
This is my policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1493711257000",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:DeleteMessageBatch",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
                "sqs:SendMessageBatch"
            ],
            "Resource": [
                "arn:aws:sqs:::q1",
                "arn:aws:sqs:::q2",
                "arn:aws:sqs:::q3"
            ]
        }
    ]
}

In the previous version, I actually had the queue names fully qualified, i.e.

            "Resource": [
                "arn:aws:sqs:us-west-2:1234567:q1",
                "arn:aws:sqs:us-west-2:1234567:q2",
                "arn:aws:sqs:us-west-2:1234567:q3"
            ]

However, I want to make them more generic, so I tried to use the ':::' shorthand to replace the region and user account identifier. It then became the version I posted at the beginning of this question.

Before saving it, I used 'Validate Policy' to double-check. It passed validation.

Then I tried to test it in the IAM Policy Simulator and got this error: (screenshot of the error, not reproduced here)

So what exactly is wrong with my policy? It seems like I cannot trust the validation function in the group policy editor.

Anthony Kong
  • I really doubt whether you will be able to write it in shorthand in the policy. Yes, you'll be able to write it, but in this scenario you specify the default region and the principal nowhere else, so I doubt the code will be executed, even if the syntax is correct. – serverstackqns May 03 '17 at 05:41
  • How can I specify the default region and principal? Is there any documentation? – Anthony Kong May 03 '17 at 05:44
  • As far as I know, you can mention the principal in the statements section and then use : (shorthand here), but I don't think you'll be able to pass the region centrally. Refer to IAM policies for SQS for more. – serverstackqns May 03 '17 at 05:55
  • I haven't tried this, but the answer mentioned here could work in case of regions: https://serverfault.com/questions/589150/is-it-possible-to-restrict-aws-users-accounts-to-a-specific-region Replace ec2 with SQS. Let me know how it goes. – serverstackqns May 03 '17 at 06:02
  • Policy can be syntactically invalid or semantically invalid. Policy editor probably only checks the former. Does SQS allow you not to specify the attributes you omitted? That's essentially (I suspect) saying any queue in any account in any region that happens to have that name, and that seems unlikely to work. – Michael - sqlbot May 03 '17 at 11:06
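
As an added example (not code from the question or from any of the commenters), here is a small Python check for the semantic problem Michael describes: a Resource ARN that leaves empty a field the service requires. The per-service table of fields that AWS ARNs legitimately leave empty is my own assumption based on the documented S3, IAM and SQS ARN formats, and the policy is a constructed copy of the one in the question with a wildcard variant added for comparison.

```python
import json

# Assumption (from documented ARN formats): S3 bucket ARNs omit region and
# account, IAM ARNs omit region. SQS queue ARNs need both fields; an empty
# field is not a wildcard, so 'arn:aws:sqs:::q1' names no queue at all.
EMPTY_REGION_OK = {"s3", "iam"}
EMPTY_ACCOUNT_OK = {"s3"}

# Constructed policy: the question's shorthand ARN, a wildcard form, and a
# fully qualified form (sample account ID, not a real one).
POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Sid": "Stmt1493711257000", "Effect": "Allow",
    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
    "Resource": ["arn:aws:sqs:::q1",
                 "arn:aws:sqs:*:*:q2",
                 "arn:aws:sqs:us-west-2:123456789012:q3"] } ] }
""")

def parse_arn(arn):
    """Split an ARN into its six colon-delimited fields; the resource part may itself contain ':'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    names = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(names, parts))

def lint_resources(policy):
    """Return (arn, problem) pairs for Resource ARNs with empty fields the service requires."""
    findings = []
    for stmt in policy.get("Statement", []):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):      # a single string is also valid policy JSON
            resources = [resources]
        for arn in resources:
            if arn == "*":                  # bare wildcard is not an ARN; nothing to check
                continue
            f = parse_arn(arn)
            if f["region"] == "" and f["service"] not in EMPTY_REGION_OK:
                findings.append((arn, "empty region; use an explicit region or '*'"))
            if f["account"] == "" and f["service"] not in EMPTY_ACCOUNT_OK:
                findings.append((arn, "empty account; use an explicit account ID or '*'"))
    return findings

if __name__ == "__main__":
    for arn, problem in lint_resources(POLICY):
        print(f"{arn}: {problem}")
```

Run against the constructed policy, only the ':::' ARN is reported (twice, once per empty field); the '*:*' and fully qualified forms pass, which is the distinction the policy editor's syntax check does not make.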

0 Answers