
How to provide multiple StringNotEquals conditions in AWS policy?

I am trying to write AWS S3 bucket policy that denies all traffic except when it comes from two VPCs. The policy I'm trying to write looks like the one below, with a logical AND between the two StringNotEquals (except it's an invalid policy):

   {
     "Version": "2012-10-17",
     "Id": "Policy1415115909152",
     "Statement": [
       {
         "Sid": "Allow-access-only-from-two-VPCs",
         "Action": "s3:*",
         "Effect": "Deny",
         "Resource": ["arn:aws:s3:::my-bucket"],
         "Condition": {
           "StringNotEquals": {
             "aws:sourceVpc": "vpc-111bbccc"
           },
           "StringNotEquals": {
             "aws:sourceVpc": "vpc-111bbddd"
           }
         },
         "Principal": "*"
       }
     ]
   }

If I use this:

   "StringNotEquals": {
       "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
   }

then at least one of the string comparisons returns true and the S3 bucket is not accessible from anywhere.


  • Never tried this before. But the following should work. From: Using IAM Policy Conditions for Fine-Grained Access Control

        "Condition": {
            "ForAllValues:StringNotEquals": {
                "aws:sourceVpc": [
                    "vpc-111bbccc",
                    "vpc-111bbddd"
                ]
            }
        }
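To see how the ForAllValues:StringNotEquals condition from the answer evaluates against requests from each of the two VPCs and against a request that does not come through any VPC, here is an added toy evaluator in Python. It is not code from the question, the answer, or AWS. The VPC ids are the ones from the question; the request contexts and the vpc-000000ff id are constructed placeholders; and the semantics are a simplified model of IAM's negated matching (StringNotEquals with a list means "matches none of them") and of the ForAllValues set operator (every request value must satisfy the operator, and an absent key is the empty set).

```python
"""Toy evaluator for the Condition block of the bucket policy discussed above.

Added example, not from the question, the answer, or AWS. It models:
  * StringNotEquals with a list: negated matching, the request value must
    match none of the listed policy values.
  * The ForAllValues: prefix: every value the request carries for the key
    must satisfy the operator; an absent key is the empty set and satisfies it.
A negated operator on an absent key therefore evaluates to true, which is why
a Deny keyed on aws:sourceVpc also blocks requests that do not arrive through
any VPC (the S3 docs note that this includes console access).
"""
from typing import Callable, Dict, List, Union

Values = Union[str, List[str]]


def _as_list(v: Values) -> List[str]:
    """Policy values may be a single string or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]


def string_not_equals(request_value: str, policy_values: List[str]) -> bool:
    """Negated matching: true only if the request value matches none of the policy values."""
    return request_value not in policy_values


BASE_OPERATORS: Dict[str, Callable[[str, List[str]], bool]] = {
    "StringNotEquals": string_not_equals,
}


def evaluate_condition(condition: Dict[str, Dict[str, Values]],
                       context: Dict[str, List[str]]) -> bool:
    """Return True when every operator block and every key inside it matches.

    Operator blocks are ANDed together, and keys inside one block are ANDed,
    exactly as IAM combines them.
    """
    for operator, key_map in condition.items():
        prefix, _, base = operator.rpartition(":")
        if base not in BASE_OPERATORS:
            raise ValueError(f"unsupported operator {operator}")
        if prefix not in ("", "ForAllValues"):
            raise ValueError(f"unsupported set prefix {prefix}")
        match = BASE_OPERATORS[base]
        for key, policy_values in key_map.items():
            request_values = context.get(key, [])
            # ForAllValues: all request values must satisfy the operator; the
            # empty set (key absent) evaluates to True. A plain negated operator
            # on an absent key evaluates to True as well, so one loop covers both.
            if not all(match(v, _as_list(policy_values)) for v in request_values):
                return False
    return True


def statement_denies(statement: dict, context: Dict[str, List[str]]) -> bool:
    """A Deny statement applies when its Condition matches the request context."""
    return statement["Effect"] == "Deny" and evaluate_condition(statement["Condition"], context)


# The answer's condition, using the two VPC ids from the question.
DENY_UNLESS_TWO_VPCS = {
    "Sid": "Allow-access-only-from-two-VPCs",
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::my-bucket",
    "Principal": "*",
    "Condition": {
        "ForAllValues:StringNotEquals": {
            "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
        }
    },
}

# Constructed request contexts (key -> values present in the request).
FROM_FIRST_VPC = {"aws:sourceVpc": ["vpc-111bbccc"]}
FROM_SECOND_VPC = {"aws:sourceVpc": ["vpc-111bbddd"]}
FROM_OTHER_VPC = {"aws:sourceVpc": ["vpc-000000ff"]}   # placeholder id, not on the page
NOT_VIA_VPC: Dict[str, List[str]] = {}                 # e.g. console or public internet


if __name__ == "__main__":
    for name, ctx in [("first VPC", FROM_FIRST_VPC), ("second VPC", FROM_SECOND_VPC),
                      ("other VPC", FROM_OTHER_VPC), ("no VPC", NOT_VIA_VPC)]:
        verdict = "denied" if statement_denies(DENY_UNLESS_TWO_VPCS, ctx) else "not denied by this statement"
        print(f"{name:>10}: {verdict}")
```

The fourth case is the one worth checking before deploying such a policy: a request with no aws:sourceVpc in its context (console, CLI from a laptop, another account's service) hits the Deny, so anyone who administers the bucket needs a path through one of the two VPCs or a separate statement that exempts them.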