Creating IAM users and Amazon SQS queues - Amazon Simple Queue Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating IAM users and Amazon SQS queues

The following examples explain how to create an ABAC policy to control access to Amazon SQS using the Amazon Web Services Management Console and Amazon CloudFormation.

Using the Amazon Web Services Management Console

Create an IAM user

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at

  2. Choose User from the left navigation pane.

  3. Choose Add Users and enter a name in the User name text box.

  4. Select the Access key - Programmatic access box and choose Next:Permissions.

  5. Choose Next:Tags.

  6. Add the tag key as environment and the tag value as beta.

  7. Choose Next:Review and then choose Create user.

  8. Copy and store the access key ID and secret access key in a secure location.

Add IAM user permissions

  1. Select the IAM user that you created.

  2. Choose Add inline policy.

  3. On the JSON tab, paste the following policy:

    { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowAccessForSameResTag", "Effect": "Allow", "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/environment": "${aws:PrincipalTag/environment}" } } }, { "Sid": "AllowAccessForSameReqTag", "Effect": "Allow", "Action": [ "sqs:CreateQueue", "sqs:DeleteQueue", "sqs:SetQueueAttributes", "sqs:tagqueue" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/environment": "${aws:PrincipalTag/environment}" } } }, { "Sid": "DenyAccessForProd", "Effect": "Deny", "Action": "sqs:*", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/stage": "prod" } } } ] }
  4. Choose Review policy.

  5. Choose Create policy.

Using Amazon CloudFormation

Use the following sample Amazon CloudFormation template to create an IAM user with an inline policy attached and an Amazon SQS queue:

AWSTemplateFormatVersion: "2010-09-09" Description: "CloudFormation template to create IAM user with custom inline policy" Resources: IAMPolicy: Type: "Amazon::IAM::Policy" Properties: PolicyDocument: | { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowAccessForSameResTag", "Effect": "Allow", "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/environment": "${aws:PrincipalTag/environment}" } } }, { "Sid": "AllowAccessForSameReqTag", "Effect": "Allow", "Action": [ "sqs:CreateQueue", "sqs:DeleteQueue", "sqs:SetQueueAttributes", "sqs:tagqueue" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/environment": "${aws:PrincipalTag/environment}" } } }, { "Sid": "DenyAccessForProd", "Effect": "Deny", "Action": "sqs:*", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/stage": "prod" } } } ] } Users: - "testUser" PolicyName: tagQueuePolicy IAMUser: Type: "AWS::IAM::User" Properties: Path: "/" UserName: "testUser" Tags: - Key: "environment" Value: "beta"