Creating a Policy for your Queue and adding a Statement to it
The following are prerequisites for completing this tutorial:
- SQS enabled account
- SQS queue
- Basic understanding of SQS Queue Policy conditions. These are documented in more detail in the AWS SQS Developers Guide.
A Policy attached to your SQS queue is essentially a contract specifying who should have access to it. It functions much like other Access Control Lists (ACLs) you have seen. Arguably the most difficult part to understand is the Conditions. The following tutorial will help you set up a Policy that meets your needs. As mentioned earlier, additional technical details are on Amazon's website in the AWS SQS Developers Guide.
- Navigate to Clouds -> AWS Global -> Queues
- Select the queue you want to add a policy for
- Select the Policy tab
Create the Policy and add the Statement to it
- Select the Add Statement action button
- Fill out the fields:
  - Sid - A unique statement ID. This is pre-populated for you.
  - Principal - The person(s) who receive or are denied permission to access your queue. You must specify each principal by their AWS account ID (e.g., 1234-5678-9012, with or without the hyphens). You can specify multiple principals, or use a wildcard (*) to indicate all possible users. Multiple principals can be listed as a space, comma, or semi-colon delimited list (e.g., 1234-5678-9012,999999999999). Note: There is no validation check to verify that a principal is legal. Be sure to specify correct Principal IDs and test all of your policies.
  - Action - Specify what actions they can take (space, comma or semi-colon delimited list). Example:
    - SQS:* (Note: The wildcard "*" is supported. With this syntax, all supported actions apply.)
  - Effect - Allow or deny access
- Select the Create action button when you are ready to save your policy. You can edit it afterwards if need be.
Add a Condition to your Statement (optional)
- By default, the Condition is set to "- any -"
- Select the green "+" action icon to add a condition to your Statement
- Enter the following information:
  - The Boolean Condition (the condition operator, e.g. StringEquals or DateGreaterThan) from the drop-down menu
  - The condition's JSON keys and values
Note: Condition related information is fairly involved. The screen shot below has some helpful examples. See the AWS website ("See Also" below) for up-to-date information, or view the AWS SQS Policy examples linked there.
Note: The example table above leaves off intuitive columns (e.g. Sid and Action icons) for space and formatting purposes.
- Other Condition notes (boolean logic):
  - All the conditions are joined by AND boolean logic. In our example:
    - If the DateGreaterThan AND the StringEquals ...
  - All the items inside a condition are also joined by AND. In our example:
    - AWS UserAgent AND SourceIP AND CurrentTime ...
  - If one item has more than one value set, those values are joined by OR.
    - If "AWS:UserAgent" : ["Mozilla"] also had entries for Safari, Chrome and IE, these would be joined by OR. Effectively, the browser user agent string must equal Mozilla OR Safari OR Chrome OR IE.
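The following is an added example, not part of the original tutorial: a constructed queue policy built from the fields above (Sid, Principal, Action, Effect, Condition) and a small evaluator that applies the boolean logic just described (AND across condition operators and keys, OR across the values of one key) so you can check how a statement behaves before attaching it. The account IDs, queue ARN and CIDR range are placeholders, and only the three operators used in the policy are modelled.

```python
import ipaddress
from datetime import datetime
# Constructed policy (not from the page) using the tutorial's fields; IDs, ARN and CIDR are placeholders.
QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOfficeConsumers",
        "Effect": "Allow",
        "Principal": {"AWS": ["123456789012", "999999999999"]},
        "Action": ["SQS:ReceiveMessage", "SQS:DeleteMessage"],
        "Resource": "arn:aws:sqs:us-east-1:123456789012:example-queue",
        "Condition": {
            "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"},
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
            "StringEquals": {"aws:UserAgent": ["Mozilla", "Chrome"]},
        },
    }],
}

def _match(operator, actual, expected):
    """One condition operator applied to a request value and one policy value."""
    if operator == "StringEquals":
        return actual == expected
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    if operator == "DateGreaterThan":
        iso = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
        return iso(actual) > iso(expected)
    raise ValueError(f"operator {operator} is not modelled in this example")

def condition_matches(condition, request):
    """AND across operator blocks and across keys; OR across the values of one key."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            values = [expected] if isinstance(expected, str) else expected
            if key not in request or not any(_match(operator, request[key], v) for v in values):
                return False  # a missing key or an unmatched key fails the whole statement
    return True

def statement_decision(st, principal, action, request):
    """Effect of one statement for a request, or None if the statement does not apply."""
    principals = st["Principal"]["AWS"]
    principals = [principals] if isinstance(principals, str) else principals
    if "*" not in principals and principal not in principals:
        return None
    if not any(a == "SQS:*" or a.lower() == action.lower() for a in st["Action"]):
        return None
    if not condition_matches(st.get("Condition", {}), request):
        return None
    return st["Effect"]
```

Changing the user agent in a request to Safari fails the StringEquals block even though every other block still matches, which is the AND/OR behaviour the notes above describe.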