

# Creating IAM users and Amazon SQS queues
<a name="sqs-abac-creating-queues"></a>

The following examples show how to create an ABAC policy that controls access to Amazon SQS, using either the AWS Management Console or AWS CloudFormation. In both cases the user carries the tag `environment=beta`, and the policy compares that principal tag with the tags on the queue (for existing queues) or the tags in the request (for queue creation).

## Using the AWS Management Console
<a name="sqs-abac-creating-queues-console"></a>

**Create an IAM user**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Users** from the left navigation pane.

1. Choose **Add Users** and enter a name in the **User name** text box.

1. Select the **Access key - Programmatic access** box and choose **Next:Permissions**.

1. Choose **Next:Tags**.

1. Add the tag key as `environment` and the tag value as `beta`.

1. Choose **Next:Review** and then choose **Create user**.

1. Copy and store the access key ID and secret access key in a secure location.

**Add IAM user permissions**

1. Select the IAM user that you created.

1. Choose **Add inline policy**.

1. On the JSON tab, paste the following policy:

1. Choose **Review policy**.

1. Choose **Create policy**.

## Using AWS CloudFormation
<a name="sqs-abac-creating-queues-cf"></a>

Use the following sample CloudFormation template to create an IAM user with an inline policy attached and an Amazon SQS queue:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "CloudFormation template to create IAM user with custom inline policy"
Resources:
    IAMPolicy:
        Type: "AWS::IAM::Policy"
        Properties:
            PolicyDocument: |
                {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Sid": "AllowAccessForSameResTag",
                            "Effect": "Allow",
                            "Action": [
                                "sqs:SendMessage",
                                "sqs:ReceiveMessage",
                                "sqs:DeleteMessage"
                            ],
                            "Resource": "*",
                            "Condition": {
                                "StringEquals": {
                                    "aws:ResourceTag/environment": "${aws:PrincipalTag/environment}"
                                }
                            }
                        },
                        {
                            "Sid": "AllowAccessForSameReqTag",
                            "Effect": "Allow",
                            "Action": [
                                "sqs:CreateQueue",
                                "sqs:DeleteQueue",
                                "sqs:SetQueueAttributes",
                                "sqs:TagQueue"
                            ],
                            "Resource": "*",
                            "Condition": {
                                "StringEquals": {
                                    "aws:RequestTag/environment": "${aws:PrincipalTag/environment}"
                                }
                            }
                        },
                        {
                            "Sid": "DenyAccessForProd",
                            "Effect": "Deny",
                            "Action": "sqs:*",
                            "Resource": "*",
                            "Condition": {
                                "StringEquals": {
                                    "aws:ResourceTag/stage": "prod"
                                }
                            }
                        }
                    ]
                }

            # Reference the user resource so CloudFormation creates the user before the policy.
            Users:
              - !Ref IAMUser
            PolicyName: tagQueuePolicy

    IAMUser:
        Type: "AWS::IAM::User"
        Properties:
            Path: "/"
            UserName: "testUser"
            Tags:
              - Key: "environment"
                Value: "beta"
```
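To see how the three statements in the template interact, here is an added example (not part of the AWS page or of any AWS library): a small offline evaluator in Python that expands `${aws:PrincipalTag/environment}` from the caller's tags, applies `StringEquals` to `aws:ResourceTag/*` and `aws:RequestTag/*`, and follows IAM's rule that an explicit Deny beats any Allow. The `POLICY` table, `BETA_USER` and all queue/request tags are constructed sample data.

```python
import fnmatch
import re

# The three statements from the template's PolicyDocument, reduced to the
# fields the evaluator needs (Resource is "*" in every statement).
POLICY = [
    {"Effect": "Allow",
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
     "Condition": {"aws:ResourceTag/environment": "${aws:PrincipalTag/environment}"}},
    {"Effect": "Allow",
     "Action": ["sqs:CreateQueue", "sqs:DeleteQueue", "sqs:SetQueueAttributes", "sqs:TagQueue"],
     "Condition": {"aws:RequestTag/environment": "${aws:PrincipalTag/environment}"}},
    {"Effect": "Deny", "Action": ["sqs:*"],
     "Condition": {"aws:ResourceTag/stage": "prod"}},
]

def _resolve(value, principal_tags):
    """Expand ${aws:PrincipalTag/Key} from the caller's tags. A principal with
    no such tag yields None, so the comparison below fails closed."""
    m = re.fullmatch(r"\$\{aws:PrincipalTag/([^}]+)\}", value)
    return principal_tags.get(m.group(1)) if m else value

def _condition_matches(cond, principal_tags, resource_tags, request_tags):
    """StringEquals over aws:ResourceTag/* and aws:RequestTag/* keys; every
    key must match, and an absent tag never matches."""
    sources = {"aws:ResourceTag": resource_tags, "aws:RequestTag": request_tags}
    for key, wanted in cond.items():
        namespace, _, tag = key.partition("/")
        expected = _resolve(wanted, principal_tags)
        if expected is None or sources[namespace].get(tag) != expected:
            return False
    return True

def evaluate(action, principal_tags, resource_tags=None, request_tags=None):
    """Decide one SQS request: implicit deny unless some Allow matches, and an
    explicit Deny wins over any Allow. Action matching is case-insensitive."""
    resource_tags, request_tags = resource_tags or {}, request_tags or {}
    decision = "deny"
    for stmt in POLICY:
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in stmt["Action"]):
            continue
        if not _condition_matches(stmt["Condition"], principal_tags, resource_tags, request_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # explicit deny overrides every Allow
        decision = "allow"
    return decision

BETA_USER = {"environment": "beta"}  # constructed: the template's testUser tag
```

Note that `evaluate("sqs:CreateQueue", BETA_USER)` with no request tags is denied, which is the ABAC property that matters: a user cannot create an untagged queue and later escape the tag-based boundary.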