本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 自訂 Amazon SQS 存取政策語言範例
以下是典型 Amazon SQS 存取政策的範例。
## 範例 1:提供許可給一個帳戶
以下範例 Amazon SQS 政策提供允許對 AWS 帳戶 444455556666 擁有的 `queue2` 傳送及接收的 AWS 帳戶 111122223333 許可權。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "UseCase1",
"Statement" : [{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": [
"111122223333"
]
},
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:us-east-2:444455556666:queue2"
}]
}
```
------
## 範例 2:提供許可給一或多個帳戶
下列範例 Amazon SQS 政策提供一或多個 AWS 帳戶 在特定期間內存取您帳戶擁有的佇列。有需要使用 [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html) 動作來撰寫此政策並上傳到 Amazon SQS,因為 [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html) 動作在授與佇列存取權時不允許指定時間限制。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "UseCase2",
"Statement" : [{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": [
"111122223333",
"444455556666"
]
},
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
"Condition": {
"DateLessThan": {
"AWS:CurrentTime": "2009-06-30T12:00Z"
}
}
}]
}
```
------
## 範例 3:提供許可給來自 Amazon EC2 執行個體的請求
以下範例 Amazon SQS 政策提供許可給來自 Amazon SQS 執行個體的請求。此範例是根據「[範例 2:提供許可給一或多個帳戶](#two-accounts)」範例:限制對 2009 年 6 月 30 日中午 12 點 (UTC) 之前的存取權,它限制對 IP 範圍 `203.0.113.0/24` 的存取權。有需要使用 [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html) 動作來撰寫此政策並上傳到 Amazon SQS,因為 [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html) 動作在授與佇列存取權時不允許指定 IP 地址限制。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "UseCase3",
"Statement" : [{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": [
"111122223333"
]
},
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
"Condition": {
"DateLessThan": {
"AWS:CurrentTime": "2009-06-30T12:00Z"
},
"IpAddress": {
"AWS:SourceIp": "203.0.113.0/24"
}
}
}]
}
```
------
## 範例 4:拒絕特定帳戶的存取權
下列範例 Amazon SQS 政策會拒絕對佇列的特定 AWS 帳戶 存取。此範例以「[範例 1:提供許可給一個帳戶](#one-account)」範例為基礎:拒絕存取指定的 AWS 帳戶。有需要使用 [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html) 動作來撰寫此政策並上傳到 Amazon SQS,因為 [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html) 動作在授與佇列存取權時不允許拒絕佇列的存取權 (僅允許授與佇列的存取權)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "UseCase4",
"Statement" : [{
"Sid": "1",
"Effect": "Deny",
"Principal": {
"AWS": [
"111122223333"
]
},
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:us-east-2:444455556666:queue2"
}]
}
```
------
## 範例 5:如果不是來自 VPC 端點,則拒絕存取
下列範例 Amazon SQS 政策會限制對 `queue1` 的存取:111122223333 只能從 VPC 端點 ID `vpce-1a2b3c4d` (使用 `aws:sourceVpce` 條件指定) 執行 [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html) 和 [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ReceiveMessage.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ReceiveMessage.html) 動作。如需詳細資訊,請參閱 [適用於 Amazon SQS 的 Amazon Virtual Private Cloud 端點](sqs-internetwork-traffic-privacy.md#sqs-vpc-endpoints)。
**注意**
`aws:sourceVpce` 條件不需要 VPC 端點資源的 ARN,其只需要 VPC 端點 ID。
您可以透過在第二個陳述式中拒絕所有 Amazon SQS 動作 (`sqs:*`),來修改下列範例以限制對特定 VPC 端點的所有動作。然而,這類政策陳述式規定必須透過此政策中定義的特定 VPC 端點來做出所有動作 (包含修改佇列許可所需的管理動作),可能可避免使用者在未來修改佇列許可。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "UseCase5",
"Statement": [{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": [
"111122223333"
]
},
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:us-east-2:{{111122223333}}:queue1"
},
{
"Sid": "2",
"Effect": "Deny",
"Principal": "*",
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:us-east-2:{{111122223333}}:queue1",
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": "vpce-1a2b3c4d"
}
}
}
]
}
```
------