Creating IAM users and Amazon SQS queues
The following examples explain how to create an ABAC policy to control access to Amazon SQS using the Amazon Web Services Management Console and Amazon CloudFormation.
Using the Amazon Web Services Management Console
Create an IAM user
Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/
. -
Choose User from the left navigation pane.
-
Choose Add Users and enter a name in the User name text box.
-
Select the Access key - Programmatic access box and choose Next:Permissions.
-
Choose Next:Tags.
-
Add the tag key as
environment
and the tag value asbeta
. -
Choose Next:Review and then choose Create user.
-
Copy and store the access key ID and secret access key in a secure location.
Add IAM user permissions
-
Select the IAM user that you created.
-
Choose Add inline policy.
-
On the JSON tab, paste the following policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowAccessForSameResTag", "Effect": "Allow", "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/environment": "${aws:PrincipalTag/environment}" } } }, { "Sid": "AllowAccessForSameReqTag", "Effect": "Allow", "Action": [ "sqs:CreateQueue", "sqs:DeleteQueue", "sqs:SetQueueAttributes", "sqs:tagqueue" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/environment": "${aws:PrincipalTag/environment}" } } }, { "Sid": "DenyAccessForProd", "Effect": "Deny", "Action": "sqs:*", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/stage": "prod" } } } ] }
-
Choose Review policy.
-
Choose Create policy.
Using Amazon CloudFormation
Use the following sample Amazon CloudFormation template to create an IAM user with an inline policy attached and an Amazon SQS queue:
AWSTemplateFormatVersion: "2010-09-09" Description: "CloudFormation template to create IAM user with custom inline policy" Resources: IAMPolicy: Type: "Amazon::IAM::Policy" Properties: PolicyDocument: | { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowAccessForSameResTag", "Effect": "Allow", "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/environment": "${aws:PrincipalTag/environment}" } } }, { "Sid": "AllowAccessForSameReqTag", "Effect": "Allow", "Action": [ "sqs:CreateQueue", "sqs:DeleteQueue", "sqs:SetQueueAttributes", "sqs:tagqueue" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/environment": "${aws:PrincipalTag/environment}" } } }, { "Sid": "DenyAccessForProd", "Effect": "Deny", "Action": "sqs:*", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/stage": "prod" } } } ] } Users: - "testUser" PolicyName: tagQueuePolicy IAMUser: Type: "AWS::IAM::User" Properties: Path: "/" UserName: "testUser" Tags: - Key: "environment" Value: "beta"