
URL: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-sqs-policies.html
Submission: On May 16 via api from US — Scanned from DE


BASIC EXAMPLES OF AMAZON SQS POLICIES


This section shows example policies for common Amazon SQS use cases.

You can use the console to verify the effects of each policy as you attach the
policy to the user. Initially, the user doesn't have permissions and won't be
able to do anything in the console. As you attach policies to the user, you can
verify that the user can perform various actions in the console.

Note

We recommend that you use two browser windows: one to grant permissions and the
other to sign in to the AWS Management Console using the user's credentials to
verify permissions as you grant them to the user.


EXAMPLE 1: GRANT ONE PERMISSION TO ONE AWS ACCOUNT

The following example policy grants AWS account number 111122223333 the
SendMessage permission for the queue named 444455556666/queue1 in the US East
(Ohio) region.

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_SendMessage",
      "Effect": "Allow",
      "Principal": {
         "AWS": [ 
            "111122223333"
         ]
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-2:444455556666:queue1"
   }]  
}


EXAMPLE 2: GRANT TWO PERMISSIONS TO ONE AWS ACCOUNT

The following example policy grants AWS account number 111122223333 both the
SendMessage and ReceiveMessage permissions for the queue named
444455556666/queue1.

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_Send_Receive",
      "Effect": "Allow",
      "Principal": {
         "AWS": [
            "111122223333"
         ]
      },
      "Action": [
         "sqs:SendMessage",
         "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:*:444455556666:queue1"
   }]
}


EXAMPLE 3: GRANT ALL PERMISSIONS TO TWO AWS ACCOUNTS

The following example policy grants two different AWS account numbers
(111122223333 and 444455556666) permission to use all actions to which Amazon
SQS allows shared access for the queue named 123456789012/queue1 in the US East
(Ohio) region.

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_AllActions",
      "Effect": "Allow",
      "Principal": {
         "AWS": [
            "111122223333",
            "444455556666"
         ]
      },
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:us-east-2:123456789012:queue1"
   }]
}


EXAMPLE 4: GRANT CROSS-ACCOUNT PERMISSIONS TO A ROLE AND A USER NAME

The following example policy grants role1 and username1 under AWS account number
111122223333 cross-account permission to use all actions to which Amazon SQS
allows shared access for the queue named 123456789012/queue1 in the US East
(Ohio) region.

Cross-account permissions don't apply to the following actions:

 * AddPermission

 * CreateQueue

 * DeleteQueue

 * ListQueues

 * ListQueueTags

 * RemovePermission

 * SetQueueAttributes

 * TagQueue

 * UntagQueue

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_AllActions",
      "Effect": "Allow",
      "Principal": {
         "AWS": [
            "arn:aws:iam::111122223333:role/role1",
            "arn:aws:iam::111122223333:user/username1"
         ]
      },
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:us-east-2:123456789012:queue1"
   }]
}


EXAMPLE 5: GRANT A PERMISSION TO ALL USERS

The following example policy grants all users (anonymous users) ReceiveMessage
permission for the queue named 111122223333/queue1.

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_AnonymousAccess_ReceiveMessage",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:ReceiveMessage",
      "Resource": "arn:aws:sqs:*:111122223333:queue1"
   }]
}


EXAMPLE 6: GRANT A TIME-LIMITED PERMISSION TO ALL USERS

The following example policy grants all users (anonymous users) ReceiveMessage
permission for the queue named 111122223333/queue1, but only between 12:00 p.m.
(noon) and 3:00 p.m. on January 31, 2009.

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_AnonymousAccess_ReceiveMessage_TimeLimit",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:ReceiveMessage",
      "Resource": "arn:aws:sqs:*:111122223333:queue1",
      "Condition" : {
         "DateGreaterThan" : {
            "aws:CurrentTime":"2009-01-31T12:00Z"
         },
         "DateLessThan" : {
            "aws:CurrentTime":"2009-01-31T15:00Z"
         }
      }
   }]
}


EXAMPLE 7: GRANT ALL PERMISSIONS TO ALL USERS IN A CIDR RANGE

The following example policy grants all users (anonymous users) permission to
use all possible Amazon SQS actions that can be shared for the queue named
111122223333/queue1, but only if the request comes from the 192.0.2.0/24 CIDR
range.

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_AnonymousAccess_AllActions_AllowlistIP",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:*:111122223333:queue1",
      "Condition" : {
         "IpAddress" : {
            "aws:SourceIp":"192.0.2.0/24"
         }
      }
   }]
}
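
Examples 5 through 7 all set "Principal": "*", and differ only in whether a Condition narrows the grant. The following audit sketch is an added example, not part of the AWS documentation: it lists every anonymous Allow statement in a queue policy together with the condition keys that bound it. The function names and the condensed SAMPLES dictionary are assumptions made for illustration.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} both mean any caller, signed or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_public_grants(policy):
    """Return (sid, actions, condition_keys) for each anonymous Allow statement."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        keys = sorted({k for block in stmt.get("Condition", {}).values() for k in block})
        findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt["Action"]), keys))
    return findings

def unconditional(findings):
    """Sids of anonymous grants that carry no Condition at all."""
    return [sid for sid, _, keys in findings if not keys]

# Condensed copies of Examples 1, 5 and 7 from this page, used as sample input.
SAMPLES = {
    "example1": {"Statement": [{"Sid": "Queue1_SendMessage", "Effect": "Allow",
        "Principal": {"AWS": ["111122223333"]}, "Action": "sqs:SendMessage"}]},
    "example5": {"Statement": [{"Sid": "Queue1_AnonymousAccess_ReceiveMessage",
        "Effect": "Allow", "Principal": "*", "Action": "sqs:ReceiveMessage"}]},
    "example7": {"Statement": [{"Sid": "Queue1_AnonymousAccess_AllActions_AllowlistIP",
        "Effect": "Allow", "Principal": "*", "Action": "sqs:*",
        "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}]},
}

if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        found = audit_public_grants(policy)
        print(name, found, "unconditional:", unconditional(found))
```
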


EXAMPLE 8: ALLOWLIST AND BLOCKLIST PERMISSIONS FOR USERS IN DIFFERENT CIDR
RANGES

The following example policy has two statements:

 * The first statement grants all users (anonymous users) in the 192.0.2.0/24
   CIDR range (except for 192.0.2.188) permission to use the SendMessage action
   for the queue named 111122223333/queue1.

 * The second statement blocks all users (anonymous users) in the 12.148.72.0/23
   CIDR range from using the queue.

{
   "Version": "2012-10-17",
   "Id": "Queue1_Policy_UUID",
   "Statement": [{
      "Sid":"Queue1_AnonymousAccess_SendMessage_IPLimit",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:*:111122223333:queue1",
      "Condition" : {
         "IpAddress" : {
            "aws:SourceIp":"192.0.2.0/24"
         },
         "NotIpAddress" : {
            "aws:SourceIp":"192.0.2.188/32"
         }
      }
   }, {
      "Sid":"Queue1_AnonymousAccess_AllActions_IPLimit_Deny",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:*:111122223333:queue1",
      "Condition" : {
         "IpAddress" : {
            "aws:SourceIp":"12.148.72.0/23"
         }
      }
   }]
}
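
To check how the two statements in Example 8 combine for a given source address, the sketch below evaluates them offline. It is an added example, not AWS code: it models only the IpAddress and NotIpAddress operators, ignores Principal (both statements use "*"), and assumes the request targets queue1. The function names and the condensed STATEMENTS list are assumptions.

```python
import ipaddress

QUEUE = "arn:aws:sqs:*:111122223333:queue1"
# Example 8's two statements, condensed from the policy on this page.
STATEMENTS = [
    {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": QUEUE,
     "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"},
                   "NotIpAddress": {"aws:SourceIp": "192.0.2.188/32"}}},
    {"Effect": "Deny", "Action": "sqs:*", "Resource": QUEUE,
     "Condition": {"IpAddress": {"aws:SourceIp": "12.148.72.0/23"}}},
]

def _in_any(ip, cidrs):
    """True if ip falls inside any CIDR; accepts one string or a list."""
    cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

def _conditions_hold(cond, ip):
    """Every operator in a Condition block must match (logical AND)."""
    for op, kv in cond.items():
        if op not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator {op} is not modelled in this sketch")
        hit = _in_any(ip, kv["aws:SourceIp"])
        if hit != (op == "IpAddress"):
            return False
    return True

def _action_matches(pattern, action):
    return pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))

def evaluate(action, source_ip, statements=STATEMENTS):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for an anonymous request."""
    allowed = False
    for stmt in statements:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.188", "12.148.73.5", "203.0.113.7"):
        print(ip, evaluate("sqs:SendMessage", ip))
```

The excluded host 192.0.2.188 and any address outside both ranges end up with an implicit (default) denial, while addresses in 12.148.72.0/23 hit the explicit Deny.
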

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.