been copied from there. I posted this question since I could not understand what difference "IfExists" makes overall.



https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_IfExists

If I understand it correctly, this has to do with when the policy is used for many resources. Some of those resources may not have that condition as an option, and can fail the policy check. So this additional option adjusts it to only those resources that have that as an option, or where it "exists".

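The difference between the two operators, as an added Python example (not from the question, the answer, or AWS): a minimal model of how IAM evaluates `Bool` and `BoolIfExists` against a request context. The request contexts are constructed; the empty one stands for a request signed with long-term access keys, where AWS does not put `aws:MultiFactorAuthPresent` into the context at all.

```python
def evaluate_condition(condition: dict, request_context: dict) -> bool:
    """Return True when every condition block matches the request context.
    Only Bool and BoolIfExists are modelled; other operators raise."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base != "Bool":
            raise NotImplementedError(f"operator not modelled here: {operator}")
        for key, expected in pairs.items():
            if key not in request_context:
                # ...IfExists: a key missing from the request context counts as a match.
                if if_exists:
                    continue
                # Plain operator: a missing key never matches, so the statement is skipped.
                return False
            if str(request_context[key]).lower() != str(expected).lower():
                return False
    return True


def is_allowed(statement: dict, request_context: dict) -> bool:
    """Does this single Allow statement grant the request?"""
    if statement["Effect"] != "Allow":
        return False
    return evaluate_condition(statement.get("Condition", {}), request_context)


BOOL_STATEMENT = {
    "Effect": "Allow",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
}
IFEXISTS_STATEMENT = {
    "Effect": "Allow",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}},
}

# Constructed request contexts (not captured from AWS).
REQUEST_CONTEXTS = {
    "mfa_session": {"aws:MultiFactorAuthPresent": "true"},
    "no_mfa_session": {"aws:MultiFactorAuthPresent": "false"},
    "long_term_access_keys": {},  # key absent from the request context
}


def compare() -> dict:
    """Map each context name to (allowed under Bool, allowed under BoolIfExists)."""
    return {name: (is_allowed(BOOL_STATEMENT, ctx), is_allowed(IFEXISTS_STATEMENT, ctx))
            for name, ctx in REQUEST_CONTEXTS.items()}
```

For the long-term-keys context `Bool` yields False (the statement simply does not apply) while `BoolIfExists` yields True, so an Allow written with `BoolIfExists` would grant stop/terminate to a request that never went through MFA; that is why a defensive MFA rule is normally written as a Deny on the false/missing case rather than as an Allow.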