AWS SDK Version 3 for .NET
API Reference


Classes

Name / Description
Class ActionIdentifier

An access control policy action identifies a specific action in a service that can be performed on a resource. For example, sending a message to a queue.

ActionIdentifiers allow you to limit what your access control policy statement affects. For example, you could create a policy statement that enables a certain group of users to send messages to your queue, but not allow them to perform any other actions on your queue.

The action is B in the statement "A has permission to do B to C where D applies."

Free-form access control policy actions may include a wildcard (*) to match multiple actions.

Constants for known actions can be found in the Amazon.Auth.AccessControlPolicy.ActionIdentifiers namespace.

Class Condition

AWS access control policy conditions are contained in Amazon.Auth.AccessControlPolicy.Statement objects, and affect when a statement is applied. For example, a statement that allows access to an Amazon SQS queue could use a condition to only apply the effect of that statement for requests that are made before a certain date, or that originate from a range of IP addresses.

Multiple conditions can be included in a single statement, and all conditions must evaluate to true in order for the statement to take effect.

The set of conditions is D in the statement "A has permission to do B to C where D applies."

A condition is composed of three parts:

Condition Key: The condition key declares which value of a request to pull in and compare against when a policy is evaluated by AWS. For example, using Amazon.Auth.AccessControlPolicy.ConditionFactory.SOURCE_IP_CONDITION_KEY will cause AWS to pull in the current request's source IP as the first value to compare against every time your policy is evaluated.

Comparison Type: The comparison type declares how the request value and the comparison value are compared (for example, as strings, numbers, dates, IP addresses or ARNs). The supported comparison types are listed in the ConditionFactory.*ComparisonType enumerations below; see the documentation for individual comparison types for more information.

Comparison Value: This is a static value used as the second value in the comparison when your policy is evaluated. Depending on the comparison type, this value can optionally use wildcards. See the documentation for individual comparison types for more information.

Class ConditionFactory

A factory for creating conditions to be used in the policy.

Class Policy

An AWS access control policy is an object that acts as a container for one or more statements, which specify fine-grained rules for allowing or denying various types of actions from being performed on your AWS resources.

By default, all requests to use your resource coming from anyone but you are denied. Access control policies can override that by allowing different types of access to your resources, or by explicitly denying different types of access.

Each statement in an AWS access control policy takes the form: "A has permission to do B to C where D applies".

A is the principal: the AWS account that is making a request to access or modify one of your AWS resources.

B is the action: the way in which your AWS resource is being accessed or modified, such as sending a message to an Amazon SQS queue, or storing an object in an Amazon S3 bucket.

C is the resource: your AWS entity that the principal wants to access, such as an Amazon SQS queue, or an object stored in Amazon S3.

D is the set of conditions: optional constraints that specify when to allow or deny access for the principal to access your resource. Many expressive conditions are available, some specific to each service. For example, you can use date conditions to allow access to your resources only after or before a specific time.

Note that an AWS access control policy should not be confused with the similarly named "POST form policy" concept used in Amazon S3.

Class Principal

A principal is an AWS account which is being allowed or denied access to a resource through an access control policy. The principal is a property of the Statement object, not directly the Amazon.Auth.AccessControlPolicy.Policy object.

The principal is A in the statement "A has permission to do B to C where D applies."

In an access control policy statement, you can set the principal to all authenticated AWS users through the Amazon.Auth.AccessControlPolicy.Principal.AllUsers member. This is useful when you don't want to restrict access based on the identity of the requester, but instead on other identifying characteristics such as the requester's IP address.

Class Resource

Represents a resource involved in an AWS access control policy statement. Resources are the service-specific AWS entities owned by your account. Amazon SQS queues, Amazon S3 buckets and objects, and Amazon SNS topics are all examples of AWS resources.

The standard way of specifying an AWS resource is with an Amazon Resource Name (ARN).

The resource is C in the statement "A has permission to do B to C where D applies."

Class ResourceFactory

A factory for creating resources to be used in the policy.

Class Statement

A statement is the formal description of a single permission, and is always contained within a policy object.

A statement describes a rule for allowing or denying access to a specific AWS resource based on how the resource is being accessed, and who is attempting to access the resource. Statements can also optionally contain a list of conditions that specify when a statement is to be honored.

For example, consider a statement that:

A is the principal: the AWS account that is making a request to access or modify one of your AWS resources.

B is the action: the way in which your AWS resource is being accessed or modified, such as sending a message to an Amazon SQS queue, or storing an object in an Amazon S3 bucket.

C is the resource: your AWS entity that the principal wants to access, such as an Amazon SQS queue, or an object stored in Amazon S3.

D is the set of conditions: optional constraints that specify when to allow or deny access for the principal to access your resource. Many expressive conditions are available, some specific to each service. For example, you can use date conditions to allow access to your resources only after or before a specific time.

There are many resources and conditions available for use in statements, and you can combine them to form fine-grained custom access control policies.
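The following is an added example, not code from this reference page, showing how the Policy, Statement, Principal, ActionIdentifier, Resource and ConditionFactory classes described above fit the "A has permission to do B to C where D applies" pattern. It builds a least-privilege queue policy: any authenticated AWS user (A) may send messages (B) to one queue (C) only when the request originates from a given address range (D), and a second statement explicitly denies every other action on the queue from outside that range, so the statement effects described under Statement.StatementEffect are both exercised. The queue ARN and the CIDR are constructed placeholders; the fluent With* methods, SQSActionIdentifiers.SendMessage, NewIpAddressCondition and ToJson are taken from the SDK and are not documented on this page, so treat their exact signatures as assumptions to confirm against the class pages.

```csharp
using System;
using Amazon.Auth.AccessControlPolicy;
using Amazon.Auth.AccessControlPolicy.ActionIdentifiers;

// Added example (not part of the AWS SDK documentation).
// Demonstrates one Allow and one explicit Deny statement built with the
// Amazon.Auth.AccessControlPolicy classes described on this page.
public static class QueuePolicyExample
{
    // Placeholder ARN (constructed): substitute the real queue ARN from your account.
    private const string QueueArn = "arn:aws:sqs:us-east-1:123456789012:example-queue";

    // Constructed documentation-range CIDR standing in for an office or VPN egress range.
    private const string TrustedRange = "203.0.113.0/24";

    public static Policy BuildSendOnlyPolicy()
    {
        // A = Principal.AllUsers (any authenticated caller; identity is not the control here),
        // B = sqs:SendMessage only (no ReceiveMessage, DeleteQueue, etc.),
        // C = exactly one queue, by ARN,
        // D = source IP of the request must fall inside TrustedRange.
        var allowSendFromRange = new Statement(Statement.StatementEffect.Allow)
            .WithPrincipals(Principal.AllUsers)
            .WithActionIdentifiers(SQSActionIdentifiers.SendMessage)
            .WithResources(new Resource(QueueArn))
            .WithConditions(
                ConditionFactory.NewIpAddressCondition(
                    ConditionFactory.IpAddressComparisonType.IpAddress,
                    TrustedRange));

        // Explicit Deny: requests from outside the range are refused for every
        // action on the queue, regardless of any Allow elsewhere in the policy.
        // Requests are denied by default anyway; the explicit Deny makes the
        // boundary visible and survives later, broader Allow statements.
        var denyOutsideRange = new Statement(Statement.StatementEffect.Deny)
            .WithPrincipals(Principal.AllUsers)
            .WithActionIdentifiers(new ActionIdentifier("sqs:*"))   // wildcard action
            .WithResources(new Resource(QueueArn))
            .WithConditions(
                ConditionFactory.NewIpAddressCondition(
                    ConditionFactory.IpAddressComparisonType.NotIpAddress,
                    TrustedRange));

        return new Policy("SendOnlyFromTrustedRange")
            .WithStatements(allowSendFromRange, denyOutsideRange);
    }

    public static void Main()
    {
        Policy policy = BuildSendOnlyPolicy();

        // Serialize to the JSON document that is attached to the queue
        // (for example via the SQS "Policy" queue attribute).
        Console.WriteLine(policy.ToJson());
    }
}
```

Review the generated JSON before attaching it: the Allow statement should name only the one action and the one ARN, and the Deny statement should carry the NotIpAddress condition. A policy whose Allow uses a wildcard resource or action, or whose conditions are missing, is the usual way such a queue ends up writable or readable by far more callers than intended.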

Enums

Name / Description
Enum ConditionFactory.ArnComparisonType

Enumeration of the supported ways an ARN comparison can be evaluated.

Enum ConditionFactory.DateComparisonType

Enumeration of the supported ways a date comparison can be evaluated.

Enum ConditionFactory.IpAddressComparisonType

Enumeration of the supported ways an IP address comparison can be evaluated.

Enum ConditionFactory.NumericComparisonType

Enumeration of the supported ways a numeric comparison can be evaluated.

Enum ConditionFactory.StringComparisonType

Enumeration of the supported ways a string comparison can be evaluated.

Enum Statement.StatementEffect

The effect is the result that you want a policy statement to return at evaluation time. A policy statement can either allow access or explicitly deny access.