Package com.amazonaws.auth.policy
Classes for creating custom AWS access control policies. Policies let you specify fine-grained
access controls on your AWS resources. You can allow or deny access to your AWS resources based on:
- what resource is being accessed
- who is accessing the resource (i.e. the principal)
- what action is being taken on the resource
- a variety of conditions including date restrictions, IP address restrictions, etc.
Access control policies are a collection of statements. Each statement takes the form: "A has permission to do B to C where D applies".
- A is the principal - the AWS account that is making a request to access or modify one of your AWS resources.
- B is the action - the way in which your AWS resource is being accessed or modified, such as sending a message to an Amazon SQS queue, or storing an object in an Amazon S3 bucket.
- C is the resource - your AWS entity that the principal wants to access, such as an Amazon SQS queue, or an object stored in Amazon S3.
- D is the set of conditions - optional constraints that specify when the statement applies, i.e. when the principal is allowed or denied access to your resource. Many expressive conditions are available, some specific to each service. For example, you can use date conditions to allow access to your resources only before or after a specific time.
The following code creates a policy to allow a specific AWS account to send and receive messages using one of your Amazon SQS queues:
    import com.amazonaws.auth.policy.Policy;
    import com.amazonaws.auth.policy.Principal;
    import com.amazonaws.auth.policy.Statement;
    import com.amazonaws.auth.policy.Statement.Effect;
    import com.amazonaws.auth.policy.actions.SQSActions;
    import com.amazonaws.auth.policy.resources.SQSQueueResource;

    // A: the principal is AWS account 123456789012
    // B: the actions are SendMessage and ReceiveMessage
    // C: the resource is queue "queue2" owned by account 987654321000
    Policy policy = new Policy("MyQueuePolicy");
    policy.withStatements(new Statement(Effect.Allow)
        .withPrincipals(new Principal("123456789012"))
        .withActions(SQSActions.SendMessage, SQSActions.ReceiveMessage)
        .withResources(new SQSQueueResource("987654321000", "queue2")));
Once you've created a policy, you need to use methods on the service to upload your policy to AWS.
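The following is an added, stand-alone example (not code from the SDK's own documentation) that carries the A/B/C/D model above through to the upload step described here. It adds the D part, conditions, which the snippet above leaves out: the partner account may send messages only from a given IP range and only until an expiry date, and an explicit Deny statement blocks every principal outside that range, since an explicit Deny wins over any Allow at evaluation time. The account ids, queue name and CIDR range are constructed sample values; the queue URL passed on the command line is assumed to be an existing queue in the caller's account. The policy is serialized with Policy.toJson() and uploaded as the queue's "Policy" attribute via the Amazon SQS client.

```java
import java.util.Collections;
import java.util.Date;

import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Principal;
import com.amazonaws.auth.policy.Statement;
import com.amazonaws.auth.policy.Statement.Effect;
import com.amazonaws.auth.policy.actions.SQSActions;
import com.amazonaws.auth.policy.conditions.DateCondition;
import com.amazonaws.auth.policy.conditions.DateCondition.DateComparisonType;
import com.amazonaws.auth.policy.conditions.IpAddressCondition;
import com.amazonaws.auth.policy.conditions.IpAddressCondition.IpAddressComparisonType;
import com.amazonaws.auth.policy.resources.SQSQueueResource;
import com.amazonaws.services.sqs.AmazonSQS;
import com.amazonaws.services.sqs.AmazonSQSClientBuilder;
import com.amazonaws.services.sqs.model.QueueAttributeName;
import com.amazonaws.services.sqs.model.SetQueueAttributesRequest;

public class QueuePolicyExample {

    // Constructed sample values (not real accounts): the queue owner's account,
    // the partner account, the queue name and the partner's source CIDR range.
    static final String QUEUE_OWNER_ACCOUNT = "987654321000";
    static final String PARTNER_ACCOUNT = "123456789012";
    static final String QUEUE_NAME = "queue2";
    static final String PARTNER_CIDR = "203.0.113.0/24"; // RFC 5737 documentation range

    /**
     * Builds a policy with two statements:
     *  1. Allow the partner account (A) to SendMessage (B) on the queue (C),
     *     but only from PARTNER_CIDR and only before the expiry date (D).
     *  2. Deny SendMessage/ReceiveMessage to every principal whose request does
     *     not originate from PARTNER_CIDR. An explicit Deny overrides any Allow.
     */
    public static Policy buildPolicy(Date expiry) {
        SQSQueueResource queue = new SQSQueueResource(QUEUE_OWNER_ACCOUNT, QUEUE_NAME);

        Statement allowPartner = new Statement(Effect.Allow)
            .withId("AllowPartnerSendFromKnownRange")
            .withPrincipals(new Principal(PARTNER_ACCOUNT))
            .withActions(SQSActions.SendMessage)
            .withResources(queue)
            // Both conditions must hold for the statement to apply.
            .withConditions(
                new IpAddressCondition(IpAddressComparisonType.IpAddress, PARTNER_CIDR),
                new DateCondition(DateComparisonType.DateLessThan, expiry));

        Statement denyOutsideRange = new Statement(Effect.Deny)
            .withId("DenyOutsideKnownRange")
            .withPrincipals(Principal.AllUsers)
            .withActions(SQSActions.SendMessage, SQSActions.ReceiveMessage)
            .withResources(queue)
            .withConditions(
                new IpAddressCondition(IpAddressComparisonType.NotIpAddress, PARTNER_CIDR));

        return new Policy("MyQueuePolicy").withStatements(allowPartner, denyOutsideRange);
    }

    /**
     * The "use methods on the service" step: the policy is serialized to JSON and
     * set as the queue's Policy attribute. This replaces any policy already on the queue.
     */
    public static void uploadPolicy(AmazonSQS sqs, String queueUrl, Policy policy) {
        sqs.setQueueAttributes(new SetQueueAttributesRequest(queueUrl,
            Collections.singletonMap(QueueAttributeName.Policy.toString(), policy.toJson())));
    }

    public static void main(String[] args) {
        // Expire the grant 30 days from now.
        Date expiry = new Date(System.currentTimeMillis() + 30L * 24 * 60 * 60 * 1000);
        Policy policy = buildPolicy(expiry);

        // Always review the generated JSON before it reaches a live queue.
        System.out.println(policy.toJson());

        // Assumed usage: java QueuePolicyExample <queue-url>
        if (args.length == 1) {
            AmazonSQS sqs = AmazonSQSClientBuilder.defaultClient();
            uploadPolicy(sqs, args[0], policy);
        }
    }
}
```

Run without arguments to only print the JSON; the Deny statement in the output is the check worth reading twice, because setQueueAttributes overwrites the whole queue policy and a mistaken CIDR there locks out your own producers and consumers as well.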
Interface Summary
- Action: An access control policy action identifies a specific action in a service that can be performed on a resource.

Class Summary
- Condition: AWS access control policy conditions are contained in Statement objects, and affect when a statement is applied.
- Policy: An AWS access control policy is an object that acts as a container for one or more statements, which specify fine-grained rules for allowing or denying various types of actions from being performed on your AWS resources.
- Principal: A principal is an AWS account or AWS web service which is being allowed or denied access to a resource through an access control policy.
- Resource: Represents a resource involved in an AWS access control policy statement.
- Statement: A statement is the formal description of a single permission, and is always contained within a policy object.

Enum Summary
- Principal.Services: The services that have the right to perform the assume-role action.
- Principal.WebIdentityProviders: Web identity providers, such as Login with Amazon, Facebook, or Google.
- Statement.Effect: The effect is the result that you want a policy statement to return at evaluation time.
- STSActions: Deprecated in favor of SecurityTokenServiceActions.