How to grant access to an SQS to a specific IAM user

amazon-web-services

I need to create a really simple IAM policy and grant it to a specific queue. I need to grant access (it should be full access) to the queue only to a specific IAM user.

Because at the moment, by default, all IAM users with the policy AmazonSQSFullAccess/AdministratorAccess can send/read messages to/from the queue.

I have tried the following policies, but without success:

Policy 1

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:930XXXXXX332:task-queue/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid1487598389851",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:930XXXXXX332:task-queue",
      "Condition": {
        "ArnNotEquals": {
          "aws:SourceArn": "arn:aws:iam::930XXXXXX332:user/test-sqs"
        }
      }
    },
    {
      "Sid": "Sid1487599825058",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::930XXXXXX332:user/test-sqs"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:930XXXXXX332:task-queue"
    }
  ]
}

Policy 2 (the same as above but I have tried another condition)

"Condition": {
  "NotPrincipal": {
    "AWS": "arn:aws:iam::930XXXXXX332:user/test-sqs"
  }
}

In other words – I need to get something like the following

Allow: user1, user2
Deny: *

Is it possible at all?

At the moment I have to explicitly specify each user within the Deny effect, and this is extremely inconvenient.

Best Answer

Finally I have found a workaround. With the policy below it works as expected:

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:930XXXXXX332:test-queue",
  "Statement": [
    {
      "Sid": "Sid1472529596416",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::930XXXXXX332:user/test-sqs",
          "arn:aws:iam::930XXXXXX332:root"
        ]
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:930XXXXXX332:test-queue"
    }
  ]
}

The crucial part is: you have to explicitly specify the root account. Without it, it wouldn't work at all. As for me, it's some AWS magic :) But maybe someone could shed some light on the situation.

Update 01.03.2017: It seems I have found the description of such behavior - http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#NotPrincipal

In the following example, all principals except the user named Bob in AWS account 444455556666 are explicitly denied access to a resource. Note that to achieve the intended effect, the NotPrincipal element contains the ARN of both the user Bob and the AWS account that Bob belongs to (arn:aws:iam::444455556666:root). If the NotPrincipal element contained only Bob's ARN, the effect of the policy would be to explicitly deny access to the AWS account that contains the user Bob.

A user cannot have more permissions than its parent account, so if Bob's account is explicitly denied access then Bob is also unable to access the resource.

"Effect": "Deny",
"NotPrincipal": {
  "AWS": [
    "arn:aws:iam::444455556666:user/Bob",
    "arn:aws:iam::444455556666:root"
  ]
}

Combining Deny and NotPrincipal is the only time that the order in which AWS evaluates principals makes a difference.
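The following is an added example, not part of the answer above or of any AWS tooling. It builds the Deny + NotPrincipal queue policy from a list of allowed user ARNs, automatically adds the owning account's root ARN (the part the answer says is crucial), and lints an existing policy for a NotPrincipal list that forgets the root. The account ID, region and queue name are constructed placeholders, and is_denied() is a deliberately simplified model of only this one resource-policy statement (it ignores identity-based policies and the rest of the AWS evaluation logic), written to show why a missing root ARN locks out the very user you meant to allow.

```python
import json
import re

# Constructed sample values; not a real account, region choice is arbitrary.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
QUEUE_NAME = "task-queue"

IAM_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/.+$")


def account_root_arn(principal_arn):
    """Return the arn:aws:iam::<account>:root ARN of the account owning an IAM user/role ARN."""
    m = IAM_PRINCIPAL_RE.match(principal_arn)
    if not m:
        raise ValueError(f"not an IAM user/role ARN: {principal_arn}")
    return f"arn:aws:iam::{m.group(1)}:root"


def build_queue_policy(account_id, region, queue_name, allowed_principal_arns):
    """Build a queue policy that denies SQS:* to everyone except the listed principals.
    The root ARN of each principal's account is appended, as the AWS NotPrincipal
    documentation quoted in the answer requires."""
    queue_arn = f"arn:aws:sqs:{region}:{account_id}:{queue_name}"
    not_principals = list(allowed_principal_arns)
    for arn in allowed_principal_arns:
        root = account_root_arn(arn)
        if root not in not_principals:
            not_principals.append(root)
    return {
        "Version": "2012-10-17",
        "Id": queue_arn,
        "Statement": [{
            "Sid": "DenyAllExceptAllowedPrincipals",
            "Effect": "Deny",
            "NotPrincipal": {"AWS": not_principals},
            "Action": "SQS:*",
            "Resource": queue_arn,
        }],
    }


def _not_principal_list(stmt):
    """Normalise the NotPrincipal.AWS element, which may be a string or a list."""
    listed = stmt["NotPrincipal"].get("AWS", [])
    return [listed] if isinstance(listed, str) else list(listed)


def missing_roots(policy):
    """Lint: for every Deny + NotPrincipal statement, return account root ARNs that
    should be listed but are not. A non-empty result means the statement explicitly
    denies the whole account, so the intended users are denied as well."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny" or "NotPrincipal" not in stmt:
            continue
        listed = _not_principal_list(stmt)
        for arn in listed:
            if IAM_PRINCIPAL_RE.match(arn):
                root = account_root_arn(arn)
                if root not in listed and root not in problems:
                    problems.append(root)
    return problems


def is_denied(policy, principal_arn):
    """Simplified model of the explicit deny for one IAM user/role against this
    resource policy only: the Deny applies unless BOTH the principal and its account
    root appear in NotPrincipal, because a deny on the account propagates to its users."""
    root = account_root_arn(principal_arn)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny" or "NotPrincipal" not in stmt:
            continue
        listed = _not_principal_list(stmt)
        if principal_arn not in listed or root not in listed:
            return True
    return False


if __name__ == "__main__":
    allowed = [f"arn:aws:iam::{ACCOUNT_ID}:user/test-sqs"]
    policy = build_queue_policy(ACCOUNT_ID, REGION, QUEUE_NAME, allowed)
    print(json.dumps(policy, indent=2))
    print("lint problems:", missing_roots(policy))
    print("test-sqs denied?", is_denied(policy, allowed[0]))
```

The generated JSON can be pasted into the queue's access policy (or passed as the Policy attribute when setting queue attributes). Running missing_roots() over an existing queue policy before applying it catches the exact mistake the answer describes: a NotPrincipal list that names the user but not the account root.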
