User guide
A is the principal
    The AWS account that is making a request to access or modify one of your AWS resources.
B is the action
    The way in which your AWS resource is being accessed or modified, such as sending a message to an Amazon SQS queue, or storing an object in an Amazon S3 bucket.
C is the resource
    Your AWS entity that the principal wants to access, such as an Amazon SQS queue, or an object stored in Amazon S3.
D is the set of conditions
    The optional constraints that specify when the principal is allowed or denied access to your resource. Many expressive conditions are available, some specific to each service. For example, you can use date conditions to allow access to your resources only after or before a specific time.
Amazon S3 Example
The following example demonstrates a policy that allows anyone access to read all the objects in a bucket,
but restricts access to uploading objects to that bucket to two specific AWS accounts (in addition to the
bucket owner's account).
import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Principal;
import com.amazonaws.auth.policy.Statement;
import com.amazonaws.auth.policy.Statement.Effect;
import com.amazonaws.auth.policy.actions.S3Actions;
import com.amazonaws.auth.policy.resources.S3ObjectResource;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3Client;

// Anyone, including anonymous requesters, may read any object in the bucket.
Statement allowPublicReadStatement = new Statement(Effect.Allow)
    .withPrincipals(Principal.AllUsers)
    .withActions(S3Actions.GetObject)
    .withResources(new S3ObjectResource(myBucketName, "*"));
// Only the two listed account IDs (placeholders) may upload objects.
Statement allowRestrictedWriteStatement = new Statement(Effect.Allow)
    .withPrincipals(new Principal("123456789"), new Principal("876543210"))
    .withActions(S3Actions.PutObject)
    .withResources(new S3ObjectResource(myBucketName, "*"));
Policy policy = new Policy()
    .withStatements(allowPublicReadStatement, allowRestrictedWriteStatement);
AmazonS3 s3 = new AmazonS3Client(myAwsCredentials);
s3.setBucketPolicy(myBucketName, policy.toJson());
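The S3 example above grants access with no conditions at all. The example below is an addition to this guide, not code from the AWS SDK for Java or its documentation, and shows the condition types described under "D is the set of conditions" applied to a bucket policy: a read grant that expires at a given time and only works from a given network range, plus an explicit Deny for any request that does not use TLS. It assumes the policy builder classes of the AWS SDK for Java 1.x (com.amazonaws.auth.policy.*); the bucket name, account ID, CIDR range, key prefix and statement IDs are placeholders chosen for illustration.

```java
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Principal;
import com.amazonaws.auth.policy.Statement;
import com.amazonaws.auth.policy.Statement.Effect;
import com.amazonaws.auth.policy.actions.S3Actions;
import com.amazonaws.auth.policy.conditions.BooleanCondition;
import com.amazonaws.auth.policy.conditions.ConditionFactory;
import com.amazonaws.auth.policy.conditions.DateCondition.DateComparisonType;
import com.amazonaws.auth.policy.resources.S3BucketResource;
import com.amazonaws.auth.policy.resources.S3ObjectResource;

public class ConditionedBucketPolicyExample {

    // Placeholder values for illustration; replace with your own.
    static final String BUCKET = "example-bucket";
    static final String PARTNER_ACCOUNT = "111122223333";  // placeholder 12-digit account ID
    static final String PARTNER_CIDR = "198.51.100.0/24";  // documentation address range

    /**
     * Builds a policy with two statements:
     *  - Allow: the partner account may read objects under reports/ until the
     *    given deadline, and only from its own network range (aws:CurrentTime
     *    and aws:SourceIp conditions).
     *  - Deny: no principal may perform any S3 action on the bucket or its
     *    objects over a non-TLS connection (aws:SecureTransport is false).
     * An explicit Deny always overrides an Allow, so the second statement
     * cannot be undone by any later Allow added to the policy.
     */
    static Policy buildPolicy(Date readAccessExpires) {
        Statement timeBoundedRead = new Statement(Effect.Allow)
            .withId("PartnerReadUntilDeadline")
            .withPrincipals(new Principal(PARTNER_ACCOUNT))
            .withActions(S3Actions.GetObject)
            .withResources(new S3ObjectResource(BUCKET, "reports/*"))
            .withConditions(
                ConditionFactory.newCurrentTimeCondition(
                    DateComparisonType.DateLessThan, readAccessExpires),
                ConditionFactory.newIpAddressCondition(PARTNER_CIDR));

        Statement denyPlaintext = new Statement(Effect.Deny)
            .withId("DenyNonTlsRequests")
            .withPrincipals(Principal.AllUsers)
            .withActions(S3Actions.AllS3Actions)
            .withResources(new S3BucketResource(BUCKET),
                           new S3ObjectResource(BUCKET, "*"))
            .withConditions(new BooleanCondition(
                ConditionFactory.SECURE_TRANSPORT_CONDITION_KEY, false));

        return new Policy("ConditionedBucketPolicy")
            .withStatements(timeBoundedRead, denyPlaintext);
    }

    /**
     * Parses the generated JSON back into a Policy and returns the statement
     * IDs, so the document can be reviewed before it is applied to the bucket.
     */
    static List<String> statementIds(String policyJson) {
        Policy parsed = Policy.fromJson(policyJson);
        List<String> ids = new ArrayList<String>();
        for (Statement s : parsed.getStatements()) {
            ids.add(s.getId());
        }
        return ids;
    }

    public static void main(String[] args) {
        Date oneWeekFromNow = new Date(System.currentTimeMillis() + 7L * 24 * 60 * 60 * 1000);
        String json = buildPolicy(oneWeekFromNow).toJson();
        System.out.println(json);
        System.out.println("statements: " + statementIds(json));
        // Applying it looks like the guide's example:
        // new AmazonS3Client(myAwsCredentials).setBucketPolicy(BUCKET, json);
    }
}
```

Printing and re-parsing the JSON before calling setBucketPolicy is a cheap way to confirm that the builder produced the statements you intended, since a bucket policy takes effect immediately and a mistaken Allow on Principal.AllUsers exposes the bucket to everyone.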
Amazon SQS Example
One common use of policies is to authorize an Amazon SQS queue to receive messages from an Amazon
SNS topic.
import java.util.HashMap;
import java.util.Map;
import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Principal;
import com.amazonaws.auth.policy.Statement;
import com.amazonaws.auth.policy.Statement.Effect;
import com.amazonaws.auth.policy.actions.SQSActions;
import com.amazonaws.auth.policy.conditions.ConditionFactory;
import com.amazonaws.services.sqs.model.QueueAttributeName;
import com.amazonaws.services.sqs.model.SetQueueAttributesRequest;

/*
 * This policy allows an SNS topic to send messages to an SQS queue.
 * You can find your SNS topic's ARN through the SNS getTopicAttributes operation.
 */
Policy policy = new Policy().withStatements(
    new Statement(Effect.Allow)
        .withPrincipals(Principal.AllUsers)
        .withActions(SQSActions.SendMessage)
        .withConditions(ConditionFactory.newSourceArnCondition(myTopicArn)));
Map<String, String> queueAttributes = new HashMap<String, String>();
queueAttributes.put(QueueAttributeName.Policy.toString(), policy.toJson());
// Apply the policy to the queue (sqs is an AmazonSQS client, myQueueUrl the queue's URL).
sqs.setQueueAttributes(new SetQueueAttributesRequest(myQueueUrl, queueAttributes));
Version v1.0.0
AWS SDK for Java Developer Guide
Access Control Policies