sqs-dg-2009-02-01
Amazon Simple Queue Service Developer Guide
Evaluation Logic
The enforcement code then evaluates all the policies that are applicable to the request (based on the resource, principal, action, and conditions).
The order in which the enforcement code evaluates the policies is not important.
In all those policies, the enforcement code looks for an explicit deny instruction that would apply to the request. If it finds even one, the enforcement code returns a decision of "deny" and the process is finished (this is an explicit deny; for more information, see Explicit Deny (p. 36)).
If no explicit deny is found, the enforcement code looks for any "allow" instructions that would apply to the request. If it finds even one, the enforcement code returns a decision of "allow" and the process is done (the service continues to process the request).
If no allow is found, the final decision is "deny". Because there was neither an explicit deny nor an allow, this is considered a default deny (for more information, see Default Deny (p. 35)).
The Interplay of Explicit and Default Denials
A policy results in a default deny if it doesn't directly apply to the request. For example, if a user requests to use Amazon SQS, but the only policy that applies to the user states that the user can use Amazon SimpleDB, then that policy results in a default deny.
A policy also results in a default deny if a condition in a statement isn't met. If all conditions in the statement are met, then the policy results in either an allow or an explicit deny, based on the value of the Effect element in the policy. Policies don't specify what to do if a condition isn't met, so the result in that case is a default deny. The distinction matters because a default deny is simply the absence of a decision: an allow in any other applicable policy still permits the request, whereas an explicit deny overrides every allow.
For example, let's say you want to prevent requests coming in from Antarctica. You write a policy (called Policy A1) that allows a request only if it doesn't come from Antarctica. The following diagram illustrates the policy.
If someone sends a request from the U.S., the condition is met (the request is not from Antarctica). Therefore, the request is allowed. But if someone sends a request from Antarctica, the condition isn't met, and the policy's result is therefore a default deny. Nothing in Policy A1 stops a second policy from allowing that same request.
You could turn the result into an explicit deny by rewriting the policy (named Policy A2) as in the following diagram. Here, the policy explicitly denies a request if it comes from Antarctica, and because explicit denies are evaluated first, the request is denied even if another policy would allow it.
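To make the evaluation logic above and the A1/A2 contrast concrete, the following is an added example, not code from the Amazon SQS Developer Guide or from AWS. It is a toy evaluator that follows the three-step decision (applicable explicit deny wins; otherwise any applicable allow wins; otherwise default deny) over policy documents written in the AWS Effect/Action/Resource/Condition shape. The condition key "example:Region", the region value "Antarctica", the SimpleDB-only policy, the extra unconditional allow policy, and the queue ARN are all placeholders constructed for this example and are not real AWS condition keys or identifiers.

```python
# Added example: a toy evaluator for the policy decision logic described above.
# Not code from the Amazon SQS Developer Guide; it models the AWS policy shape
# (Effect / Action / Resource / Condition) in plain Python. The condition key
# "example:Region", the value "Antarctica" and the queue ARN are placeholders.

def _as_list(value):
    """AWS policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Action/Resource matching with the trailing '*' wildcard."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


# Condition operators supported by this toy; real policies offer many more.
OPERATORS = {
    "StringEquals": lambda actual, expected: actual == expected,
    "StringNotEquals": lambda actual, expected: actual != expected,
}


def statement_applies(stmt, request):
    """True only if action, resource and every condition match the request.

    An unmet condition makes the statement silent: it contributes neither an
    allow nor a deny, which is exactly the page's 'default deny' case.
    """
    if not any(_matches(a, request["action"]) for a in _as_list(stmt["Action"])):
        return False
    if not any(_matches(r, request["resource"]) for r in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        test = OPERATORS[operator]
        for key, expected in pairs.items():
            actual = request["context"].get(key)
            # A missing context key can never satisfy the condition.
            if actual is None or not any(test(actual, e) for e in _as_list(expected)):
                return False
    return True


def evaluate(policies, request):
    """Return ('deny', 'explicit'), ('allow', None) or ('deny', 'default').

    Policy order is irrelevant: one applicable Deny wins over any number of
    Allows, and an Allow only wins when no Deny applies at all.
    """
    allow_found = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, request):
                continue  # default deny: this statement says nothing
            if stmt["Effect"] == "Deny":
                return ("deny", "explicit")
            allow_found = True
    return ("allow", None) if allow_found else ("deny", "default")


# Policy A1 from the text: allow SQS only if the request is not from Antarctica.
POLICY_A1 = {"Statement": [{
    "Effect": "Allow", "Action": "sqs:*", "Resource": "*",
    "Condition": {"StringNotEquals": {"example:Region": "Antarctica"}}}]}

# Policy A2 from the text: explicitly deny SQS if the request is from Antarctica.
POLICY_A2 = {"Statement": [{
    "Effect": "Deny", "Action": "sqs:*", "Resource": "*",
    "Condition": {"StringEquals": {"example:Region": "Antarctica"}}}]}

# The SimpleDB-only policy from the text: never applies to an SQS request.
POLICY_SDB_ONLY = {"Statement": [{
    "Effect": "Allow", "Action": "sdb:*", "Resource": "*"}]}

# A second, unconditional allow, used to show why the kind of deny matters.
POLICY_BROAD_ALLOW = {"Statement": [{
    "Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}


def request_from(region, action="sqs:SendMessage"):
    """Constructed request; the queue ARN is a placeholder, not a real queue."""
    return {"action": action,
            "resource": "arn:aws:sqs:us-east-1:123456789012:example-queue",
            "context": {"example:Region": region}}


if __name__ == "__main__":
    for label, policies in [("A1", [POLICY_A1]),
                            ("A2", [POLICY_A2]),
                            ("A1 + broad allow", [POLICY_A1, POLICY_BROAD_ALLOW]),
                            ("A2 + broad allow", [POLICY_A2, POLICY_BROAD_ALLOW])]:
        for region in ("US", "Antarctica"):
            print(f"{label:18s} {region:10s} -> {evaluate(policies, request_from(region))}")
```

Running it shows the point of the section: with Policy A1 alone, a request from Antarctica gets a default deny, but adding the broad allow policy turns that same request into an allow. With Policy A2 the Antarctica request is an explicit deny, and it stays denied no matter how many allow policies are added or in which order they are evaluated.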
API Version 2009-02-01
40