sqs-dg-2009-02-01
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Amazon Simple Queue Service Developer Guide<br />
Basic Use Cases for Access Control<br />
Use Case 1<br />
Let's say you have a set of queues in the Amazon SQS system. In the simplest case, you want to allow<br />
one or more AWS accounts a particular type of access to a queue (e.g., SendMessage, ReceiveMessage).<br />
You can do this by simply using the Amazon SQS API action AddPermission. It takes a few input<br />
parameters and automatically creates a policy in the SQS system for that queue. For this use case, you<br />
don't need to read this appendix or learn how to write a policy yourself, because SQS can automatically<br />
create the policy for you.<br />
The following example shows a policy that gives AWS account ID 1234-5678-9<strong>01</strong>2 permission to send<br />
and receive from a queue you own named queue2. In this example, your AWS account ID is<br />
9876-5432-1000.<br />
{<br />
}<br />
"Version":"2008-10-17",<br />
"Id":"UseCase1",<br />
"Statement" : [<br />
{<br />
"Sid":"1",<br />
"Effect":"Allow",<br />
"Principal" : {<br />
"AWS": "123456789<strong>01</strong>2"<br />
},<br />
"Action":["<strong>sqs</strong>:SendMessage","<strong>sqs</strong>:ReceiveMessage"],<br />
"Resource": "/987654321000/queue2",<br />
}<br />
]<br />
Use Case 2<br />
In this use case, you want to allow one or more AWS accounts access to your queues only for a specific<br />
time period.<br />
You need to know how to write your own policy for the queue because the SQS AddPermission action<br />
doesn't let you specify a time restriction when granting someone access to your queue. In this case, you<br />
would write your own policy and then upload it to the AWS system with the SetQueueAttributes action.<br />
Effectively the action sets your policy as an attribute of the queue.<br />
The following example is the same as in use case 1, except it also includes a condition that restricts<br />
access to before June 30, <strong>2009</strong>, at noon (UTC).<br />
{<br />
"Version":"2008-10-17",<br />
"Id":"UseCase2",<br />
"Statement" : [<br />
{<br />
"Sid":"1",<br />
"Effect":"Allow",<br />
"Principal" : {<br />
"AWS": "123456789<strong>01</strong>2"<br />
},<br />
"Action":["<strong>sqs</strong>:SendMessage","<strong>sqs</strong>:ReceiveMessage"],<br />
"Resource": "/987654321000/queue2",<br />
"Condition" : {<br />
API Version <strong>2009</strong>-<strong>02</strong>-<strong>01</strong><br />
43