Amazon SQS Access Policy Language evaluation logic - Amazon Simple Queue Service

Amazon SQS Access Policy Language evaluation logic

At evaluation time, Amazon SQS determines whether a request from someone other than the resource owner should be allowed or denied. The evaluation logic follows several basic rules:

  • By default, all requests to use your resource coming from anyone but you are denied.

  • An allow overrides any default-deny.

  • An explicit-deny overrides any allow.

  • The order in which the policies are evaluated isn't important.

The following diagram describes in detail how Amazon SQS evaluates decisions about access permissions.

The decision starts with a default-deny.

The enforcement code evaluates all the policies that are applicable to the request (based on the resource, principal, action, and conditions). The order in which the enforcement code evaluates the policies isn't important.

The enforcement code looks for an explicit-deny instruction that can apply to the request. If it finds even one, the enforcement code returns a decision of deny and the process finishes.

If no explicit-deny instruction is found, the enforcement code looks for any allow instructions that can apply to the request. If it finds even one, the enforcement code returns a decision of allow and the process finishes (the service continues to process the request).

If no allow instruction is found, then the final decision is deny (because there is no explicit-deny or allow, this is considered a default-deny).
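The decision procedure above, written out as runnable Python so the three outcomes can be checked against a concrete queue policy. This is an added example, not AWS code: the queue ARN, user ARNs and policy are constructed, only the "AWS" principal type and the `*`/`?` wildcards are modelled, and Condition, NotPrincipal, NotAction and NotResource are left out.

```python
import fnmatch

def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _principal_matches(statement, caller_arn):
    """True if the statement names the caller. Only '*' and the 'AWS' principal
    type are modelled; NotPrincipal is not (simplifying assumption)."""
    principal = statement.get("Principal", {})
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return principal == "*" or "*" in aws or caller_arn in aws

def _glob_matches(patterns, value):
    """Match Action/Resource values, honouring the '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy, caller_arn, action, resource_arn):
    """Return 'allow', 'explicit-deny' or 'default-deny' for one request.
    Conditions, NotAction and NotResource are deliberately not modelled."""
    found_allow = False
    for statement in policy["Statement"]:  # statement order is irrelevant
        if not (_principal_matches(statement, caller_arn)
                and _glob_matches(statement["Action"], action)
                and _glob_matches(statement["Resource"], resource_arn)):
            continue  # statement does not apply to this request
        if statement["Effect"] == "Deny":
            return "explicit-deny"  # one applicable deny ends evaluation
        found_allow = True  # remember the allow, but keep looking for a deny
    return "allow" if found_allow else "default-deny"

# Constructed sample queue policy (not from the page): two users are allowed to
# send and receive, and one of them is then explicitly denied every action.
QUEUE = "arn:aws:sqs:us-east-1:123456789012:example-queue"
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [ALICE, BOB]},
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"], "Resource": QUEUE},
    {"Effect": "Deny", "Principal": {"AWS": BOB},
     "Action": "sqs:*", "Resource": QUEUE},
]}

if __name__ == "__main__":
    for who in (ALICE, BOB, "arn:aws:iam::444455556666:user/carol"):
        print(who.rsplit("/", 1)[-1], evaluate(POLICY, who, "sqs:SendMessage", QUEUE))
```

Reversing the statement list gives the same answers, which is the "order isn't important" rule in action: bob's allow is recorded but the explicit deny still wins.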