Identity and access management in Amazon SQS - Amazon Simple Queue Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Identity and access management in Amazon SQS

Access to Amazon SQS requires credentials that Amazon can use to authenticate your requests. These credentials must have permissions to access Amazon resources, such an Amazon SQS queues and messages. The following sections provide details on how you can use Amazon Identity and Access Management (IAM) and Amazon SQS to help secure your resources by controlling access to them.

Authentication

You can access Amazon as any of the following types of identities:

  • Amazon Web Services account root user – When you first create an Amazon Web Services account, you begin with a single sign-in identity that has complete access to all Amazon Web Services and resources in the account. This identity is called the Amazon Web Services account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks.

  • IAM user – An IAM user is an identity within your Amazon Web Services account that has specific custom permissions (for example, permissions to create a queue in Amazon SQS). You can use an IAM user name and password to sign in to secure Amazon webpages like the Amazon Web Services Management Console, Amazon Discussion Forums, or the Amazon Web Services Support Center.

    In addition to a user name and password, you can also generate access keys for each user. You can use these keys when you access Amazon Web Services programmatically, either through one of the several SDKs or by using the Amazon Command Line Interface (CLI). The SDK and CLI tools use the access keys to cryptographically sign your request. If you don’t use Amazon tools, you must sign the request yourself. Amazon SQS supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 signing process in the Amazon General Reference.

  • IAM role – An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an Amazon identity with permissions policies that determine what the identity can and cannot do in Amazon. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM roles with temporary credentials are useful in the following situations:

    • Federated user access – Instead of creating an IAM user, you can use existing identities from Amazon Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. Amazon assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated users and roles in the IAM User Guide.

    • Amazon Web Service access – A service role is an IAM role that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see Creating a role to delegate permissions to an Amazon Web Service in the IAM User Guide.

    • Applications running on Amazon EC2 – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making Amazon CLI or Amazon API requests. This is preferable to storing access keys within the EC2 instance. To assign an Amazon role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances in the IAM User Guide.

Access control

Amazon SQS has its own resource-based permissions system that uses policies written in the same language used for Amazon Identity and Access Management (IAM) policies. This means that you can achieve similar things with Amazon SQS policies and IAM policies.

Note

It is important to understand that all Amazon Web Services accounts can delegate their permissions to users under their accounts. Cross-account access allows you to share access to your Amazon resources without having to manage additional users. For information about using cross-account access, see Enabling Cross-Account Access in the IAM User Guide.

See Limitations of Custom Policies for further details on cross-content permissions and condition keys within Amazon SQS custom policies.