Amazon Simple Queue Service Developer Guide
Key Concepts
John's queue, and another that states that Bob cannot use John's queue. As shown in the following figure, an equivalent scenario would be to have two policies, one containing the statement that Jane can use John's queue, and another containing the statement that Bob cannot use John's queue.
The AWS service implementing access control (e.g., Amazon SQS) uses the information in the statements (whether they're contained in a single policy or multiple) to determine if someone requesting access to a resource should be granted that access. We often use the term policy interchangeably with statement, as they generally represent the same concept (an entity that represents a permission).
Issuer
The issuer is the person who writes a policy to grant permissions for a resource. The issuer (by definition) is always the resource owner. AWS does not permit AWS service users to create policies for resources they don't own. If John is the resource owner, AWS authenticates John's identity when he submits the policy he's written to grant permissions for that resource.
Principal
The principal is the person or persons who receive the permission in the policy. The principal is A in the statement "A has permission to do B to C where D applies." In a policy, you can set the principal to "anyone" (i.e., you can specify a wildcard to represent all people). You might do this, for example, if you don't want to restrict access based on the actual identity of the requester, but instead on some other identifying characteristic such as the requester's IP address.
Action
The action is the activity the principal has permission to perform. The action is B in the statement "A has permission to do B to C where D applies." Typically, the action is just the operation in the request to AWS. For example, Jane sends a request to Amazon SQS with Action=ReceiveMessage. You can specify one or multiple actions in a policy.
Resource
The resource is the object the principal is requesting access to. The resource is C in the statement "A has permission to do B to C where D applies."
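
The "A has permission to do B to C where D applies" model, worked through as an added example (not code from the guide): a small evaluator over constructed statements for Jane, Bob and a wildcard principal restricted by IP address. The field names, the queue name and the principal carol are assumptions, and the evaluation order (default deny, a matching deny overrides any allow) is the one AWS documents for its policies rather than something stated in this excerpt.

```python
import ipaddress

QUEUE = "johns-queue"  # placeholder resource name (constructed)

# Constructed sample in a simplified model of "A may do B to C where D applies".
# Field names are illustrative, not the real policy JSON grammar.
POLICIES = [
    {"statements": [{"effect": "allow", "principal": ["jane"],
                     "action": ["*"], "resource": QUEUE}]},
    {"statements": [{"effect": "deny", "principal": ["bob"],
                     "action": ["*"], "resource": QUEUE}]},
    # Wildcard principal: anyone, but only from one network (the condition, D).
    {"statements": [{"effect": "allow", "principal": ["*"],
                     "action": ["SendMessage"], "resource": QUEUE,
                     "condition": {"source_ip": "192.0.2.0/24"}}]},
]

def _matches(stmt, principal, action, resource, source_ip):
    """True when the statement applies to this request."""
    if "*" not in stmt["principal"] and principal not in stmt["principal"]:
        return False
    if "*" not in stmt["action"] and action not in stmt["action"]:
        return False
    if stmt["resource"] != resource:
        return False
    cidr = stmt.get("condition", {}).get("source_ip")
    if cidr is None:
        return True
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(cidr)

def evaluate(policies, principal, action, resource, source_ip):
    """Return 'allow', 'explicit-deny' or 'default-deny'."""
    decision = "default-deny"  # nothing is permitted until a statement allows it
    # Statements are pooled: which policy they came from does not matter.
    for stmt in (s for p in policies for s in p["statements"]):
        if not _matches(stmt, principal, action, resource, source_ip):
            continue
        if stmt["effect"] == "deny":
            return "explicit-deny"  # a matching deny wins over any allow
        decision = "allow"
    return decision

if __name__ == "__main__":
    for who, act, ip in [("jane", "ReceiveMessage", "198.51.100.7"),
                         ("bob", "SendMessage", "192.0.2.10"),
                         ("carol", "SendMessage", "192.0.2.10"),
                         ("carol", "SendMessage", "198.51.100.7")]:
        print(who, act, ip, "->", evaluate(POLICIES, who, act, QUEUE, ip))
```

Bob's request from inside 192.0.2.0/24 is the case to audit for: the wildcard statement matches him too, so only the explicit deny keeps him out.
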
Conditions and Keys
The conditions are any restrictions or details about the permission. The condition is D in the statement "A has permission to do B to C where D applies." The part of the policy that specifies the conditions can be the most detailed and complex of all the parts. Typical conditions are related to:
API Version 2009-02-01<br />