[Yandex Cloud documentation](../../../../index.md) > [Yandex Object Storage](../../../index.md) > API reference > [AWS S3 REST](../../index.md) > [REST](../index.md) > Bucket Policy > Conditions

# Conditions

Conditions determine the cases when the rule applies.

## Condition keys {#keys}

Condition key | Description
----- | -----
`aws:principaltype` | States the type of entity the request is sent to.
`aws:referer` | Compares the request’s Referer with the one specified in the policy.
`aws:securetransport` | Indicates whether the request was sent using SSL encryption.
`aws:sourceip` | Compares the IP address the request came from and the IP addresses of [reverse proxy servers](https://en.wikipedia.org/wiki/Reverse_proxy), e.g., the ones provided in the [X-Forwarded-For](https://en.wikipedia.org/wiki/X-Forwarded-For) header, with the IP addresses specified in the policy.<br/><br/>The condition is satisfied if at least one IP address matches those in the policy. For more information, see [Bucket access via a chain of reverse proxy servers](../../../concepts/policy.md#access-via-reverse-proxy).<br/><br/>If you only need to check the client's original IP address while ignoring the proxy servers, use the `yc:originip` condition. Use this option for improved access security.
`aws:useragent` | Compares the request's UserAgent values with those specified in the policy.
`aws:userid` | Compares the user ID in IAM with the one specified in the policy.
`s3:authtype` | Restricts incoming requests to use a specific authentication method.
`s3:delimiter` | Sets the delimiter that user requests must contain.
`s3:if-match` | Checks if the request contains the `If-Match` header to perform a [conditional write](../../../concepts/object.md#conditional-writes) of the object. Used to enforce ETag validation when overwriting an existing object.
`s3:if-none-match` | Checks if the request contains the `If-None-Match` header to perform a [conditional write](../../../concepts/object.md#conditional-writes) of the object. Used to ensure that the object does not exist when creating a new one.
`s3:max-keys` | Sets the maximum number of keys returned per [ListBucket](../bucket/list.md) request.
`s3:prefix` | Restricts access by key name prefix.
`s3:signatureage` | Sets the length of time that a signature is valid in an authenticated request.
`s3:signatureversion` | Identifies the version of AWS Signature for authenticated requests.
`s3:versionid` | Filters access by a specific object version.
`s3:x-amz-acl` | Requires the request to contain the `X-Amz-Acl` header with the specified ACL.
`s3:x-amz-content-sha256` | Prohibits unsigned content in a request.
`s3:x-amz-copy-source` | Restricts the copy source to a specific bucket, prefix, or object.
`s3:x-amz-grant-full-control` | Requires the request to contain the `X-Amz-Grant-Full-Control` (full access) header.
`s3:x-amz-grant-read` | Requires the request to contain the `X-Amz-Grant-Read` (read access) header.
`s3:x-amz-grant-read-acp` | Requires the request to contain the `X-Amz-Grant-Read` (ACL read access) header.
`s3:x-amz-grant-write` | Requires the request to contain the `X-Amz-Grant-Write` (write access) header.
`s3:x-amz-grant-write-acp` | Requires the request to contain the `X-Amz-Grant-Write` (ACL write access) header.
`s3:x-amz-metadata-directive` | Sets the forced choice of COPY or REPLACE behavior when copying objects.
`s3:x-amz-server-side-encryption` | Requires server-side encryption.
`s3:x-amz-server-side-encryption-aws-kms-key-id` | Requires a specific key for server-side encryption.
`s3:x-amz-storage-class` | Filters access by [storage class](../../../concepts/storage-class.md).
`s3:x-amz-website-redirect-location` | Allows you to redirect requests to an object to another object or URL if the website is static.
`yc:access-key-id` | Compares the [static access key](../../../../iam/concepts/authorization/access-key.md) ID with the one specified in the policy.<br/><br/>For example, you can use different static keys issued to a single [service account](../../../../iam/concepts/users/service-accounts.md) to segregate access to specific buckets or prefixes within a bucket.
`yc:originip` | Compares the source IP address the request came from with the one specified in the policy.<br/><br/>Unlike the `aws:sourceip` condition, this one _ignores_ any reverse proxy server IP addresses, e.g., those provided in the `X-Forwarded-For` header.<br/><br/>Use the `yc:originip` condition for a higher level of access security.
`yc:private-endpoint-id` | Sets access via [VPC service connections](../../../../vpc/concepts/private-endpoint.md). Contains a service connection ID.

