I need to create a really simple IAM policy and grant it to a specific queue. I need to grant access (it should be a full access) to the queue only to specific IAM user.
Because at the moment, by default, all IAM users with the AmazonSQSFullAccess/AdministratorAccess policy can send/read messages to/from the queue.
I have tried the following policies, but without success.
Policy 1
```json
{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:930XXXXXX332:task-queue/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid1487598389851",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:930XXXXXX332:task-queue",
      "Condition": {
        "ArnNotEquals": {
          "aws:SourceArn": "arn:aws:iam::930XXXXXX332:user/test-sqs"
        }
      }
    },
    {
      "Sid": "Sid1487599825058",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::930XXXXXX332:user/test-sqs"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:930XXXXXX332:task-queue"
    }
  ]
}
```
Policy 2 (the same as above, but I have tried another condition)
```json
"Condition": {
  "NotPrincipal": {
    "AWS": "arn:aws:iam::930XXXXXX332:user/test-sqs"
  }
}
```
In other words – I need to get something like the following
Allow: user1, user2
Deny: *
Is it possible at all?
At the moment I have to explicitly specify each user within the Deny effect, and this is extremely inconvenient.
Best Answer
Finally I have found a workaround. With the policy below it works as expected.
The crucial part is that you have to explicitly specify the root account. Without it, it wouldn't work at all. To me it's some AWS magic :) But maybe someone could shed some light on the situation.
Update 01.03.2017: It seems I have found the description of this behavior: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#NotPrincipal
In the following example, all principals except the user named Bob in AWS account 444455556666 are explicitly denied access to a resource. Note that to achieve the intended effect, the NotPrincipal element contains the ARN of both the user Bob and the AWS account that Bob belongs to (arn:aws:iam::444455556666:root). If the NotPrincipal element contained only Bob's ARN, the effect of the policy would be to explicitly deny access to the AWS account that contains the user Bob.
A user cannot have more permissions than its parent account, so if Bob's account is explicitly denied access then Bob is also unable to access the resource.
Combining Deny and NotPrincipal is the only time that the order in which AWS evaluates principals makes a difference.
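As an added illustration (not the answer's own policy, which is not reproduced on this page), the script below builds a queue policy of the shape the documentation describes, a Deny with NotPrincipal listing both the user and the account root plus an Allow for the user, and includes a small check that flags Deny/NotPrincipal statements where the root ARN was left out. The account id 111122223333 is a constructed placeholder; the queue name task-queue and user test-sqs are taken from the question.

```python
import json

# Constructed example values: placeholder account id, queue and user
# names from the question above. Replace with your own.
ACCOUNT = "111122223333"
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT}:task-queue"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/test-sqs"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"


def lockdown_policy(queue_arn, user_arns, root_arn):
    """Queue policy: deny everyone except the listed users (and the root
    of the account they belong to), then allow the listed users."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyEveryoneElse",
                "Effect": "Deny",
                "NotPrincipal": {"AWS": [root_arn, *user_arns]},
                "Action": "SQS:*",
                "Resource": queue_arn,
            },
            {
                "Sid": "AllowListedUsers",
                "Effect": "Allow",
                "Principal": {"AWS": list(user_arns)},
                "Action": "SQS:*",
                "Resource": queue_arn,
            },
        ],
    }


def deny_notprincipal_missing_root(policy):
    """Return the Sids of Deny/NotPrincipal statements that list an IAM user
    without the root ARN of that user's account. Such a Deny also denies the
    whole account, and therefore the user, which is the trap in the question."""
    bad = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny" or "NotPrincipal" not in st:
            continue
        arns = st["NotPrincipal"].get("AWS", [])
        arns = [arns] if isinstance(arns, str) else list(arns)
        for arn in arns:
            if ":user/" in arn:
                account = arn.split(":")[4]  # arn:aws:iam::<account>:user/...
                if f"arn:aws:iam::{account}:root" not in arns:
                    bad.append(st.get("Sid", "<no Sid>"))
                    break
    return bad


GOOD = lockdown_policy(QUEUE_ARN, [USER_ARN], ROOT_ARN)
# The same policy with the root ARN left out, like the question's attempt.
BAD = json.loads(json.dumps(GOOD))
BAD["Statement"][0]["NotPrincipal"]["AWS"] = [USER_ARN]
```

Running `print(json.dumps(GOOD, indent=2))` gives a document you can attach to the queue with `aws sqs set-queue-attributes`; `deny_notprincipal_missing_root(BAD)` reports the Deny statement that would lock the user out.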