本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# Amazon SQS 策略的基本示例
本部分显示了常见 Amazon SQS 使用案例的示例策略。
在将每个策略附加到用户时,可使用控制台验证该策略的效果。最初,用户没有权限并且无法在控制台中执行任何操作。在将策略附加到用户时,可以验证用户是否能在控制台中执行各种操作。
**注意**
我们建议您使用两个浏览器窗口:一个用于授予权限,另一个用于在向用户授予权限时 AWS 管理控制台 使用用户的证书登录以验证权限。
## 示例 1:向一个人授予一个权限 AWS 账户
以下示例策略向 AWS 账户 编号`111122223333`授予在美国东部(俄亥俄州)`444455556666/queue1`地区命名的队列的`SendMessage`权限。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "Queue1_Policy_UUID",
"Statement": [{
"Sid":"Queue1_SendMessage",
"Effect": "Allow",
"Principal": {
"AWS": [
"111122223333"
]
},
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:us-east-2:444455556666:queue1"
}]
}
```
------
## 示例 2:向其中一个授予两个权限 AWS 账户
以下示例策略为名为的队列授予 AWS 账户 编号`111122223333``SendMessage`和`ReceiveMessage`权限`444455556666/queue1`。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "Queue1_Policy_UUID",
"Statement": [{
"Sid":"Queue1_Send_Receive",
"Effect": "Allow",
"Principal": {
"AWS": [
"111122223333"
]
},
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:*:444455556666:queue1"
}]
}
```
------
## 示例 3:将所有权限授予两个 AWS 账户
以下示例策略授予两个不同的 AWS 账户 数字(`111122223333`和`444455556666`)权限,允许他们使用 Amazon SQS 允许共享访问美国东部(俄亥俄州)区域`123456789012/queue1`中命名的队列的所有操作。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "Queue1_Policy_UUID",
"Statement": [{
"Sid":"Queue1_AllActions",
"Effect": "Allow",
"Principal": {
"AWS": [
"111122223333",
"444455556666"
]
},
"Action": "sqs:*",
"Resource": "arn:aws:sqs:us-east-2:123456789012:queue1"
}]
}
```
------
## 示例 4:向角色和用户名授予跨账户权限
以下示例策略授予 `role1` Amazon SQS 允许共享访问位于美国东部(俄亥俄州)地区的队`123456789012/queue1`列的所有操作的`111122223333`跨账户权限。`username1` AWS 账户
跨账户权限不能应用于以下操作:
+ `[AddPermission](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html)`
+ `[CancelMessageMoveTask](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CancelMessageMoveTask.html)`
+ `[CreateQueue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CreateQueue.html)`
+ `[DeleteQueue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_DeleteQueue.html)`
+ `[ListMessageMoveTask](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ListMessageMoveTasks.html)`
+ `[ListQueues](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ListQueues.html)`
+ `[ListQueueTags](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ListQueueTags.html)`
+ `[RemovePermission](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_RemovePermission.html)`
+ `[SetQueueAttributes](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html)`
+ `[StartMessageMoveTask](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_StartMessageMoveTask.html)`
+ `[TagQueue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_TagQueue.html)`
+ `[UntagQueue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_UntagQueue.html)`
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "Queue1_Policy_UUID",
"Statement": [{
"Sid":"Queue1_AllActions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:role/role1",
"arn:aws:iam::111122223333:user/username1"
]
},
"Action": "sqs:*",
"Resource": "arn:aws:sqs:us-east-2:123456789012:queue1"
}]
}
```
------
## 示例 5:向所有用户授予一项权限
以下示例策略向所有用户(匿名用户)授予对名为 `111122223333/queue1` 的队列的 `ReceiveMessage` 权限。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "Queue1_Policy_UUID",
"Statement": [{
"Sid":"Queue1_AnonymousAccess_ReceiveMessage",
"Effect": "Allow",
"Principal": "*",
"Action": "sqs:ReceiveMessage",
"Resource": "arn:aws:sqs:*:111122223333:queue1"
}]
}
```
------
## 示例 6:向所有用户授予有时间限制的权限
以下示例策略向所有用户(匿名用户)授予对名为 `111122223333/queue1` 的队列的 `ReceiveMessage` 权限,但有效时间仅限于 2009 年 1 月 31 日中午 12:00 至下午 3:00 期间。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "Queue1_Policy_UUID",
"Statement": [{
"Sid":"Queue1_AnonymousAccess_ReceiveMessage_TimeLimit",
"Effect": "Allow",
"Principal": "*",
"Action": "sqs:ReceiveMessage",
"Resource": "arn:aws:sqs:*:111122223333:queue1",
"Condition" : {
"DateGreaterThan" : {
"aws:CurrentTime":"2009-01-31T12:00Z"
},
"DateLessThan" : {
"aws:CurrentTime":"2009-01-31T15:00Z"
}
}
}]
}
```
------
## 示例 7:向 CIDR 范围内的所有用户授予所有权限
以下示例策略向所有用户(匿名用户)授予对名为 `111122223333/queue1` 的队列使用可以共享的所有可能的 Amazon SQS 操作的权限,但条件是请求必须来自于 `192.0.2.0/24` CIDR 范围。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "Queue1_Policy_UUID",
"Statement": [{
"Sid":"Queue1_AnonymousAccess_AllActions_AllowlistIP",
"Effect": "Allow",
"Principal": "*",
"Action": "sqs:*",
"Resource": "arn:aws:sqs:*:111122223333:queue1",
"Condition" : {
"IpAddress" : {
"aws:SourceIp":"192.0.2.0/24"
}
}
}]
}
```
------
## 示例 8:不同 CIDR 范围内用户的允许列表和阻止列表权限
以下策略示例具有两项陈述:
+ 第一个语句向 `192.0.2.0/24` CIDR 范围(`192.0.2.188` 除外)内的所有用户(匿名用户)授予对名为 `111122223333`/queue1 的队列使用 `SendMessage` 操作的权限。
+ 第二个语句阻止 `12.148.72.0/23` CIDR 范围内的所有用户(匿名用户)使用该队列。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "Queue1_Policy_UUID",
"Statement": [{
"Sid":"Queue1_AnonymousAccess_SendMessage_IPLimit",
"Effect": "Allow",
"Principal": "*",
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:*:111122223333:queue1",
"Condition" : {
"IpAddress" : {
"aws:SourceIp":"192.0.2.0/24"
},
"NotIpAddress" : {
"aws:SourceIp":"192.0.2.188/32"
}
}
}, {
"Sid":"Queue1_AnonymousAccess_AllActions_IPLimit_Deny",
"Effect": "Deny",
"Principal": "*",
"Action": "sqs:*",
"Resource": "arn:aws:sqs:*:111122223333:queue1",
"Condition" : {
"IpAddress" : {
"aws:SourceIp":"12.148.72.0/23"
}
}
}]
}
```
------