
sqs-dg-2009-02-01

Amazon Simple Queue

Amazon Simple Queue Service Developer Guide
API Version 2009-02-01

AWS IAM and SQS Policies Together

It's up to you how you use both of the systems together to manage your permissions, based on your needs. The following examples show how the two policy systems work together.

Example 1

In this example, Bob has both an AWS IAM policy and an SQS policy that apply to him. The AWS IAM policy gives him permission to use ReceiveMessage on queue_xyz, whereas the SQS policy gives him permission to use SendMessage on the same queue. The following diagram illustrates the concept.

If Bob were to send a request to receive a message from queue_xyz, the AWS IAM policy would allow the action. If Bob were to send a request to send a message to queue_xyz, the SQS policy would allow the action.

Example 2

In this example, we build on example 1 (where Bob has two policies that apply to him). Let's say that Bob abuses his access to queue_xyz, so you want to remove his entire access to that queue. The easiest thing to do is add a policy that denies him access to all actions on the queue. This third policy overrides the other two, because an explicit deny always overrides an allow (for more information about policy evaluation logic, see Evaluation Logic (p. 39)). The following diagram illustrates the concept.

Alternatively, you could add an additional statement to the SQS policy that denies Bob any type of access to the queue. It would have the same effect as adding an AWS IAM policy that denies him access to the queue.

For examples of policies that cover Amazon SQS actions and resources, see Example AWS IAM Policies for Amazon SQS (p. 68). For more information about writing SQS policies, go to the Amazon Simple Queue Service Developer Guide.

Amazon SQS ARNs

For Amazon SQS, queues are the only resource type you can specify in a policy. Following is the Amazon Resource Name (ARN) format for queues:

arn:aws:sqs:region:account_ID:queue_name

For more information about ARNs, go to ARNs in Using Identity and Access Management.
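The evaluation described in Examples 1 and 2, as an added example that is not from the original guide: a simplified Python model in which a request is denied by default, allowed when any applicable statement allows it, and denied when any applicable statement explicitly denies it. The region, account ID, user ARN and the Principal field on the IAM statements are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed identifiers: region, account ID and user ARN are placeholders.
QUEUE = "arn:aws:sqs:us-east-1:123456789012:queue_xyz"
BOB = "arn:aws:iam::123456789012:user/Bob"

def stmt(effect, action):
    # Simplification: every statement names its principal, including the IAM
    # ones (a real IAM user policy applies to the user it is attached to).
    return {"Effect": effect, "Principal": BOB, "Action": action, "Resource": QUEUE}

IAM_POLICY = [stmt("Allow", "sqs:ReceiveMessage")]   # Example 1, IAM side
SQS_POLICY = [stmt("Allow", "sqs:SendMessage")]      # Example 1, SQS side
DENY_POLICY = [stmt("Deny", "sqs:*")]                # Example 2, third policy

def applies(s, principal, action, resource):
    return (s["Principal"] == principal
            and fnmatchcase(action, s["Action"])
            and fnmatchcase(resource, s["Resource"]))

def evaluate(policies, principal, action, resource):
    """Return 'explicit-deny', 'allow' or 'default-deny' for one request."""
    decision = "default-deny"            # nothing is allowed until a statement says so
    for policy in policies:
        for s in policy:
            if not applies(s, principal, action, resource):
                continue
            if s["Effect"] == "Deny":
                return "explicit-deny"   # a deny wins regardless of policy order
            decision = "allow"
    return decision

def effective_actions(policies, principal, resource, actions):
    """Audit helper: the subset of actions the principal can still perform."""
    return {a for a in actions if evaluate(policies, principal, a, resource) == "allow"}

if __name__ == "__main__":
    actions = ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"]
    print(sorted(effective_actions([IAM_POLICY, SQS_POLICY], BOB, QUEUE, actions)))
    print(sorted(effective_actions([IAM_POLICY, SQS_POLICY, DENY_POLICY], BOB, QUEUE, actions)))
```

Running `effective_actions` after adding the deny policy is a quick way to confirm that a revocation leaves no action on the queue still allowed.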
