sqs-dg-2009-02-01
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Amazon Simple Queue Service Developer Guide
Overview
Overview
Topics
• When to Use Access Control (p. 33)
• Key Concepts (p. 33)
• Architectural Overview (p. 36)
• Using the Access Policy Language (p. 38)
• Evaluation Logic (p. 39)
• Basic Use Cases for Access Control (p. 42)
This section describes basic concepts you need to understand to use the access policy language to write
policies. It also describes the general process for how access control works with the access policy
language, and how policies are evaluated.
When to Use Access Control
You have a great deal of flexibility in how you grant or deny access to a resource. However, the typical
use cases are fairly simple:
• You want to grant another AWS account a particular type of access to your queue (e.g., SendMessage).
For more information, see Use Case 1 (p. 43).
• You want to grant another AWS account access to your queue for a specific period of time. For more
information, see Use Case 2 (p. 43).
• You want to grant another AWS account access to your queue only if the requests come from your
EC2 instances. For more information, see Use Case 3 (p. 44).
• You want to deny another AWS account access to your queue. For more information, see Use Case
4 (p. 44).
Key Concepts
The following sections describe the concepts you need to understand to use the access policy language.
They're presented in a logical order, with the first terms you need to know at the top of the list.
Permission
A permission is the concept of allowing or disallowing some kind of access to a particular resource.
Permissions essentially follow this form: "A is/isn't allowed to do B to C where D applies." For example,
Jane (A) has permission to receive messages (B) from John's Amazon SQS queue (C), as long as she
asks to receive them before midnight on May 30, 2009 (D). Whenever Jane sends a request to Amazon
SQS to use John's queue, the service checks to see if she has permission and if the request satisfies the
conditions John set forth in the permission.
Statement
A statement is the formal description of a single permission, written in the access policy language. You
always write a statement as part of a broader container document known as a policy (see the next concept).
Policy
A policy is a document (written in the access policy language) that acts as a container for one or more
statements. For example, a policy could have two statements in it: one that states that Jane can use
API Version 2009-02-01
33