I'm curious if it's possible to set up an IAM policy that allows access only at specific times, days of the week, or days of the month, similar to a cron job. I know I've seen references to "aws:CurrentTime" in conditions, but those seem to only allow basic comparisons like less than or greater than. Does anyone have insights on how to achieve this?
4 Answers
I'm not sure that's doable directly through IAM policies. Instead, what we do is have an on-call rotation synced to specific user groups. When someone new goes on-call, an automation tool adds them to the group, which has permission to assume a specific role. If you're using something like the IAM Identity Center, you can create a group and link it to a Permission Set. The catch is that syncing changes to users might take over an hour.
Thanks for all the insights, everyone!
For scenarios where access is limited to specific dates, you can use conditions like "DateGreaterThan" and "DateLessThan" in your policy. But if you need fine control, such as only allowing access from 9 AM to 5 PM, you'll likely need to automate the process to adjust permissions accordingly.
It seems like to have a cron-style trigger for IAM policies, you'd need some sort of automation to keep updating the policies. The good news is that changes in these policies replicate fairly quickly, so it could work with the right setup.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures