AWS AWSSimpleQueueService documentation change
Summary
Expanded custom policy documentation with access control topics and workflow details
Security assessment
Adds documentation about security features (custom IAM policies with conditions) but doesn't reference specific vulnerabilities. Focuses on security best practices for access control.
Diff
diff --git a/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.md index 7ffa4a65c..7b6ba81c0 100644 --- a/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.md +++ b/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.md @@ -7 +7,21 @@ -If you want to allow Amazon SQS access based only on an AWS account ID and basic permissions (such as for [`SendMessage`](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html) or [`ReceiveMessage`](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ReceiveMessage.html)), you don't need to write your own policies. You can just use the Amazon SQS [`AddPermission`](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html) action. +To grant basic permissions (such as [`SendMessage`](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html) or [`ReceiveMessage`](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_ReceiveMessage.html)) based only on an AWS account ID, you don’t need to write a custom policy. Instead, use the Amazon SQS [`AddPermission`](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html) action. + +To allow or deny access based on specific conditions, such as request time or the requester's IP address, you must create a custom Amazon SQS policy and upload it using the [SetQueueAttributes](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html) action. + +###### Topics + + * [Access control architecture](./sqs-creating-custom-policies-architecture.html) + + * [Access control process workflow](./sqs-creating-custom-policies-process-workflow.html) + + * [Access Policy Language key concepts](./sqs-creating-custom-policies-key-concepts.html) + + * [Access Policy Language evaluation logic](./sqs-creating-custom-policies-evaluation-logic.html) + + * [Relationships between explicit and default denials](./sqs-creating-custom-policies-relationships-between-explicit-default-denials.html) + + * [Custom policy limitations](./sqs-limitations-of-custom-policies.html) + + * [Custom Access Policy Language examples](./sqs-creating-custom-policies-access-policy-examples.html) + + @@ -9 +28,0 @@ If you want to allow Amazon SQS access based only on an AWS account ID and basic -If you want to explicitly deny or allow access based on more specific conditions (such as the time the request comes in or the IP address of the requester), you need to write your own Amazon SQS policies and upload them to the AWS system using the Amazon SQS `SetQueueAttributes` action.