This section shows example policies for common Amazon SQS use cases.
The following example policy gives the developer with AWS account number 111122223333 the SendMessage permission for the queue named 444455556666/queue1 in the US East (Northern Virginia) Region. Because this is a cross-account grant, an IAM user or role in account 111122223333 also needs an identity-based policy that allows sqs:SendMessage on this queue; only that account's root user can rely on the queue policy alone.
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": {
    "Sid": "Queue1_SendMessage",
    "Effect": "Allow",
    "Principal": {
      "AWS": "111122223333"
    },
    "Action": "sqs:SendMessage",
    "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"
  }
}
The following example policy gives the developer with AWS account number 111122223333 both the SendMessage and ReceiveMessage permissions for the queue named 444455556666/queue1. Note that the Resource ARN uses a wildcard (*) in the Region field, so it matches queue1 in account 444455556666 in any Region, whereas the first example pinned the grant to us-east-1.
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": {
    "Sid": "Queue1_Send_Receive",
    "Effect": "Allow",
    "Principal": {
      "AWS": "111122223333"
    },
    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
    "Resource": "arn:aws:sqs:*:444455556666:queue1"
  }
}
The following example policy gives two different developers (with AWS account numbers 111122223333 and 444455556666) permission to use all the actions that Amazon SQS allows to be shared, for the queue named 123456789012/queue1 in the US East (Northern Virginia) Region. sqs:* grants every shareable action, including purging and deleting the queue, so list the specific actions each account needs unless both genuinely require full control.
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": {
    "Sid": "Queue1_AllActions",
    "Effect": "Allow",
    "Principal": {
      "AWS": ["111122223333", "444455556666"]
    },
    "Action": "sqs:*",
    "Resource": "arn:aws:sqs:us-east-1:123456789012:queue1"
  }
}
The following example policy gives all users ReceiveMessage permission for the queue named 111122223333/queue1. A Principal of "AWS": "*" is anonymous access: any caller, including unauthenticated requests from the internet, can receive messages from this queue (and, because ReceiveMessage hides a message for its visibility timeout, interfere with legitimate consumers). A statement like this should always carry a Condition, as the examples that follow do, unless the queue is meant to be public.
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": {
    "Sid": "Queue1_AnonymousAccess_ReceiveMessage",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "sqs:ReceiveMessage",
    "Resource": "arn:aws:sqs:*:111122223333:queue1"
  }
}
The following example policy gives all users ReceiveMessage permission for the queue named 111122223333/queue1, but only between noon and 3:00 p.m. UTC on January 31, 2009. The aws:CurrentTime values are ISO 8601 timestamps in UTC, and both bounds are exclusive because DateGreaterThan and DateLessThan are strict comparisons (use DateGreaterThanEquals or DateLessThanEquals to include a boundary).
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": {
    "Sid": "Queue1_AnonymousAccess_ReceiveMessage_TimeLimit",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "sqs:ReceiveMessage",
    "Resource": "arn:aws:sqs:*:111122223333:queue1",
    "Condition": {
      "DateGreaterThan": {
        "aws:CurrentTime": "2009-01-31T12:00Z"
      },
      "DateLessThan": {
        "aws:CurrentTime": "2009-01-31T15:00Z"
      }
    }
  }
}
The following example policy gives all users permission to use all shareable Amazon SQS actions for the queue named 111122223333/queue1, but only if the request comes from the 192.168.143.0/24 range. aws:SourceIp is the public IP address from which the request reaches Amazon SQS; requests that arrive through a VPC endpoint should be matched with aws:VpcSourceIp instead.
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": {
    "Sid": "Queue1_AnonymousAccess_AllActions_WhitelistIP",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "sqs:*",
    "Resource": "arn:aws:sqs:*:111122223333:queue1",
    "Condition": {
      "IpAddress": {
        "aws:SourceIp": "192.168.143.0/24"
      }
    }
  }
}
The following example policy has two statements:
One that gives all users in the 192.168.143.0/24 range (except for 192.168.143.188) permission to use the SendMessage action for the queue named 111122223333/queue1. All condition blocks in a statement must be satisfied, so IpAddress and NotIpAddress together express "inside the range, but not this one host".
One that denies all users in the 10.1.2.0/24 range any use of the queue. An explicit Deny overrides every Allow, whether it appears in this queue policy or in the caller's identity-based policies.
{
  "Version": "2012-10-17",
  "Id": "Queue1_Policy_UUID",
  "Statement": [
    {
      "Sid": "Queue1_AnonymousAccess_SendMessage_IPLimit",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:*:111122223333:queue1",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.143.0/24"
        },
        "NotIpAddress": {
          "aws:SourceIp": "192.168.143.188/32"
        }
      }
    },
    {
      "Sid": "Queue1_AnonymousAccess_AllActions_IPLimit_Deny",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:*:111122223333:queue1",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.1.2.0/24"
        }
      }
    }
  ]
}
The following example policy enables a connection between the Amazon Simple Notification Service topic specified by the Amazon Resource Name (ARN) arn:aws:sns:us-east-1:111122223333:test-topic and the queue named arn:aws:sqs:us-east-1:111122223333:test-topic-queue. The aws:SourceArn condition is what scopes this grant: the key is present only on requests that an AWS service makes on behalf of one of its resources, so a caller that sends to the queue directly does not match it. Delivering notifications requires only sqs:SendMessage, so a tighter form of the same statement restricts Action to sqs:SendMessage and names the service principal sns.amazonaws.com instead of "AWS": "*".
{
  "Version": "2012-10-17",
  "Id": "SNStoSQS",
  "Statement": {
    "Sid": "rule1",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "sqs:*",
    "Resource": "arn:aws:sqs:us-east-1:111122223333:test-topic-queue",
    "Condition": {
      "StringEquals": {
        "aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:test-topic"
      }
    }
  }
}
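The policies above are easy to misread where an Allow meets a Deny, where two condition operators sit in one statement, or where a condition key is absent from the request. The evaluator below is an added example, not AWS code and not part of this documentation: it models only the subset of IAM evaluation that the examples on this page use (Principal "AWS" with "*" meaning anyone, Action and Resource wildcards, IpAddress/NotIpAddress, DateGreaterThan/DateLessThan, StringEquals, and explicit-deny precedence) and runs the two-statement IP policy, the time-window policy and the SNS policy against constructed requests. The source IP addresses, timestamps, the "anonymous" caller label, the Allow/ExplicitDeny/ImplicitDeny result names and the second topic ARN in account 444455556666 are this example's own constructions. It goes slightly beyond any one example in that a single engine handles every condition operator the page uses.

```python
"""Offline evaluator for the queue-policy examples on this page (added example,
not AWS code). It models only the IAM rules these examples use: Principal "AWS"
("*" = anyone, anonymous included), Action/Resource wildcards, IpAddress /
NotIpAddress, DateGreaterThan / DateLessThan, StringEquals and explicit-deny
precedence. A missing condition key fails the condition; the ...IfExists and
Null operators and ARN-form principals are not modelled."""
import fnmatch
import ipaddress
from datetime import datetime

QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:queue1"
TOPIC_QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:test-topic-queue"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _parse_time(s):
    # aws:CurrentTime values on this page are ISO 8601 with a 'Z' (UTC) suffix.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _principal_matches(principal, caller):
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or caller in aws

def _matches_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_true(operator, key, expected, context):
    actual = context.get(key)
    if actual is None:
        return False  # key absent from the request: the condition cannot match
    expected = _as_list(expected)
    if operator == "StringEquals":
        return actual in expected
    if operator in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(c, strict=False) for c in expected)
        return hit if operator == "IpAddress" else not hit
    if operator in ("DateGreaterThan", "DateLessThan"):
        t, bound = _parse_time(actual), _parse_time(expected[0])
        return t > bound if operator == "DateGreaterThan" else t < bound
    raise ValueError(f"operator {operator} not modelled")

def evaluate(policy, request):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request dict
    with keys caller, action, resource, context. A matching Deny statement ends
    evaluation at once; a matching Allow is only provisional."""
    decision = "ImplicitDeny"
    for st in _as_list(policy["Statement"]):
        if not (_principal_matches(st["Principal"], request["caller"])
                and _matches_any(st["Action"], request["action"])
                and _matches_any(st["Resource"], request["resource"])):
            continue
        # Every operator block, and every key inside it, must hold (logical AND).
        if not all(_condition_true(op, k, v, request["context"])
                   for op, kv in st.get("Condition", {}).items()
                   for k, v in kv.items()):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision

# This page's two-statement IP policy, time-window policy and SNS policy, compacted.
IP_POLICY = {"Version": "2012-10-17", "Id": "Queue1_Policy_UUID", "Statement": [
    {"Sid": "Queue1_AnonymousAccess_SendMessage_IPLimit", "Effect": "Allow",
     "Principal": {"AWS": "*"}, "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:*:111122223333:queue1",
     "Condition": {"IpAddress": {"aws:SourceIp": "192.168.143.0/24"},
                   "NotIpAddress": {"aws:SourceIp": "192.168.143.188/32"}}},
    {"Sid": "Queue1_AnonymousAccess_AllActions_IPLimit_Deny", "Effect": "Deny",
     "Principal": {"AWS": "*"}, "Action": "sqs:*",
     "Resource": "arn:aws:sqs:*:111122223333:queue1",
     "Condition": {"IpAddress": {"aws:SourceIp": "10.1.2.0/24"}}}]}
TIME_POLICY = {"Version": "2012-10-17", "Id": "Queue1_Policy_UUID", "Statement": {
    "Sid": "Queue1_AnonymousAccess_ReceiveMessage_TimeLimit", "Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "sqs:ReceiveMessage",
    "Resource": "arn:aws:sqs:*:111122223333:queue1",
    "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2009-01-31T12:00Z"},
                  "DateLessThan": {"aws:CurrentTime": "2009-01-31T15:00Z"}}}}
SNS_POLICY = {"Version": "2012-10-17", "Id": "SNStoSQS", "Statement": {
    "Sid": "rule1", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sqs:*",
    "Resource": TOPIC_QUEUE_ARN, "Condition": {"StringEquals": {
        "aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:test-topic"}}}}

def _anonymous(policy, action, resource, context):
    return evaluate(policy, {"caller": "anonymous", "action": action,
                             "resource": resource, "context": context})

def decide_for_ip(source_ip, action="sqs:SendMessage"):
    return _anonymous(IP_POLICY, action, QUEUE_ARN, {"aws:SourceIp": source_ip})

def decide_at(current_time):
    return _anonymous(TIME_POLICY, "sqs:ReceiveMessage", QUEUE_ARN,
                      {"aws:CurrentTime": current_time})

def decide_sns(source_arn=None):
    # None models a direct caller, whose request carries no aws:SourceArn at all.
    context = {} if source_arn is None else {"aws:SourceArn": source_arn}
    return _anonymous(SNS_POLICY, "sqs:SendMessage", TOPIC_QUEUE_ARN, context)
```

Running it confirms the behaviour the prose describes: 192.168.143.7 may send, 192.168.143.188 falls to an implicit deny because the NotIpAddress block fails, anything in 10.1.2.0/24 hits the explicit Deny, exactly 12:00Z and 15:00Z are outside the time window, and a direct SendMessage with no aws:SourceArn never matches the SNS statement. The model deliberately stops short of real IAM in places (no ...IfExists or Null operators, account principals matched by bare ID), so treat it as a reading aid for these examples rather than a policy simulator.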