Package com.amazonaws.auth.policy

Classes for creating custom AWS access control policies.

See: Description

Interface Summary

Interface	Description
Action	An access control policy action identifies a specific action in a service that can be performed on a resource.

Class Summary

Class	Description
Condition	AWS access control policy conditions are contained in Statement objects, and affect when a statement is applied.
Policy	An AWS access control policy is a object that acts as a container for one or more statements, which specify fine grained rules for allowing or denying various types of actions from being performed on your AWS resources.
PolicyReaderOptions	Options that affect the way in which Policy.fromJson(String, PolicyReaderOptions) will generate a Policy.
Principal	A principal is an AWS account or AWS web service, which is being allowed or denied access to a resource through an access control policy.
Resource	Represents a resource involved in an AWS access control policy statement.
Statement	A statement is the formal description of a single permission, and is always contained within a policy object.

Enum Summary

Enum	Description
Principal.Services	The services who have the right to do the assume the role action.
Principal.WebIdentityProviders	Web identity providers, such as Login with Amazon, Facebook, or Google.
Statement.Effect	The effect is the result that you want a policy statement to return at evaluation time.
STSActions	Deprecated in favor of SecurityTokenServiceActions

Package com.amazonaws.auth.policy Description

Classes for creating custom AWS access control policies. Policies allow you to specify fine grained access controls on your AWS resources. You can allow or deny access to your AWS resources based on:

• what resource is being accessed
• who is accessing the resource (i.e. the principal)
• what action is being taken on the resource
• a variety of conditions including date restrictions, IP address restrictions, etc.

Access control policies are a collection of statements. Each statement takes the form: "A has permission to do B to C where D applies".

• A is the principal - the AWS account that is making a request to access or modify one of your AWS resources.
• B is the action - the way in which your AWS resource is being accessed or modified, such as sending a message to an Amazon SQS queue, or storing an object in an Amazon S3 bucket.
• C is the resource - your AWS entity that the principal wants to access, such as an Amazon SQS queue, or an object stored in Amazon S3.
• D is the set of conditions - optional constraints that specify when to allow or deny access for the principal to access your resource. Many expressive conditions are available, some specific to each service. For example you can use date conditions to allow access to your resources only after or before a specific time.

The following code creates a policy to allow a specific AWS account to send and receive messages using one of your Amazon SQS queues:

    Policy policy = new Policy("MyQueuePolicy");
    policy.withStatements(new Statement(Effect.Allow)
           .withPrincipals(new Principal("123456789012"))
           .withActions(SQSActions.SendMessage, SQSActions.ReceiveMessage)
           .withResources(new SQSQueueResource("987654321000", "queue2")));
 

Once you've created a policy, you need to use methods on the service to upload your policy to AWS.