
Amazon Simple Queue Service Developer Guide

Evaluation Logic

The enforcement code then evaluates all the policies that are applicable to the request (based on the resource, principal, action, and conditions).

The order in which the enforcement code evaluates the policies is not important.

In all those policies, the enforcement code looks for an explicit deny instruction that would apply to the request.

If it finds even one, the enforcement code returns a decision of "deny" and the process is finished (this is an explicit deny; for more information, see Explicit Deny (p. 36)).

If no explicit deny is found, the enforcement code looks for any "allow" instructions that would apply to the request.

If it finds even one, the enforcement code returns a decision of "allow" and the process is done (the service continues to process the request).

If no allow is found, then the final decision is "deny" (because there was no explicit deny or allow, this is considered a default deny; for more information, see Default Deny (p. 35)).

The Interplay of Explicit and Default Denials

A policy results in a default deny if it doesn't directly apply to the request. For example, if a user requests to use Amazon SQS, but the only policy that applies to the user states that the user can use Amazon SimpleDB, then that policy results in a default deny.

A policy also results in a default deny if a condition in a statement isn't met. If all conditions in the statement are met, then the policy results in either an allow or an explicit deny, based on the value of the Effect element in the policy. Policies don't specify what to do if a condition isn't met, and so the default result in that case is a default deny.

For example, let's say you want to prevent requests coming in from Antarctica. You write a policy (called Policy A1) that allows a request only if it doesn't come from Antarctica. The following diagram illustrates the policy.

If someone sends a request from the U.S., the condition is met (the request is not from Antarctica). Therefore, the request is allowed. But, if someone sends a request from Antarctica, the condition isn't met, and the policy's result is therefore a default deny.

You could turn the result into an explicit deny by rewriting the policy (named Policy A2) as in the following diagram. Here, the policy explicitly denies a request if it comes from Antarctica.
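The evaluation order above and the Policy A1 / Policy A2 contrast, worked as an added Python example (this is not code from the SQS guide or from AWS). It assumes a request context key "req:Region" and the resource name "queue1", both constructed placeholders; a real SQS policy would identify the caller's location with a different condition key and name the queue by ARN.

```python
# Added example, not from the SQS guide: an evaluator that follows the guide's
# order (explicit deny, then allow, else default deny). Only StringEquals and
# StringNotEquals are supported, actions and resources match by exact string,
# and "req:Region" is a constructed placeholder context key.

DENY, ALLOW = "deny", "allow"

def _condition_met(cond, ctx):
    """Every operator/key pair must hold; a missing context key compares as None."""
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator {op}")
        for key, wanted in pairs.items():
            equal = ctx.get(key) == wanted
            if equal != (op == "StringEquals"):
                return False
    return True

def _applies(stmt, action, resource, ctx):
    """A statement applies only if action, resource and every condition match."""
    return (stmt["Action"] == action and stmt["Resource"] == resource
            and _condition_met(stmt.get("Condition", {}), ctx))

def evaluate(policies, action, resource, ctx):
    """Return ("deny"|"allow", reason); policy order never changes the result."""
    applicable = [s for p in policies for s in p["Statement"]
                  if _applies(s, action, resource, ctx)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return DENY, "explicit deny"      # one explicit deny ends evaluation
    if any(s["Effect"] == "Allow" for s in applicable):
        return ALLOW, "allow"             # one matching allow is enough
    return DENY, "default deny"           # nothing applied, or a condition failed

# Policy A1: allow only when the request does not come from Antarctica.
POLICY_A1 = {"Statement": [{
    "Effect": "Allow", "Action": "sqs:SendMessage", "Resource": "queue1",
    "Condition": {"StringNotEquals": {"req:Region": "Antarctica"}}}]}

# Policy A2: same intent, but Antarctica becomes an explicit deny.
POLICY_A2 = {"Statement": [
    {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": "queue1"},
    {"Effect": "Deny", "Action": "sqs:SendMessage", "Resource": "queue1",
     "Condition": {"StringEquals": {"req:Region": "Antarctica"}}}]}

if __name__ == "__main__":
    for region in ("US", "Antarctica"):
        print(region, evaluate([POLICY_A1], "sqs:SendMessage", "queue1", {"req:Region": region}),
              evaluate([POLICY_A2], "sqs:SendMessage", "queue1", {"req:Region": region}))
```

Note that under A1 an Antarctica request is refused only because nothing applied (a default deny), whereas under A2 the refusal is an explicit deny that no other allow can override.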

API Version 2009-02-01

40
