Queue Access Control
SQS provides an access control mechanism that allows you to specify who can access your queues and what actions they can perform. Access control settings are specified as a set of rules, and each rule associates a specific permission with a grantee who receives that permission. For any action to be permitted in SQS, the user performing the action must have been granted the permission to perform that action with an explicit rule.
Warning
Access control settings can be applied only at the queue level and not to individual messages, so if you make a queue accessible to others, make sure you do not send any private messages to that queue.
Grantees
There is only one kind of grantee who can be assigned access permissions with queue access controls: individual SQS users. SQS users are identified by their AWS canonical identifier, a long, hex-encoded value that uniquely identifies an individual AWS user account. Because this user ID value is difficult for humans to work with, SQS also lets you identify a user by their Amazon email address when adding a new rule.
Permissions
SQS access control rules apply one of three permission settings:
- ReceiveMessage
The grantee is allowed to receive, peek at, and delete messages in the queue.
- SendMessage
The grantee is allowed to send messages to the queue.
- FullControl
The grantee is allowed to perform any action on the queue or on messages in the queue. In addition to being able to send, receive, and delete messages, a user with full permissions ...
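The rule model above (explicit grant required, otherwise deny; each permission setting covering a fixed set of actions) can be modelled in a few lines. The following is an added illustration written for this page, not code from the book or the SQS API; the email addresses are constructed placeholders, and the "configure" action standing in for queue-level operations under FullControl is an assumption.

```python
"""Model of the SQS queue access-control rules described above.

Constructed illustration, not the SQS API: it captures only the evaluation
logic the text implies (an action is permitted only by an explicit rule).
"""
from enum import Enum


class Permission(Enum):
    RECEIVE_MESSAGE = "ReceiveMessage"
    SEND_MESSAGE = "SendMessage"
    FULL_CONTROL = "FullControl"


# Actions each permission setting allows, as listed on the page.
# "configure" stands in for queue-level actions under FullControl (assumption).
ACTIONS_FOR = {
    Permission.RECEIVE_MESSAGE: {"receive", "peek", "delete"},
    Permission.SEND_MESSAGE: {"send"},
    Permission.FULL_CONTROL: {"receive", "peek", "delete", "send", "configure"},
}


def allowed_actions(rules, grantee):
    """Union of actions granted to one grantee across all of its rules."""
    actions = set()
    for rule_grantee, permission in rules:
        if rule_grantee == grantee:
            actions |= ACTIONS_FOR[permission]
    return actions


def is_permitted(rules, grantee, action):
    """Default deny: without a matching explicit rule the answer is False."""
    return action in allowed_actions(rules, grantee)


def over_privileged(rules, needed):
    """Least-privilege check: grantees whose grants exceed the actions they use.

    `needed` maps grantee -> set of actions that grantee actually performs.
    """
    report = {}
    for grantee in {g for g, _ in rules}:
        extra = allowed_actions(rules, grantee) - needed.get(grantee, set())
        if extra:
            report[grantee] = extra
    return report


# Constructed sample rules (placeholder addresses, not real accounts).
SAMPLE_RULES = [
    ("producer@example.com", Permission.SEND_MESSAGE),
    ("consumer@example.com", Permission.RECEIVE_MESSAGE),
    ("admin@example.com", Permission.FULL_CONTROL),
]
```

Because ReceiveMessage also carries delete rights, a consumer that only ever receives still holds more than it needs, which is the kind of gap `over_privileged` surfaces.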