Overview of Managing Access Permissions to Your Amazon Simple Queue Service Resource
Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to IAM identities (users, groups, and roles), and some services (such as Amazon SQS) also support attaching permissions policies to resources.
An account administrator (or administrator user) is a user with administrative privileges. For more information, see IAM Best Practices in the IAM User Guide.
When granting permissions, you specify which users (or other principals) get permissions, the resource they get permissions for, and the specific actions that you want to allow on that resource.
Amazon Simple Queue Service Resource and Operations
For Amazon SQS, the queue is the only resource type you can specify in a policy. The following are examples of the Amazon Resource Name (ARN) format for queues:
An ARN for a normal queue:
For more information about ARNs, see IAM ARNs in the IAM User Guide.
An ARN for a queue named my_queue in the US East (Ohio) region, belonging to AWS Account 123456789012:
An ARN for a queue named my_queue in each of the different regions that Amazon SQS supports:
An ARN that uses * as a wildcard for the queue name. In the following examples, the ARN matches every queue whose name starts with the prefix that precedes the *:
You can retrieve the ARN value for an existing queue by calling the GetQueueAttributes action. The value of the QueueArn attribute is the ARN of the queue.
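The following is an added example, not code from the AWS documentation: small helpers that build and parse a queue ARN, read the QueueArn attribute out of a GetQueueAttributes response, and match an ARN against a policy Resource pattern with the IAM wildcards * (any sequence) and ? (one character). The response dictionary is constructed for the example (it has the shape the SQS API returns), US East (Ohio) is region us-east-2, and the prefix orders_ is a hypothetical queue-name prefix chosen here.

```python
import re

# Added example (not part of the AWS documentation): helpers for the queue ARN
# format arn:aws:sqs:<region>:<account-id>:<queue-name>, and for matching an
# ARN against a policy Resource pattern using the IAM wildcards
# '*' (any sequence of characters) and '?' (exactly one character).

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Queue names: letters, digits, hyphens and underscores, at most 80 characters;
# FIFO queue names carry a .fifo suffix.
QUEUE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\.fifo)?$")


def valid_queue_name(name: str) -> bool:
    return len(name) <= 80 and QUEUE_NAME_RE.match(name) is not None


def sqs_queue_arn(region: str, account_id: str, queue_name: str) -> str:
    """Build a queue ARN, refusing malformed account IDs and queue names."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account ID must be 12 digits: {account_id!r}")
    if not valid_queue_name(queue_name):
        raise ValueError(f"invalid queue name: {queue_name!r}")
    return f"arn:aws:sqs:{region}:{account_id}:{queue_name}"


def parse_sqs_arn(arn: str) -> dict:
    """Split a queue ARN into its fields; anything that is not an SQS ARN is rejected."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "sqs":
        raise ValueError(f"not an SQS queue ARN: {arn!r}")
    _, partition, _, region, account_id, queue_name = parts
    return {"partition": partition, "region": region,
            "account_id": account_id, "queue_name": queue_name}


def arn_matches(pattern: str, arn: str) -> bool:
    """Match an ARN against a Resource pattern; '*' and '?' are the only metacharacters."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None


def queue_arn_from_attributes(response: dict) -> str:
    """Read the QueueArn attribute out of a GetQueueAttributes response."""
    return response["Attributes"]["QueueArn"]


if __name__ == "__main__":
    # Constructed sample response for a queue named my_queue in US East (Ohio),
    # i.e. region us-east-2, owned by account 123456789012.
    sample = {"Attributes": {"QueueArn": "arn:aws:sqs:us-east-2:123456789012:my_queue"}}
    arn = queue_arn_from_attributes(sample)
    print(arn == sqs_queue_arn("us-east-2", "123456789012", "my_queue"))   # True
    print(parse_sqs_arn(arn)["queue_name"])                                 # my_queue
    # Hypothetical prefix orders_: one pattern covers every such queue in any region
    pattern = "arn:aws:sqs:*:123456789012:orders_*"
    print(arn_matches(pattern, "arn:aws:sqs:eu-west-1:123456789012:orders_dlq"))  # True
    print(arn_matches(pattern, arn))                                                # False
```

Note that ? matches exactly one character, so a pattern ending in queue_? covers queue_1 but not queue_12; when the intent is "everything with this prefix", use * and keep the account ID and, where possible, the region literal so the statement cannot widen to queues in other accounts.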
Understanding Resource Ownership
A resource owner is the AWS account that creates the resource. That is, the resource owner is the AWS account of the principal entity (the root account, an IAM user, or an IAM role) that authenticates the request that creates the resource. The following examples illustrate how this works:
If you use the root account credentials of your AWS account to create an Amazon SQS queue, your AWS account is the owner of the resource (in Amazon SQS, the resource is the Amazon SQS queue).
If you create an IAM user in your AWS account and grant that user permission to create an Amazon SQS queue, the user can create an Amazon SQS queue. However, your AWS account (to which the user belongs) owns the Amazon SQS queue resource.
If you create an IAM role in your AWS account with permissions to create an Amazon SQS queue, anyone who can assume the role can create an Amazon SQS queue. Your AWS account (to which the role belongs) owns the Amazon SQS queue resource.
Managing Access to Resources
A permissions policy describes which principals are granted which permissions on which resources. The following section explains the available options for creating permissions policies.
This section discusses using IAM in the context of Amazon Simple Queue Service. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see What is IAM? in the IAM User Guide. For information about IAM policy syntax and descriptions, see AWS IAM Policy Reference in the IAM User Guide.
Policies attached to an IAM identity are referred to as identity-based policies (IAM policies), and policies attached to a resource are referred to as resource-based policies.
Identity-Based (IAM) Features of Resource-Based (Amazon SQS) Policies
You can use an Amazon SQS policy with a queue to specify which AWS Accounts have access to the queue. You can specify the type of access and conditions (for example, a condition that grants permission to use ReceiveMessage only if the request is made before December 31, 2010). The specific actions you can grant permission for are a subset of the overall list of Amazon SQS actions. When you write an Amazon SQS policy and specify * to mean "all the Amazon SQS actions", that means all actions in that subset.
The following diagram illustrates the concept of one of these basic Amazon SQS policies that covers the subset of actions. The policy is for queue_xyz, and it gives AWS Account 1 and AWS Account 2 permission to use any of the allowed actions with the queue.
The resource in the policy is specified as an ARN in which 123456789012 is the AWS Account ID of the account that owns the queue.
With the introduction of IAM and the concepts of Users and Amazon Resource Names (ARNs), a few things have changed about SQS policies. The following diagram and table describe the changes.
In addition to specifying which AWS Accounts have access to a queue, you can specify which users in your own AWS Account have access to the queue. If the users are in different accounts, see Tutorial: Delegate Access Across AWS Accounts Using IAM Roles in the IAM User Guide.
The subset of actions included in
You can specify the resource using the Amazon Resource Name (ARN), the standard means of specifying resources in IAM policies. For information about the ARN format for Amazon SQS queues, see Amazon Simple Queue Service Resource and Operations.
For example, according to the Amazon SQS policy in the preceding figure, anyone who possesses the security credentials for AWS Account 1 or AWS Account 2 can access queue_xyz. In addition, the users Bob and Susan in your own AWS Account (with ID 123456789012) can access the queue.
Before the introduction of IAM, Amazon SQS automatically gave the creator of a queue full control over the queue (that is, access to all possible Amazon SQS actions on that queue). This is no longer true, unless the creator uses the AWS account's own security credentials rather than those of an IAM user. Any user who has permission to create a queue must also have permission to use other Amazon SQS actions in order to do anything with the created queues.
Resource-Based (Amazon SQS) and Identity-Based (IAM) Policies
There are two ways to give your users permissions to your Amazon SQS resources: using the Amazon SQS policy system and using the IAM policy system. You can use one or the other, or both. For the most part, you can achieve the same result with either one.
For example, the following diagram shows an IAM policy and an Amazon SQS policy equivalent to it. The IAM policy grants the right to perform the Amazon SQS SendMessage action on queue_xyz in your AWS Account, and the policy is attached to users named Bob and Susan (Bob and Susan have the permissions stated in the policy). The Amazon SQS policy also gives Bob and Susan the right to perform the SendMessage action on the same queue.
This example shows simple policies without conditions. You can specify a particular condition in either policy and get the same result.
There is one major difference between IAM and Amazon SQS policies: the Amazon SQS policy system lets you grant permission to other AWS Accounts, whereas IAM doesn't.
It is up to you how you use both of the systems together to manage your permissions. The following examples show how the two policy systems work together.
In the first example, Bob has both an IAM policy and an Amazon SQS policy that apply to him. The IAM policy grants him permission for an action on queue_xyz, whereas the Amazon SQS policy gives him permission for the SendMessage action on the same queue. The following diagram illustrates the concept.
If Bob sends a request for the action named in the IAM policy to queue_xyz, the IAM policy allows the action. If Bob sends a SendMessage request to queue_xyz, the Amazon SQS policy allows the action.
In the second example, Bob abuses his access to queue_xyz, so it becomes necessary to remove his entire access to the queue. The easiest thing to do is to add a policy that denies him access to all actions for the queue. This policy overrides the other two because an explicit deny always overrides an allow. For more information about policy evaluation logic, see Creating Custom Policies Using the Access Policy Language. The following diagram illustrates the concept.
You can also add an additional statement to the Amazon SQS policy that denies Bob any type of access to the queue. It has the same effect as adding an IAM policy that denies Bob access to the queue. For examples of policies that cover Amazon SQS actions and resources, see Customer-Managed Policy Examples. For more information about writing Amazon SQS policies, see Creating Custom Policies Using the Access Policy Language.
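The following is an added example, not code from the AWS documentation, serving both the Bob-and-Susan queue policy with its cross-account grants described earlier and the two worked cases just above (Bob allowed by one policy of each kind, then cut off by an explicit deny). It is a deliberately simplified evaluator for the rules the text states: an allow in either an identity-based or the resource-based policy grants the action, an explicit Deny anywhere wins, and no matching statement means implicit deny. Assumptions: the page does not name the action granted by Bob's IAM policy, so ReceiveMessage is used; "AWS Account 2" is stood in by the constructed account ID 111111111111; Condition elements, NotAction/NotResource/NotPrincipal, service control policies, permission boundaries and the cross-account requirement that the caller's own account also grant the action are not modelled.

```python
import re
from typing import Iterable, Optional

# Added example (not from the AWS documentation): a simplified model of how a
# principal's identity-based (IAM) policies and a queue's resource-based
# (Amazon SQS) policy combine. Modelled rules: an Allow in either policy grants
# the action; an explicit Deny in either policy overrides every Allow; with no
# matching statement the request is implicitly denied. Conditions, Not* elements,
# SCPs, permission boundaries and cross-account identity checks are omitted.

QUEUE_ARN = "arn:aws:sqs:us-east-2:123456789012:queue_xyz"
BOB = "arn:aws:iam::123456789012:user/Bob"
SUSAN = "arn:aws:iam::123456789012:user/Susan"
ACCOUNT_2 = "111111111111"   # constructed stand-in for "AWS Account 2"


def _wild(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' is any sequence, '?' exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_matches(statement: dict, principal_arn: str) -> bool:
    """Identity-based statements carry no Principal (the attached identity is
    implicit); resource-based statements name users, roles or whole accounts."""
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    caller_account = principal_arn.split(":")[4]
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", principal_arn):
            return True
        # An account ID or account root ARN admits every principal of that account
        if p in (caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
    return False


def _applies(st: dict, principal_arn: str, action: str, resource: str) -> bool:
    if not _principal_matches(st, principal_arn):
        return False
    # Action names are case-insensitive; resource ARNs are case-sensitive
    if not any(_wild(a.lower(), action.lower()) for a in _as_list(st["Action"])):
        return False
    return any(_wild(r, resource) for r in _as_list(st["Resource"]))


def evaluate(principal_arn: str, action: str, resource: str,
             identity_policies: Iterable[dict], queue_policy: Optional[dict]) -> str:
    """Return 'Allow' or 'Deny' for one request against the combined policies."""
    statements = [st for pol in identity_policies for st in _as_list(pol["Statement"])]
    if queue_policy:
        statements += _as_list(queue_policy["Statement"])
    matched = [st for st in statements if _applies(st, principal_arn, action, resource)]
    if any(st["Effect"] == "Deny" for st in matched):
        return "Deny"     # explicit deny always wins
    if any(st["Effect"] == "Allow" for st in matched):
        return "Allow"
    return "Deny"         # nothing granted: implicit deny


def build_policies(deny_bob: bool = False):
    """Identity-based policies keyed by user ARN, plus the queue policy.
    deny_bob=True adds the statement that removes Bob's access entirely."""
    identity = {
        BOB: [{"Version": "2012-10-17", "Statement": [
            # Assumption: the text leaves the IAM-granted action unnamed; ReceiveMessage is used
            {"Effect": "Allow", "Action": "sqs:ReceiveMessage", "Resource": QUEUE_ARN}]}],
        SUSAN: [],
    }
    queue_policy = {"Version": "2012-10-17", "Statement": [
        {"Sid": "BobAndSusanCanSend", "Effect": "Allow",
         "Principal": {"AWS": [BOB, SUSAN]}, "Action": "sqs:SendMessage", "Resource": QUEUE_ARN},
        {"Sid": "Account2AllActions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_2}:root"}, "Action": "sqs:*", "Resource": QUEUE_ARN},
    ]}
    if deny_bob:
        queue_policy["Statement"].append(
            {"Sid": "DenyBobEverything", "Effect": "Deny",
             "Principal": {"AWS": BOB}, "Action": "sqs:*", "Resource": QUEUE_ARN})
    return identity, queue_policy


def check(principal_arn: str, action: str, deny_bob: bool = False) -> str:
    identity, queue_policy = build_policies(deny_bob)
    return evaluate(principal_arn, action, QUEUE_ARN, identity.get(principal_arn, []), queue_policy)


if __name__ == "__main__":
    print(check(BOB, "sqs:ReceiveMessage"), check(BOB, "sqs:SendMessage"))   # Allow Allow
    print(check(BOB, "sqs:DeleteQueue"))                                      # Deny (implicit)
    print(check(BOB, "sqs:ReceiveMessage", deny_bob=True))                    # Deny (explicit deny wins)
    print(check(f"arn:aws:iam::{ACCOUNT_2}:user/Alice", "sqs:SendMessage"))  # Allow (account grant)
```

The deny statement is attached to the queue policy here, but the outcome is identical if it is attached to Bob's IAM policy instead: the evaluator pools statements from both sources before looking for a Deny, which is exactly why either placement removes his access. In the real service a principal from Account 2 additionally needs an identity-based allow in its own account; the model above admits it on the queue policy alone.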
Specifying Policy Elements: Actions, Effects, Resources, and Principals
For each Amazon Simple Queue Service resource, the service defines a set of API operations. To grant permissions for these API operations, Amazon SQS defines a set of actions that you can specify in a policy.
Performing an API operation can require permissions for more than one action. When granting permissions for specific actions, you also identify the resource for which the actions are allowed or denied.
The following are the most basic policy elements:
Resource – In a policy, you use an Amazon Resource Name (ARN) to identify the resource to which the policy applies.
Action – You use action keywords to identify resource operations that you want to allow or deny. For example, the sqs:CreateQueue permission allows the user to perform the Amazon Simple Queue Service CreateQueue operation.
Effect – You specify the effect when the user requests the specific action—this can be either allow or deny. If you don't explicitly grant access to a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user can't access it, even if a different policy grants access.
Principal – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. In resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions.
To learn more about Amazon SQS policy syntax and descriptions, see AWS IAM Policy Reference in the IAM User Guide.
For a table of all Amazon Simple Queue Service API actions and the resources that they apply to, see Amazon SQS API Permissions: Actions and Resource Reference.