Amazon Simple Queue Service Developer Guide
Controlling User Access to Your AWS Account
Topics
• IAM-Related Features of SQS Policies
• AWS IAM and SQS Policies Together
• Amazon SQS ARNs
• Amazon SQS Actions
• Amazon SQS Keys
• Example AWS IAM Policies for Amazon SQS
• Using Temporary Security Credentials
Amazon SQS has its own resource-based permissions system that uses policies written in the same
language used for AWS Identity and Access Management (AWS IAM) policies. This means that you can
achieve the same things with SQS policies that you can with AWS IAM policies. The main difference
between SQS policies and AWS IAM policies is that you can grant another AWS Account
permission to your queues with an SQS policy, and you can't do that with an AWS IAM policy.
Note
When you grant other AWS accounts access to your AWS resources, be aware that all AWS
accounts can delegate their permissions to users under their accounts. This is known as
cross-account access. Cross-account access enables you to share access to your AWS resources
without having to manage additional users. For information about using cross-account access,
go to Enabling Cross-Account Access in Using AWS Identity and Access Management.
This section describes how the SQS policy system works with AWS IAM.
IAM-Related Features of SQS Policies
You can use an SQS policy with a queue to specify which AWS Accounts have access to the queue. You
can specify the type of access and conditions (e.g., permission to use SendMessage, ReceiveMessage,
if the request is before December 31, 2010). The specific actions you can grant permission for are a
API Version 2009-02-01
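The cross-account grant and the date condition described above can be reviewed mechanically. The following is an added example, not code from the AWS guide: it lists every grant a queue policy makes to another account and whether a date condition bounds it. The account IDs, queue name, statement IDs and helper names are constructed for illustration.

```python
import json
from datetime import datetime

OWNER = "444455556666"  # constructed account ID of the queue owner
# Constructed queue policy (all IDs are made up): one time-limited grant,
# one open-ended grant that also names the owner account itself.
POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [
    {"Sid": "PartnerUntil2010", "Effect": "Allow",
     "Principal": {"AWS": "111122223333"},
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
     "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1",
     "Condition": {"DateLessThan": {"aws:CurrentTime": "2010-12-31T00:00:00Z"}}},
    {"Sid": "OpenEnded", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::777788889999:root", "444455556666"]},
     "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"}
  ]
}""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Account ID from a bare 12-digit ID or an IAM ARN; '*' passes through."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def cross_account_grants(policy, owner):
    """Every Allow grant to a principal outside the owner's account."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        names = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        # Assumes the expiry is written exactly as DateLessThan / aws:CurrentTime.
        expiry = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:CurrentTime")
        for account in sorted({account_of(n) for n in names} - {owner}):
            findings.append({"sid": stmt.get("Sid"), "account": account,
                             "actions": as_list(stmt["Action"]), "expires": expiry})
    return findings

def active_on(findings, when):
    """Sids of grants still usable at `when` (a timezone-aware datetime)."""
    return [f["sid"] for f in findings if f["expires"] is None
            or when < datetime.fromisoformat(f["expires"].replace("Z", "+00:00"))]
```

A grant reported with `expires` set to `None` stays in force until the policy is changed, and the other account can delegate it to its own users for as long as it exists.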