Views
4 months ago

sqs-dg-2009-02-01

Amazon Simple Queue

Amazon Simple Queue Service Developer Guide Evaluation Logic Evaluation Logic The goal at evaluation time is to decide whether a given request from someone other than you (the resource owner) should be allowed or denied. The evaluation logic follows several basic rules: • By default, all requests to use your resource coming from anyone but you are denied • An allow overrides any default denies • An explicit deny overrides any allows • The order in which the policies are evaluated is not important The following flow chart and discussion describe in more detail how the decision is made. The decision starts with a default deny. API Version 2009-02-01 39

Amazon Simple Queue Service Developer Guide Evaluation Logic The enforcement code then evaluates all the policies that are applicable to the request (based on the resource, principal, action, and conditions). The order in which the enforcement code evaluates the policies is not important. In all those policies, the enforcement code looks for an explicit deny instruction that would apply to the request. If it finds even one, the enforcement code returns a decision of "deny" and the process is finished (this is an explicit deny; for more information, see Explicit Deny (p. 36)). If no explicit deny is found, the enforcement code looks for any "allow" instructions that would apply to the request. If it finds even one, the enforcement code returns a decision of "allow" and the process is done (the service continues to process the request). If no allow is found, then the final decision is "deny" (because there was no explicit deny or allow, this is considered a default deny (for more information, see Default Deny (p. 35)). The Interplay of Explicit and Default Denials A policy results in a default deny if it doesn't directly apply to the request. For example, if a user requests to use Amazon SQS, but the only policy that applies to the user states that the user can use Amazon SimpleDB, then that policy results in a default deny. A policy also results in a default deny if a condition in a statement isn't met. If all conditions in the statement are met, then the policy results in either an allow or an explicit deny, based on the value of the Effect element in the policy. Policies don't specify what to do if a condition isn't met, and so the default result in that case is a default deny. For example, let's say you want to prevent requests coming in from Antarctica. You write a policy (called Policy A1) that allows a request only if it doesn't come from Antarctica. The following diagram illustrates the policy. If someone sends a request from the U.S., the condition is met (the request is not from Antarctica). Therefore, the request is allowed. But, if someone sends a request from Antarctica, the condition isn't met, and the policy's result is therefore a default deny. You could turn the result into an explicit deny by rewriting the policy (named Policy A2) as in the following diagram. Here, the policy explicitly denies a request if it comes from Antarctica. API Version 2009-02-01 40

yumpu-insight-de with elements