Amazon Simple Queue

Amazon Simple Queue Service Developer Guide
Amazon SQS Actions

Example
Following is an ARN for a queue named my_queue in the us-east-1 region, belonging to AWS Account 123456789012.

    arn:aws:sqs:us-east-1:123456789012:my_queue

Example
If you had a queue named my_queue in each of the different Regions that Amazon SQS supports, you could specify the queues with the following ARN.

    arn:aws:sqs:*:123456789012:my_queue

You can use * and ? wildcards in the queue name. For example, the following could refer to all the queues Bob has created, which he has prefixed with bob_.

    arn:aws:sqs:*:123456789012:bob_*

As a convenience to you, SQS has a queue attribute called Arn whose value is the queue's ARN. You can get the value by calling the SQS GetQueueAttributes action.

Amazon SQS Actions

All Amazon SQS actions that you specify in a policy must be prefixed with the lowercase string sqs:. For example, sqs:CreateQueue.

Before the introduction of AWS IAM, you could use an SQS policy with a queue to specify which AWS Accounts have access to the queue. You could also specify the type of access (e.g., sqs:SendMessage, sqs:ReceiveMessage, etc.). The specific actions you could grant permission for were a subset of the overall set of SQS actions. When you wrote an SQS policy and specified * to mean "all the SQS actions", that meant all actions in that subset. That subset originally included:

• sqs:SendMessage
• sqs:ReceiveMessage
• sqs:ChangeMessageVisibility
• sqs:DeleteMessage
• sqs:GetQueueAttributes (for all attributes except Policy)

With the introduction of AWS IAM, that list of actions expanded to include the following actions:

• sqs:CreateQueue
• sqs:DeleteQueue
• sqs:ListQueues

The actions related to granting and removing permissions from a queue (sqs:AddPermission, etc.) are reserved and so don't appear in the preceding two lists. This means that Users in the AWS Account can't use those actions. However, the AWS Account can use those actions.

API Version 2009-02-01 67

Amazon SQS Keys

Amazon SQS implements the following policy keys, but no others. For more information about policy keys, see Condition (p. 50).

AWS-Wide Policy Keys

• aws:CurrentTime (for date/time conditions)
• aws:EpochTime (the date in epoch or UNIX time, for use with date/time conditions)
• aws:SecureTransport (Boolean representing whether the request was sent using SSL)
• aws:SourceIp (the requester's IP address, for use with IP address conditions)
• aws:UserAgent (information about the requester's client application, for use with string conditions)

If you use aws:SourceIp, and the request comes from an Amazon EC2 instance, we evaluate the instance's public IP address to determine if access is allowed.

For services that use only SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport key has no meaning.

The key names are case insensitive. For example, aws:CurrentTime is equivalent to AWS:currenttime.

Example AWS IAM Policies for Amazon SQS

This section shows several simple AWS IAM policies for controlling User access to Amazon SQS.

Note
In the future, Amazon SQS might add new actions that should logically be included in one of the following policies, based on the policy's stated goals.

Example 1: Allow a User to create and use his or her own queues

In this example, we create a policy for Bob that lets him access all Amazon SQS actions, but only with queues whose names begin with the literal string bob_queue.

Note
Amazon SQS doesn't automatically grant the creator of a queue permission to subsequently use the queue. Therefore, in our AWS IAM policy, we must explicitly grant Bob permission to use all the SQS actions in addition to CreateQueue.

    {
      "Statement": [{
        "Effect": "Allow",
        "Action": "sqs:*",
        "Resource": "arn:aws:sqs:*:123456789012:bob_queue*"
      }]
    }
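As an added illustration (not code from the guide or from AWS), the following Python evaluator checks a request against a policy like Example 1, applying the ARN wildcard rules (* and ? in the queue name, * for the Region), the sqs: prefix rule, the reserved permission-management actions, and case-insensitive condition key names described above. The aws:SecureTransport condition on Bob's policy and the inclusion of sqs:RemovePermission in the reserved set are assumptions made for the example; only Allow statements and the Bool condition operator are modelled.

```python
import re

# Constructed example: the guide's "Example 1" policy for Bob, extended with an
# assumed aws:SecureTransport condition so condition-key handling can be shown.
BOB_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": "sqs:*",
        "Resource": "arn:aws:sqs:*:123456789012:bob_queue*",
        "Condition": {"Bool": {"AWS:securetransport": "true"}},  # odd case on purpose
    }]
}

# Permission-management actions the guide calls "reserved": a User policy cannot
# grant them, even via sqs:*. (RemovePermission is assumed from "granting and removing".)
RESERVED_ACTIONS = {"sqs:addpermission", "sqs:removepermission"}

def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style match: '*' is any run of characters, '?' exactly one; all else literal."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def _conditions_hold(condition: dict, ctx: dict) -> bool:
    """Only the Bool operator is modelled. Key names are case insensitive."""
    ctx_lc = {k.lower(): str(v).lower() for k, v in ctx.items()}
    for op, pairs in condition.items():
        if op != "Bool":
            raise NotImplementedError(f"condition operator {op} not modelled")
        for key, expected in pairs.items():
            if ctx_lc.get(key.lower()) != str(expected).lower():
                return False
    return True

def is_allowed(policy: dict, action: str, resource: str, ctx=None) -> bool:
    """True if an Allow statement matches action and resource and its conditions hold."""
    action_lc = action.lower()  # action names compared case-insensitively; ARNs as written
    if not action_lc.startswith("sqs:") or action_lc in RESERVED_ACTIONS:
        return False
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(_wildcard_match(a.lower(), action_lc) for a in actions):
            continue
        if not any(_wildcard_match(r, resource) for r in resources):
            continue
        if _conditions_hold(st.get("Condition", {}), ctx or {}):
            return True
    return False
```

Note that bob_queue* is a prefix pattern: a queue named my_bob_queue does not match, while bob_queue_private does, so a naming convention is what keeps Bob's scope narrow.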