Element Descriptions

The Version is the access policy language version. This is an optional element, and currently the only allowed value is 2008-10-17.

"Version":"2008-10-17"

The Id is an optional identifier for the policy. We recommend you use a UUID for the value, or incorporate a UUID as part of the ID to ensure uniqueness.

A permission is the concept of allowing or disallowing some kind of access to a particular resource. Permissions essentially follow this form: "A is/isn't allowed to do B to C where D applies." For example, Jane (A) has permission to receive messages (B) from John's Amazon SQS queue (C), as long as she asks to receive them before midnight on May 30, 2009 (D). Whenever Jane sends a request to Amazon SQS to use John's queue, the service checks to see if she has permission and if the request satisfies the conditions John set forth in the permission.

The Statement is the main element for a statement. It can include multiple elements (see the subsequent sections in this guide).

The Statement element contains an array of individual statements. Each individual statement is a distinct JSON block enclosed in curly brackets { }.

"Statement":[{...},{...},{...}]

A policy is a document (written in the access policy language) that acts as a container for one or more statements. For example, a policy could have two statements in it: one that states that Jane can read John's object, and another that states that Bob cannot read John's object. An equivalent scenario would be to have two policies, one containing the statement that Jane can read John's object, and another containing the statement that Bob cannot read John's object.

The issuer is the person who writes a policy to grant permissions for a resource. The issuer (by definition) is always the resource owner. AWS does not permit AWS product users to create policies for resources they don't own. If John is the resource owner, AWS authenticates John's identity when he submits the policy he's written to grant permissions for that resource.

The Sid (statement ID) is an optional identifier you provide for the policy statement. Essentially it is just a sub-ID of the policy document's ID.

"Sid" : "1"

The Effect is a required element that indicates whether you want the statement to result in an allow or an explicit deny (for more information, see Explicit Deny).

Valid values for Effect are Allow and Deny.

"Effect":"Allow"

The Principal is the person or persons who receive or are denied permission according to the policy. You must specify the principal by using the principal's AWS account ID (e.g., 1234-5678-9012, with or without the hyphens). You can specify multiple principals, or a wildcard (*) to indicate all possible users. You can view your account ID by logging in to your AWS account at http://aws.amazon.com and clicking Account Activity.

In JSON, you use "AWS": as a prefix for the principal's AWS account ID.

The Action is the specific type or types of access allowed or denied (for example, read or write). You can specify multiple values for this element. The values are free-form but must match values the AWS service expects (for more information, see Special Information for Amazon S3 Policies). You can use a wildcard (*) to give the principal access to all the actions the specific AWS service lets you share with other developers.

The NotAction element is useful if you want to make an exception to a list of actions. You could use this, for example, if you want your users to be able to use only the GET Object.

The following example refers to all actions other than GET Object. You would use this in a policy with "Effect":"Deny" to keep users from accessing any other actions.

"NotAction":"s3:GetObject"

The Resource is the object or objects the policy covers. The value can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. The values are free-form, but must follow the format the AWS service expects.

This section describes the Condition element and the information you can use inside the element.

The Condition Block

The Condition element is the most complex part of the policy statement. We refer to it as the condition block, because although it has a single Condition element, it can contain multiple conditions, and each condition can contain multiple key-value pairs. The following figure illustrates this. Unless otherwise specified for a particular key, all keys can have multiple values.

When creating a condition block, you specify the name of each condition, and at least one key-value pair for each condition. AWS defines the conditions and keys you can use (they're listed in the subsequent sections). An example of a condition is NumericEquals. Let's say you have a fictional resource, and you want to let John use it only if some particular numeric value foo equals either A or B, and another numeric value bar equals C. Then you would create a condition block that looks like the following figure.

Let's say you also want to restrict John's access to after January 1, 2009. Then you would add another condition, DateGreaterThan, with a date equal to January 1, 2009. The condition block would then look like the following figure.

As illustrated in the following figure, we always apply a logical AND to the conditions within a condition block, and to the keys within a condition. We always apply a logical OR to the values for a single key. All conditions must be met to return an allow or an explicit deny decision. If a condition isn't met, the result is a default deny.

As mentioned, AWS defines the conditions and keys you can use (for example, one of the keys is aws:CurrentTime, which lets you restrict access based on the date and time). The AWS service itself can also define its own service-specific keys. For a list of available keys, see Available Keys.

For a concrete example that uses real keys, let's say you want to let John upload an object under the following three conditions:

• The time is after 12:00 noon on 8/16/2010

• The time is before 3:00 p.m. on 8/16/2010

• The request comes from an IP address within the 192.168.176.0/24 range or the 192.168.143.0/24 range

Your condition block has three separate conditions, and all three of them must be met for John to have access to your bucket .

The following shows what the condition block looks like in your policy.

"Condition" :  {
      "DateGreaterThan" : {
         "aws:CurrentTime" : "2009-04-16T12:00:00Z"
       }
      "DateLessThan": {
         "aws:CurrentTime" : "2009-04-16T15:00:00Z"
       }
       "IpAddress" : {
          "aws:SourceIp" : ["192.168.176.0/24","192.168.143.0/24"]
      }
}

{ 
"Statement":[{ 
       "Action":["ec2:*"], 
       "Effect":"Allow", 
       "Resource":["*"], 
        "Condition":{"Null":{"aws:MultiFactorAuthAge":"false"}
       }
     }
  ]
}

{
   "Statement":[{
      "Effect": "Allow",
      "Principal": {
         "AWS": "210987654321"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:01234567891:your_queue_xyz",
      "Condition" : {
         "ArnEquals" : {
            "aws:SourceArn":"arn:aws:sns:us-east-1:123456789012:your_special_topic_1"}
            }
      }
   ]
}