sqs-dg-2009-02-01
Amazon Simple Queue Service Developer Guide
Overview
Topics
• When to Use Access Control
• Key Concepts
• Architectural Overview
• Using the Access Policy Language
• Evaluation Logic
• Basic Use Cases for Access Control
This section describes basic concepts you need to understand to use the access policy language to write
policies. It also describes the general process for how access control works with the access policy
language, and how policies are evaluated.
When to Use Access Control
You have a great deal of flexibility in how you grant or deny access to a resource. However, the typical
use cases are fairly simple:
• You want to grant another AWS account a particular type of access to your queue (e.g., SendMessage).
For more information, see Use Case 1.
• You want to grant another AWS account access to your queue for a specific period of time. For more
information, see Use Case 2.
• You want to grant another AWS account access to your queue only if the requests come from your
EC2 instances. For more information, see Use Case 3.
• You want to deny another AWS account access to your queue. For more information, see Use Case 4.
Key Concepts
The following sections describe the concepts you need to understand to use the access policy language.
They're presented in a logical order, with the first terms you need to know at the top of the list.
Permission
A permission is the concept of allowing or disallowing some kind of access to a particular resource.
Permissions essentially follow this form: "A is/isn't allowed to do B to C where D applies." For example,
Jane (A) has permission to receive messages (B) from John's Amazon SQS queue (C), as long as she
asks to receive them before midnight on May 30, 2009 (D). Whenever Jane sends a request to Amazon
SQS to use John's queue, the service checks to see if she has permission and if the request satisfies the
conditions John set forth in the permission.
Statement
A statement is the formal description of a single permission, written in the access policy language. You
always write a statement as part of a broader container document known as a policy (see the next concept).
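
Added example (not part of the original guide): Jane's permission written as a single statement inside a policy, with a simplified Python model of the check described above. The element names follow the AWS access policy language; the account IDs, queue ARN, cutoff timestamp (which assumes "before midnight on May 30" means before 2009-05-31T00:00:00Z) and the helper functions are constructed for illustration, and the decision order is a simplification.

```python
import json
from datetime import datetime, timezone

# Constructed policy: the account IDs, queue ARN and cutoff are placeholders.
# Cutoff assumes "before midnight on May 30" means before 2009-05-31T00:00:00Z.
POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "111122223333"},
    "Action": "SQS:ReceiveMessage",
    "Resource": "arn:aws:sqs:us-east-1:444455556666:johns-queue",
    "Condition": {"DateLessThan": {"AWS:CurrentTime": "2009-05-31T00:00:00Z"}}
  }]
}""")

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def statement_matches(stmt, req):
    """A (principal), B (action), C (resource) and D (condition) must all match."""
    if (req["principal"] != stmt["Principal"]["AWS"]
            or req["action"].lower() != stmt["Action"].lower()
            or req["resource"] != stmt["Resource"]):
        return False
    for op, clause in stmt.get("Condition", {}).items():
        for key, limit in clause.items():
            if (op, key.lower()) != ("DateLessThan", "aws:currenttime"):
                raise ValueError(f"unsupported condition: {op}/{key}")
            if not req["time"] < parse_time(limit):
                return False
    return True

def evaluate(policy, req):
    """Simplified decision: explicit Deny wins, then Allow, else default deny."""
    decision = "deny (default)"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, req):
            if stmt["Effect"] == "Deny":
                return "deny (explicit)"
            decision = "allow"
    return decision

def request(principal, action, when):
    """Build a constructed request against John's queue at the given UTC time."""
    return {"principal": principal, "action": action, "time": parse_time(when),
            "resource": "arn:aws:sqs:us-east-1:444455556666:johns-queue"}

if __name__ == "__main__":
    for when in ("2009-05-30T18:00:00Z", "2009-05-31T00:00:00Z"):
        print(when, evaluate(POLICY, request("111122223333", "SQS:ReceiveMessage", when)))
```

A request that matches no statement is denied, so Jane's access ends at the cutoff without John having to edit or remove the policy.
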
Policy
A policy is a document (written in the access policy language) that acts as a container for one or more
statements. For example, a policy could have two statements in it: one that states that Jane can use
API Version 2009-02-01