

This is a machine-translated version of the document. Where this translation differs from the English original, the English original prevails.

# Custom Amazon SQS access policy language examples
<a name="sqs-creating-custom-policies-access-policy-examples"></a>

The following examples are typical Amazon SQS access policies.

## Example 1: Give permission to one account
<a name="one-account"></a>

The following example Amazon SQS policy gives Amazon Web Services account 111122223333 permission to send to and receive from `queue2`, which is owned by Amazon Web Services account 444455556666.

------
#### [ JSON ]

```
{
   "Version": "2012-10-17",
   "Id": "UseCase1",
   "Statement": [{
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
         "AWS": [
            "111122223333"
         ]
      },
      "Action": [
         "sqs:SendMessage",
         "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2"
   }]
}
```

------

## Example 2: Give permission to one or more accounts
<a name="two-accounts"></a>

The following example Amazon SQS policy gives one or more Amazon Web Services accounts access to a queue owned by your account for a specific time period. You must write this policy and upload it to Amazon SQS with the [SetQueueAttributes](https://docs.amazonaws.cn/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html) action, because the [AddPermission](https://docs.amazonaws.cn/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html) action doesn't let you specify a time restriction when granting access to a queue.

------
#### [ JSON ]

```
{
   "Version": "2012-10-17",
   "Id": "UseCase2",
   "Statement": [{
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
         "AWS": [
            "111122223333",
            "444455556666"
         ]
      },
      "Action": [
         "sqs:SendMessage",
         "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
      "Condition": {
         "DateLessThan": {
            "AWS:CurrentTime": "2009-06-30T12:00Z"
         }
      }
   }]
}
```

------

## Example 3: Give permission to requests from Amazon EC2 instances
<a name="requests-from-ec2"></a>

The following example Amazon SQS policy gives access to requests that come from Amazon EC2 instances. This example builds on the "[Example 2: Give permission to one or more accounts](#two-accounts)" example: it restricts access to before 12:00 p.m. (noon) UTC on June 30, 2009, and it restricts access to the IP range `203.0.113.0/24`. You must write this policy and upload it to Amazon SQS with the [SetQueueAttributes](https://docs.amazonaws.cn/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html) action, because the [AddPermission](https://docs.amazonaws.cn/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html) action doesn't let you specify an IP address restriction when granting access to a queue.

------
#### [ JSON ]

```
{
   "Version": "2012-10-17",
   "Id": "UseCase3",
   "Statement": [{
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
         "AWS": [
            "111122223333"
         ]
      },
      "Action": [
         "sqs:SendMessage",
         "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
      "Condition": {
         "DateLessThan": {
            "AWS:CurrentTime": "2009-06-30T12:00Z"
         },
         "IpAddress": {
            "AWS:SourceIp": "203.0.113.0/24"
         }
      }
   }]
}
```

------

## Example 4: Deny access to a specific account
<a name="deny-account"></a>

The following example Amazon SQS policy denies a specific Amazon Web Services account access to your queue. This example builds on the "[Example 1: Give permission to one account](#one-account)" example: it denies access to the specified Amazon Web Services account. You must write this policy and upload it to Amazon SQS with the [SetQueueAttributes](https://docs.amazonaws.cn/AWSSimpleQueueService/latest/APIReference/API_SetQueueAttributes.html) action, because the [AddPermission](https://docs.amazonaws.cn/AWSSimpleQueueService/latest/APIReference/API_AddPermission.html) action doesn't let you deny access to a queue (it only lets you grant access).

------
#### [ JSON ]

```
{
   "Version": "2012-10-17",
   "Id": "UseCase4",
   "Statement": [{
      "Sid": "1",
      "Effect": "Deny",
      "Principal": {
         "AWS": [
            "111122223333"
         ]
      },
      "Action": [
         "sqs:SendMessage",
         "sqs:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2"
   }]
}
```

------

## Example 5: Deny access if it isn't from a VPC endpoint
<a name="deny-not-from-vpc"></a>

The following example Amazon SQS policy restricts access to `queue1`: account 111122223333 can perform the [SendMessage](https://docs.amazonaws.cn/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html) and [ReceiveMessage](https://docs.amazonaws.cn/AWSSimpleQueueService/latest/APIReference/API_ReceiveMessage.html) actions only through the VPC endpoint with ID `vpce-1a2b3c4d` (specified using the `aws:sourceVpce` condition). For more information, see [Amazon Virtual Private Cloud endpoints for Amazon SQS](sqs-internetwork-traffic-privacy.md#sqs-vpc-endpoints).

**Note**  
The `aws:sourceVpce` condition doesn't require the ARN of the VPC endpoint resource, only the VPC endpoint ID.
You can modify the following example to restrict all actions to a specific VPC endpoint by denying all Amazon SQS actions (`sqs:*`) in the second statement. However, such a policy statement would require all actions, including the administrative actions needed to modify queue permissions, to go through the specific VPC endpoint defined in the policy, which could prevent users from modifying queue permissions in the future.

------
#### [ JSON ]

```
{
   "Version": "2012-10-17",
   "Id": "UseCase5",
   "Statement": [
      {
         "Sid": "1",
         "Effect": "Allow",
         "Principal": {
            "AWS": [
               "111122223333"
            ]
         },
         "Action": [
            "sqs:SendMessage",
            "sqs:ReceiveMessage"
         ],
         "Resource": "arn:aws:sqs:us-east-2:111122223333:queue1"
      },
      {
         "Sid": "2",
         "Effect": "Deny",
         "Principal": "*",
         "Action": [
            "sqs:SendMessage",
            "sqs:ReceiveMessage"
         ],
         "Resource": "arn:aws:sqs:us-east-2:111122223333:queue1",
         "Condition": {
            "StringNotEquals": {
               "aws:sourceVpce": "vpce-1a2b3c4d"
            }
         }
      }
   ]
}
```

------
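As an added example (not part of the AWS documentation and not AWS's own policy engine), the following Python model evaluates the policies of Example 3 and Example 5 above against constructed request contexts: the conditions inside one statement are ANDed, and a matching `Deny` overrides any `Allow`, which is why a request that carries no `aws:sourceVpce` key (for instance one arriving over the public internet) is rejected by Example 5. The `evaluate` function and the request-context dictionaries are assumptions of this example; the policies themselves are copied from the page.

```python
import ipaddress
from datetime import datetime

QUEUE1 = "arn:aws:sqs:us-east-2:111122223333:queue1"
QUEUE2 = "arn:aws:sqs:us-east-2:444455556666:queue2"
ACTIONS = ["sqs:SendMessage", "sqs:ReceiveMessage"]

# Example 3 from the page: one account, only before 2009-06-30T12:00Z and only from 203.0.113.0/24.
EXAMPLE_3 = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["111122223333"]}, "Action": ACTIONS, "Resource": QUEUE2,
     "Condition": {"DateLessThan": {"AWS:CurrentTime": "2009-06-30T12:00Z"},
                   "IpAddress": {"AWS:SourceIp": "203.0.113.0/24"}}}]}

# Example 5 from the page: allow the account, then deny everyone who is not using the VPC endpoint.
EXAMPLE_5 = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["111122223333"]}, "Action": ACTIONS, "Resource": QUEUE1},
    {"Effect": "Deny", "Principal": "*", "Action": ACTIONS, "Resource": QUEUE1,
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}}]}

def _utc(stamp):
    """Parse the ISO 8601 timestamps used in policies (for example '2009-06-30T12:00Z')."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def _condition_holds(op, key, want, ctx):
    """Evaluate one condition pair; condition keys are compared case-insensitively, as in IAM."""
    have = ctx.get(key.lower())
    if op == "DateLessThan":
        return have is not None and _utc(have) < _utc(want)
    if op == "IpAddress":
        return have is not None and ipaddress.ip_address(have) in ipaddress.ip_network(want)
    if op == "StringNotEquals":
        return have != want  # an absent key is also "not equal", so the Deny still fires
    raise ValueError(f"operator {op} is not modelled in this example")

def _statement_matches(stmt, principal, action, resource, ctx):
    """A statement applies when principal, action, resource and every condition all match."""
    p = stmt["Principal"]
    principal_ok = p == "*" or principal in p.get("AWS", [])
    conditions_ok = all(_condition_holds(op, k, v, ctx)
                        for op, pairs in stmt.get("Condition", {}).items() for k, v in pairs.items())
    return principal_ok and action in stmt["Action"] and resource == stmt["Resource"] and conditions_ok

def evaluate(policy, principal, action, resource, ctx):
    """Return 'Allow' or 'Deny': any matching Deny wins, and without a matching Allow the default is Deny."""
    ctx = {k.lower(): v for k, v in ctx.items()}  # constructed request context, e.g. {"aws:sourceVpce": ...}
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, principal, action, resource, ctx)}
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"
```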