sqs-dg-2009-02-01

Amazon Simple Queue Service Developer Guide

Example 2

In this example, we build on example 1 (where Bob has two policies that apply to him). Let's say that Bob abuses his access to queue_xyz, so you want to remove his entire access to that queue. The easiest thing to do is add a policy that denies him access to all actions on the queue. This third policy overrides the other two, because an explicit deny always overrides an allow (for more information about policy evaluation logic, see Evaluation Logic (p. 39)). The following diagram illustrates the concept.

Alternatively, you could add an additional statement to the SQS policy that denies Bob any type of access to the queue. It would have the same effect as adding an AWS IAM policy that denies him access to the queue.

For examples of policies that cover Amazon SQS actions and resources, see Example AWS IAM Policies for Amazon SQS (p. 68). For more information about writing SQS policies, go to the Amazon Simple Queue Service Developer Guide.

Amazon SQS ARNs

For Amazon SQS, queues are the only resource type you can specify in a policy. Following is the Amazon Resource Name (ARN) format for queues:

arn:aws:sqs:region:account_ID:queue_name

For more information about ARNs, go to ARNs in Using Identity and Access Management.
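
The following added example (not part of the original guide, and not AWS code) models the rule from Example 2 and the queue ARN format above: access is denied by default, a matching allow grants it, and a matching explicit deny overrides any allow. The two allow policies stand in for Bob's policies from example 1, which this page does not show; the region, account ID, queue_abc and all function names are constructed for illustration, and the matching is a simplified model of the real evaluation logic.

```python
from fnmatch import fnmatchcase

# Constructed sample values: region and account ID are placeholders.
QUEUE_XYZ = "arn:aws:sqs:us-east-1:123456789012:queue_xyz"
QUEUE_ABC = "arn:aws:sqs:us-east-1:123456789012:queue_abc"

# Constructed stand-ins for Bob's two policies from example 1.
ALLOW_1 = {"Effect": "Allow", "Resource": [QUEUE_XYZ],
           "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"]}
ALLOW_2 = {"Effect": "Allow", "Resource": [QUEUE_XYZ, QUEUE_ABC],
           "Action": ["sqs:*"]}
# The third policy from Example 2: deny every action on queue_xyz.
DENY_XYZ = {"Effect": "Deny", "Resource": [QUEUE_XYZ], "Action": ["sqs:*"]}


def parse_sqs_arn(arn):
    """Split arn:aws:sqs:region:account_ID:queue_name into its fields."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "sqs"] or not all(parts[3:]):
        raise ValueError(f"not an SQS queue ARN: {arn!r}")
    return dict(zip(("region", "account_id", "queue_name"), parts[3:]))


def evaluate(statements, action, resource):
    """Simplified model: default deny, an allow grants, an explicit deny wins."""
    parse_sqs_arn(resource)  # reject malformed resources before matching
    decision = "Deny (default)"
    for st in statements:
        if not any(fnmatchcase(action, a) for a in st["Action"]):
            continue
        if not any(fnmatchcase(resource, r) for r in st["Resource"]):
            continue
        if st["Effect"] == "Deny":
            return "Deny (explicit)"  # overrides allows regardless of order
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for name, policies in (("before", [ALLOW_1, ALLOW_2]),
                           ("after", [ALLOW_1, ALLOW_2, DENY_XYZ])):
        for queue in (QUEUE_XYZ, QUEUE_ABC):
            print(name, parse_sqs_arn(queue)["queue_name"],
                  evaluate(policies, "sqs:SendMessage", queue))
```

Adding the deny statement removes Bob's access to queue_xyz without touching either allow policy, and his access to the other queue is unchanged.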

API Version 2009-02-01
