Amazon Simple Queue Service Developer Guide
Amazon SQS ARNs
Example 2
In this example, we build on example 1 (where Bob has two policies that apply to him). Let's say that Bob
abuses his access to queue_xyz, so you want to remove his entire access to that queue. The easiest
thing to do is add a policy that denies him access to all actions on the queue. This third policy overrides
the other two, because an explicit deny always overrides an allow (for more information about policy
evaluation logic, see Evaluation Logic (p. 39)). The following diagram illustrates the concept.
Alternatively, you could add an additional statement to the SQS policy that denies Bob any type of access
to the queue. It would have the same effect as adding an AWS IAM policy that denies him access to the
queue.
For examples of policies that cover Amazon SQS actions and resources, see Example AWS IAM Policies
for Amazon SQS (p. 68). For more information about writing SQS policies, go to the Amazon Simple
Queue Service Developer Guide.
Amazon SQS ARNs
For Amazon SQS, queues are the only resource type you can specify in a policy. Following is the Amazon
Resource Name (ARN) format for queues:
arn:aws:sqs:region:account_ID:queue_name
For more information about ARNs, go to ARNs in Using Identity and Access Management.
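The following Python sketch is an added example, not code from the guide. It models the rule from Example 2 (an explicit deny overrides any allow) and matches statements against a queue ARN in the format shown above. The evaluator is a simplified model rather than the AWS implementation, and the region, account ID and the contents of Bob's two allow policies are constructed assumptions.

```python
import fnmatch

# Constructed values: region, account ID and the contents of Bob's two
# allow policies are assumptions; only Bob and queue_xyz come from the page.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:queue_xyz"

def parse_sqs_arn(arn):
    """Split arn:aws:sqs:region:account_ID:queue_name into its fields."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "sqs"]:
        raise ValueError("not an SQS queue ARN: %r" % arn)
    return {"region": parts[3], "account_id": parts[4], "queue_name": parts[5]}

def evaluate(statements, principal, action, resource):
    """Simplified model: default deny, explicit allow, explicit deny wins."""
    decision = "default-deny"
    for s in statements:
        if (s["principal"] == principal
                and fnmatch.fnmatchcase(action, s["action"])
                and fnmatch.fnmatchcase(resource, s["resource"])):
            if s["effect"] == "Deny":
                return "explicit-deny"  # overrides any allow, in any order
            decision = "allow"
    return decision

# Bob's two assumed allow policies from example 1 ...
allows = [
    {"effect": "Allow", "principal": "bob", "action": "sqs:ReceiveMessage",
     "resource": "arn:aws:sqs:us-east-1:123456789012:*"},
    {"effect": "Allow", "principal": "bob", "action": "sqs:SendMessage",
     "resource": QUEUE_ARN},
]
# ... and the third policy, which denies him every action on queue_xyz.
deny_all = {"effect": "Deny", "principal": "bob", "action": "sqs:*",
            "resource": QUEUE_ARN}

def bob_can(action, statements, resource=QUEUE_ARN):
    """Decision for Bob performing `action` on `resource`."""
    return evaluate(statements, "bob", action, resource)

if __name__ == "__main__":
    print(parse_sqs_arn(QUEUE_ARN))
    for act in ("sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"):
        print(act, bob_can(act, allows), "->", bob_can(act, allows + [deny_all]))
```

Because the deny statement names only the queue_xyz ARN, Bob's wildcard allow still applies to other queues in the account.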
API Version 2009-02-01