sqs-dg-2009-02-01

More documents

Recommendations

Info

Amazon Simple Queue Service Developer GuideEvaluation LogicEvaluation LogicThe goal at evaluation time is to decide whether a given request from someone other than you (theresource owner) should be allowed or denied. The evaluation logic follows several basic rules:• By default, all requests to use your resource coming from anyone but you are denied• An allow overrides any default denies• An explicit deny overrides any allows• The order in which the policies are evaluated is not importantThe following flow chart and discussion describe in more detail how the decision is made.The decision starts with a default deny.API Version 2009-02-0139
Amazon Simple Queue Service Developer GuideEvaluation LogicThe enforcement code then evaluates all the policies that are applicable to the request (basedon the resource, principal, action, and conditions).The order in which the enforcement code evaluates the policies is not important.In all those policies, the enforcement code looks for an explicit deny instruction that would applyto the request.If it finds even one, the enforcement code returns a decision of "deny" and the process is finished(this is an explicit deny; for more information, see Explicit Deny (p. 36)).If no explicit deny is found, the enforcement code looks for any "allow" instructions that wouldapply to the request.If it finds even one, the enforcement code returns a decision of "allow" and the process is done(the service continues to process the request).If no allow is found, then the final decision is "deny" (because there was no explicit deny or allow,this is considered a default deny (for more information, see Default Deny (p. 35)).The Interplay of Explicit and Default DenialsA policy results in a default deny if it doesn't directly apply to the request. For example, if a user requeststo use Amazon SQS, but the only policy that applies to the user states that the user can use AmazonSimpleDB, then that policy results in a default deny.A policy also results in a default deny if a condition in a statement isn't met. If all conditions in the statementare met, then the policy results in either an allow or an explicit deny, based on the value of the Effectelement in the policy. Policies don't specify what to do if a condition isn't met, and so the default result inthat case is a default deny.For example, let's say you want to prevent requests coming in from Antarctica. You write a policy (calledPolicy A1) that allows a request only if it doesn't come from Antarctica. The following diagram illustratesthe policy.If someone sends a request from the U.S., the condition is met (the request is not from Antarctica).Therefore, the request is allowed. But, if someone sends a request from Antarctica, the condition isn'tmet, and the policy's result is therefore a default deny.You could turn the result into an explicit deny by rewriting the policy (named Policy A2) as in the followingdiagram. Here, the policy explicitly denies a request if it comes from Antarctica.API Version 2009-02-0140
Page 1 and 2: Amazon Simple Queue ServiceDevelope
Page 3 and 4: Amazon Simple Queue Service Develop
Page 41: Amazon Simple Queue Service Develop

sqs-dg-2009-02-01

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?