Understanding Effective Conditions

Policy conditions, when they exist, are always restrictions on the scenarios in which a policy applies. Every PolicyShard object will have an EffectiveCondition object, even if the EffectiveCondition has no inclusions or exclusions specified.

What is an inclusion/exclusion?

An EffectiveCondition inclusion is a Condition which must be true for a PolicyShard to apply. An EffectiveCondition exclusion is a Condition which must be false for a PolicyShard to apply.

>>> from policyglass import PolicyShard, EffectiveAction, Action, EffectiveResource, Resource, EffectivePrincipal, Principal, EffectiveCondition, Condition
>>> effective_condition = EffectiveCondition(
...     inclusions=frozenset({
...         Condition("aws:PrincipalOrgId", "StringEquals", ["o-123456"]),
...     }),
...     exclusions=frozenset({
...         Condition(key="TestKey", operator="BinaryEquals", values=["QmluYXJ5VmFsdWVJbkJhc2U2NA=="])
...     }),
... )
>>> policy_shard = PolicyShard(
...     effect="Allow",
...     effective_action=EffectiveAction(Action("*")),
...     effective_resource=EffectiveResource(Resource("*")),
...     effective_principal=EffectivePrincipal(Principal("AWS", "*")),
...     effective_condition=effective_condition
... )

This effective_condition's inclusions and exclusions dictate that, for the Action, Resource and Principal to be allowed, the following must be true at the time the API call takes place:

  1. aws:PrincipalOrgId must StringEquals a value of o-123456.

  2. TestKey must NOT BinaryEquals a value of QmluYXJ5VmFsdWVJbkJhc2U2NA==.

When would an exclusion occur?

An EffectiveCondition exclusion is quite a rare phenomenon. Normally, when Deny PolicyShard conditions are folded into Allow PolicyShard objects, they are reversed using the reverse attribute.

For example, StringNotEquals on a Deny PolicyShard will become StringEquals on an Allow PolicyShard. This makes the Allow shards significantly more intelligible.

When a Deny statement has a condition that cannot be reversed (e.g. BinaryEquals for which there is no corresponding BinaryNotEquals) then the condition must be placed into the exclusions of the effective_condition of the Allow PolicyShard.
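To make the folding rule and the inclusion/exclusion semantics concrete, here is an added, self-contained model of the logic. It is not policyglass's own code: the Condition and EffectiveCondition classes below are simplified stand-ins that assume single-valued context keys, only the three operators shown, a hand-written REVERSE table, and that each Deny condition is folded into the Allow shard independently.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Mapping

# Operators with a direct negation. A Deny condition using one of these can be
# reversed into an Allow inclusion; anything else has to become an exclusion.
# Constructed table for this example, not policyglass's own reverse logic.
REVERSE = {"StringEquals": "StringNotEquals", "StringNotEquals": "StringEquals"}


@dataclass(frozen=True)
class Condition:
    key: str
    operator: str
    values: tuple[str, ...]

    def matches(self, context: Mapping[str, str]) -> bool:
        """Evaluate this condition against a request context (single-valued keys)."""
        actual = context.get(self.key)
        if self.operator in ("StringEquals", "BinaryEquals"):
            return actual is not None and actual in self.values
        if self.operator == "StringNotEquals":
            return actual not in self.values  # an absent key counts as "not equal"
        raise ValueError(f"unsupported operator {self.operator}")


@dataclass(frozen=True)
class EffectiveCondition:
    inclusions: frozenset[Condition] = frozenset()
    exclusions: frozenset[Condition] = frozenset()

    def applies(self, context: Mapping[str, str]) -> bool:
        """The shard applies only if every inclusion holds and no exclusion holds."""
        return all(c.matches(context) for c in self.inclusions) and not any(
            c.matches(context) for c in self.exclusions
        )


def fold_deny(allow: EffectiveCondition, deny: Condition) -> EffectiveCondition:
    """Fold one Deny condition into an Allow shard's effective condition."""
    if deny.operator in REVERSE:  # reversible: the flipped condition becomes an inclusion
        flipped = Condition(deny.key, REVERSE[deny.operator], deny.values)
        return EffectiveCondition(allow.inclusions | {flipped}, allow.exclusions)
    return EffectiveCondition(allow.inclusions, allow.exclusions | {deny})  # no negation: exclusion


# Constructed sample: the two conditions from the page, folded from a Deny into an Allow.
EXAMPLE = fold_deny(
    fold_deny(EffectiveCondition(), Condition("aws:PrincipalOrgId", "StringNotEquals", ("o-123456",))),
    Condition("TestKey", "BinaryEquals", ("QmluYXJ5VmFsdWVJbkJhc2U2NA==",)),
)
```

Running `EXAMPLE.applies(...)` against a request context shows the asymmetry: the reversed StringEquals must hold, while the BinaryEquals exclusion only blocks the shard when the key is present and matches.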