Amazon Simple Queue Service Developer Guide
Amazon SQS ARNs

Example 2

In this example, we build on example 1 (where Bob has two policies that apply to him). Let's say that Bob abuses his access to queue_xyz, so you want to remove all of his access to that queue. The easiest thing to do is add a policy that denies him access to all actions on the queue. This third policy overrides the other two, because an explicit deny always overrides an allow (for more information about policy evaluation logic, see Evaluation Logic (p. 39)). The following diagram illustrates the concept.

Alternatively, you could add an additional statement to the SQS policy that denies Bob any type of access to the queue. It would have the same effect as adding an AWS IAM policy that denies him access to the queue.

For examples of policies that cover Amazon SQS actions and resources, see Example AWS IAM Policies for Amazon SQS (p. 68). For more information about writing SQS policies, go to the Amazon Simple Queue Service Developer Guide.

Amazon SQS ARNs

For Amazon SQS, queues are the only resource type you can specify in a policy. Following is the Amazon Resource Name (ARN) format for queues:

arn:aws:sqs:region:account_ID:queue_name

For more information about ARNs, go to ARNs in Using Identity and Access Management.
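The explicit deny from Example 2, combined with the queue ARN format above, as an added example that is not part of the original guide: a simplified model of the evaluation rule, not AWS's policy engine. The region, account ID, Bob's user ARN, the second queue, and the contents of Bob's two existing policies are constructed assumptions, and `evaluate` expects only the policies that apply to the requester.

```python
from fnmatch import fnmatchcase

# Constructed sample values; the queue ARN follows arn:aws:sqs:region:account_ID:queue_name.
QUEUE_XYZ = "arn:aws:sqs:us-east-1:123456789012:queue_xyz"
BOB = "arn:aws:iam::123456789012:user/Bob"

# Assumed stand-ins for Bob's two existing policies (example 1 is not shown on this page).
IAM_ALLOW = {"Statement": [{"Effect": "Allow",
                            "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
                            "Resource": "arn:aws:sqs:us-east-1:123456789012:*"}]}
SQS_ALLOW = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": BOB},
                            "Action": "sqs:ReceiveMessage", "Resource": QUEUE_XYZ}]}
# The third policy: deny Bob every SQS action on queue_xyz only.
DENY_BOB = {"Statement": [{"Effect": "Deny", "Action": "sqs:*", "Resource": QUEUE_XYZ}]}


def as_list(value):
    return value if isinstance(value, list) else [value]


def matches(stmt, principal, action, resource):
    """True if the statement applies to this principal, action and resource."""
    # A statement without Principal models a policy attached to the user directly.
    who = as_list(stmt.get("Principal", {}).get("AWS", principal))
    return (principal in who
            and any(fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in as_list(stmt["Resource"])))


def evaluate(policies, principal, action, resource):
    """Default deny; a matching Allow grants; any matching Deny overrides it."""
    decision = "Deny (default)"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not matches(stmt, principal, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny (explicit)"  # wins regardless of policy order
            decision = "Allow"
    return decision


if __name__ == "__main__":
    before, after = [IAM_ALLOW, SQS_ALLOW], [IAM_ALLOW, SQS_ALLOW, DENY_BOB]
    other = "arn:aws:sqs:us-east-1:123456789012:queue_abc"  # constructed second queue
    for name, pols in (("before", before), ("after", after)):
        for res in (QUEUE_XYZ, other):
            print(name, res, evaluate(pols, BOB, "sqs:SendMessage", res))
```

Because the deny statement names only queue_xyz as its resource, Bob's access to other queues in the account is unchanged.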
API Version 2009-02-01<br />
66