sqs-dg-2009-02-01
Amazon Simple Queue Service Developer Guide
Evaluation Logic
The enforcement code then evaluates all the policies that are applicable to the request (based
on the resource, principal, action, and conditions).
The order in which the enforcement code evaluates the policies is not important.
In all those policies, the enforcement code looks for an explicit deny instruction that would apply
to the request.
If it finds even one, the enforcement code returns a decision of "deny" and the process is finished
(this is an explicit deny; for more information, see Explicit Deny (p. 36)).
If no explicit deny is found, the enforcement code looks for any "allow" instructions that would
apply to the request.
If it finds even one, the enforcement code returns a decision of "allow" and the process is done
(the service continues to process the request).
If no allow is found, then the final decision is "deny" (because there was no explicit deny or allow,
this is considered a default deny; for more information, see Default Deny (p. 35)).
The Interplay of Explicit and Default Denials
A policy results in a default deny if it doesn't directly apply to the request. For example, if a user requests
to use Amazon SQS, but the only policy that applies to the user states that the user can use Amazon
SimpleDB, then that policy results in a default deny.
A policy also results in a default deny if a condition in a statement isn't met. If all conditions in the statement
are met, then the policy results in either an allow or an explicit deny, based on the value of the Effect
element in the policy. Policies don't specify what to do if a condition isn't met, and so the default result in
that case is a default deny.
For example, let's say you want to prevent requests coming in from Antarctica. You write a policy (called
Policy A1) that allows a request only if it doesn't come from Antarctica. The following diagram illustrates
the policy.
If someone sends a request from the U.S., the condition is met (the request is not from Antarctica).
Therefore, the request is allowed. But, if someone sends a request from Antarctica, the condition isn't
met, and the policy's result is therefore a default deny.
You could turn the result into an explicit deny by rewriting the policy (named Policy A2) as in the following
diagram. Here, the policy explicitly denies a request if it comes from Antarctica.
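The evaluation steps and the two Antarctica policies can be run side by side. The following is an added example, not code from the guide: it models only action and condition (principal and resource are omitted), reports which kind of deny was reached, and assumes constructed action names, a constructed `origin` request field, and a hypothetical second policy B that allows the action from any origin.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]

@dataclass
class Statement:
    effect: str                          # "Allow" or "Deny"
    action: str                          # action the statement covers
    condition: Callable[[Request], bool]

    def applies(self, req: Request) -> bool:
        # Wrong action or unmet condition: the statement contributes nothing,
        # which is how a default deny arises.
        return self.action == req["action"] and self.condition(req)

def evaluate(policies: List[List[Statement]], req: Request) -> str:
    """Return 'explicit deny', 'allow' or 'default deny' for the request."""
    matching = [s for policy in policies for s in policy if s.applies(req)]
    if any(s.effect == "Deny" for s in matching):
        return "explicit deny"           # one matching Deny ends evaluation
    if any(s.effect == "Allow" for s in matching):
        return "allow"
    return "default deny"                # nothing matched either way

SEND = "sqs:SendMessage"                 # constructed sample action
# Policy A1: allow unless the request comes from Antarctica.
A1 = [Statement("Allow", SEND, lambda r: r["origin"] != "Antarctica")]
# Policy A2: explicitly deny if the request comes from Antarctica.
A2 = [Statement("Deny", SEND, lambda r: r["origin"] == "Antarctica")]
# Hypothetical second policy (not on the page): allow from any origin.
B = [Statement("Allow", SEND, lambda r: True)]
# A policy for a different service, as in the SimpleDB example.
SDB = [Statement("Allow", "sdb:Select", lambda r: True)]

us = {"action": SEND, "origin": "US"}
antarctica = {"action": SEND, "origin": "Antarctica"}

if __name__ == "__main__":
    for name, policies in [("A1", [A1]), ("A2", [A2]), ("A1+B", [A1, B]),
                           ("A2+B", [A2, B]), ("SDB", [SDB])]:
        print(name, "| US:", evaluate(policies, us),
              "| Antarctica:", evaluate(policies, antarctica))
```

With A1 the Antarctica request is only a default deny, so attaching B turns it into an allow, while with A2 the explicit deny holds no matter what else allows it. A2 on its own contains no allow, so a U.S. request evaluated against A2 alone also ends in a default deny.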
API Version 2009-02-01