You can set multiple conditions for a rule and specify multiple keys for each condition. These conditions and their keys will be checked using the logical `AND`, i.e., the request must meet all the specified criteria at once.

{% cut "Examples of policies in which conditions are checked with the logical `AND`" %}

{% list tabs %}

- Multiple conditions in one rule

  ```json
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::sample-bucket/*",
      "Condition": {
        "Bool": {
          "aws:sourceip": "192.168.1.1"
        }
      },
      "Condition": {
        "Bool": {
          "aws:userid": "ajelcjkv67ar********"
        }
      }
    }
  }
  ```

- Multiple keys in one condition

  ```json
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::sample-bucket/*",
      "Condition": {
        "Bool": {
          "aws:sourceip": "192.168.1.1",
          "aws:userid": "ajelcjkv67ar********"
        }
      }
    }
  }
  ```

{% endlist %}

{% endcut %}

You can set multiple values for each condition key at the same time. These values will be checked using the logical `OR`, i.e., the request must match any of the specified condition key values.

{% cut "Example of policies in which conditions are checked with the logical `OR`" %}

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::sample-bucket/*",
    "Condition": {
      "Bool": {
        "aws:sourceip": [
          "192.168.1.1",
          "192.168.1.2"
        ]
      }
    }  
  }
}
```

{% endcut %}

## Condition operators {#condition-operators}

Condition operators help verify the match between the key value in the policy condition and the its value in the request context.

### Logical operators {#bool}

Logical operators allow you to create conditions for comparing a key against a Boolean value of `true` or `false`.

Condition operator | Description
----- | -----
`Bool` | Matches the specified Boolean value.

### Date and time operators {#date}

Date and time operators allow you to create conditions for comparing the key with the date and time value.

Condition operator | Description
----- | -----
`DateEquals` | Matches the specified date.
`DateGreaterThan` | The date and time value is greater than the one specified.
`DateGreaterThanEquals` | The date and time value is equal to or greater than the one specified.
`DateLessThan` | The date and time value is less than the one specified.
`DateLessThanEquals` | The date and time value is equal to or less than the one specified.
`DateNotEquals` | Does not match the specified date.

### IP address operators {#ip-address}

IP address operators allow you to create conditions for comparing the key with the host IP address or a range of IP addresses in [CIDR](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) format.

Condition operator | Description
----- | -----
`IPAddress` | Specific IP address or a range of IP addresses.
`NotIPAddress` | All IP addresses except the specified one or range.

### Numeric operators {#numeric}

Numeric operators allow you to create conditions for comparing the key with an integer or decimal numeric value.

Condition operator | Description
----- | -----
`NumericEquals` | The value is equal to the one specified.
`NumericGreaterThan` | The value is greater than the one specified.
`NumericGreaterThanEquals` | The value is greater than or equal to the one specified.
`NumericLessThan` | The value is less than the one specified.
`NumericLessThanEquals` | The value is less than or equal to the one specified.
`NumericNotEquals` | The value is not equal to the one specified.

### String operators {#string}

String operators allow you to create conditions for comparing the key with a string value.

Condition operator | Description
----- | -----
`StringEquals` | Match, case sensitive.
`StringEqualsIgnoreCase` | Match, ignore case.
`StringLike` | Match. You can use wildcards in values:<br/>- `*`: Multiple characters.<br/>- `?`: One character.
`StringNotEquals` | No match, case sensitive.
`StringNotEqualsIgnoreCase` | No match, ignore case.
`StringNotLike` | No match. You can use wildcards in values:<br/>- `*`: Multiple characters.<br/>- `?`: One character.

### IfExists operator {#ifexists}

You can append `IfExists` to any operator name (except [Null](#null)), e.g., `BoolIfExists`. Using this operator in the condition element means:

- If the policy key is present in the request context, the key will be processed as specified in the policy.
- If the key is missing, the element will set to `true`.

### Null operator {#null}

The `Null` operator sets to `true` if a condition key is missing in the request at the time of authorization. If the key exists and its value is not null, the operator returns `false`.

#### Related articles {#related-articles}

* [Bucket policy](../../../concepts/policy.md)

#### Useful links {#see-also}

* [Getting started with the AWS S3 API in Yandex Object Storage](../../s3-api-quickstart.md)

* [Debugging requests using the AWS CLI](../../signing-requests.md#debugging)

* [Example of sending a signed request using curl](../../../api-ref/authentication.md#s3-api-example)

* [Code example for generating a signature](../../../concepts/pre-signed-urls.md#code-examples)