sqs-dg-2009-02-01
Amazon Simple Queue Service Developer Guide
Basic Use Cases for Access Control

        "DateLessThan" : {
          "AWS:CurrentTime":"2009-06-30T12:00Z"
        }
      }
    }
  ]
}

Use Case 3

In this use case, you want to allow access to your queues only if the requests come from your Amazon EC2 instances.

Again, you need to know how to write your own policy because the SQS AddPermission action doesn't let you specify an IP address restriction when granting access to your queue.

The following example builds on the example in use case 2, and also includes a condition that restricts access to the IP address range 10.52.176.0/24. So in this example, a request from AWS account 1234-5678-9012 to send or receive messages from queue2 would be allowed only if it came in before noon on June 30, 2009, and it came from the 10.52.176.0/24 address range.

{
  "Version":"2008-10-17",
  "Id":"UseCase3",
  "Statement" : [
    {
      "Sid":"1",
      "Effect":"Allow",
      "Principal" : {
        "AWS": "123456789012"
      },
      "Action":["sqs:SendMessage","sqs:ReceiveMessage"],
      "Resource": "/987654321000/queue2",
      "Condition" : {
        "DateLessThan" : {
          "AWS:CurrentTime":"2009-06-30T12:00Z"
        },
        "IpAddress" : {
          "AWS:SourceIp":"10.52.176.0/24"
        }
      }
    }
  ]
}
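
The use case 3 policy allows a request only when the date condition and the IP address condition both match. The following Python code is an added example, not part of the original guide: it evaluates that policy against constructed request contexts. The function names and the request-context dictionary are assumptions made for illustration, and it models only the two condition operators used here, not the full SQS policy evaluation.

```python
import ipaddress
from datetime import datetime

# Use Case 3 policy, copied from the guide text above.
POLICY = {
    "Version": "2008-10-17",
    "Id": "UseCase3",
    "Statement": [{
        "Sid": "1",
        "Effect": "Allow",
        "Principal": {"AWS": "123456789012"},
        "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
        "Resource": "/987654321000/queue2",
        "Condition": {
            "DateLessThan": {"AWS:CurrentTime": "2009-06-30T12:00Z"},
            "IpAddress": {"AWS:SourceIp": "10.52.176.0/24"},
        },
    }],
}

def _utc(value):
    # Timestamps here use the guide's form, e.g. 2009-06-30T12:00Z (UTC).
    return datetime.strptime(value, "%Y-%m-%dT%H:%MZ")

# Simplified model: only the two condition operators this policy uses.
OPERATORS = {
    "DateLessThan": lambda actual, limit: _utc(actual) < _utc(limit),
    "IpAddress": lambda actual, cidr: (
        ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)),
}

def statement_allows(stmt, account, action, resource, context):
    """True only if principal, action, resource and every condition match."""
    if stmt["Effect"] != "Allow" or stmt["Principal"]["AWS"] != account:
        return False
    if action not in stmt["Action"] or resource != stmt["Resource"]:
        return False
    for op, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            # A missing or non-matching key fails the whole statement.
            if key not in context or not OPERATORS[op](context[key], expected):
                return False
    return True

def is_allowed(account, action, resource, context, policy=POLICY):
    # No matching Allow statement means the request is not allowed.
    return any(statement_allows(s, account, action, resource, context)
               for s in policy["Statement"])
```

A request from 10.52.176.25 at 2009-06-30T11:59Z is allowed; the same request at 12:00Z, or from an address outside 10.52.176.0/24, is not.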

Use Case 4

In this use case, you want to specifically deny a certain AWS account access to your queues.

Again, you need to know how to write your own policy because the SQS AddPermission action doesn't let you deny access to a queue; it only lets you grant access.

The following example is the same as in the original use case (#1), except it denies access to the specified AWS account.

API Version 2009-02-01