sqs-dg-2009-02-01
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Amazon Simple Queue Service Developer Guide<br />
AWS IAM and SQS Policies Together<br />
You can specify the resource using the Amazon Resource Name (ARN), which is how you must<br />
specify resources in AWS IAM policies. For information about the ARN format for SQS queues,<br />
see Amazon SQS ARNs (p. 66).<br />
You can still use the original format instead (/).<br />
So for example, according to the SQS policy shown in the preceding figure, anyone possessing the root<br />
account's security credentials for AWS Account 1 or AWS Account 2 could access queue_xyz. Also,<br />
Users Bob and Susan in your own AWS Account (with ID 123456789<strong>01</strong>2) can access the queue.<br />
Also, before the introduction of AWS IAM, SQS automatically gave the creator of a queue full control over<br />
the queue (e.g., access to all possible SQS actions with that queue). This is no longer true, unless the<br />
creator is using the AWS Account's credentials. Any User who has permission to create a queue must<br />
also have permission to use other SQS actions in order to do anything with the queues they create.<br />
AWS IAM and SQS Policies Together<br />
There are two ways you can give your Users permissions for your SQS resources: through the SQS policy<br />
system or the AWS IAM policy system.You can use one or the other, or both. For the most part, you can<br />
achieve the same results with either. For example, the following diagram shows an IAM policy and an<br />
SQS policy that are equivalent. The IAM policy allows the SQS ReceiveMessage and SendMessage<br />
actions for the queue called queue_xyz in your AWS Account, and it's attached to the Users Bob and<br />
Susan (which means Bob and Susan have the permissions stated in the policy). The SQS policy also<br />
gives Bob and Susan permission to access ReceiveMessage and SendMessage for the same queue.<br />
Note<br />
The preceding example shows simple policies with no conditions. You could specify a particular<br />
condition in either policy and get the same result.<br />
There is one difference between IAM and SQS policies: the SQS policy system lets you grant permission<br />
to other AWS Accounts, whereas AWS IAM doesn't.<br />
API Version <strong>2009</strong>-<strong>02</strong>-<strong>01</strong><br />
64