# Attribute-based access control for Amazon SQS
## What is ABAC?
Attribute-based access control (ABAC) is an authorization process that defines permissions based on tags that are attached to users and AWS resources. ABAC provides granular and flexible access control based on attributes and values, reduces security risk related to reconfigured role-based policies, and centralizes auditing and access policy management. For more details about ABAC, see [What is ABAC for AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.
Amazon SQS supports ABAC by allowing you to control access to your Amazon SQS queues based on the tags and aliases that are associated with an Amazon SQS queue. The tag and alias condition keys that enable ABAC in Amazon SQS authorize IAM principals to use Amazon SQS queues without editing policies or managing grants. To learn more about ABAC condition keys, see [Condition keys for Amazon SQS](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html#amazonsqs-policy-keys) in the *Service Authorization Reference*.
With ABAC, you can use tags to configure IAM access permissions and policies for your Amazon SQS queues, which helps you to scale your permissions management. You can create a single permissions policy in IAM using tags that you add to each business role—without having to update the policy each time you add a new resource. You can also attach tags to IAM principals to create an ABAC policy. You can design ABAC policies to allow Amazon SQS operations when the tag on the IAM user role that's making the call matches the Amazon SQS queue tag. To learn more about tagging in AWS, see [AWS Tagging Strategies](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) and [Amazon SQS cost allocation tags](sqs-queue-tags.md).
**Note**
ABAC for Amazon SQS is currently available in all AWS Commercial Regions where Amazon SQS is available, with the following exceptions:
Asia Pacific (Hyderabad)
Asia Pacific (Melbourne)
Europe (Spain)
Europe (Zurich)
## Why should I use ABAC in Amazon SQS?
Here are some benefits of using ABAC in Amazon SQS:
+ ABAC for Amazon SQS requires fewer permissions policies. You don't have to create different policies for different job functions. You can use resource and request tags that apply to more than one queue, which reduces operational overhead.
+ Use ABAC to scale teams quickly. Permissions for new resources are automatically granted based on tags when resources are appropriately tagged during their creation.
+ Use permissions on the IAM principal to restrict resource access. You can create tags for the IAM principal and use them to restrict access to specific actions that match the tags on the IAM principal. This helps you to automate the process of granting request permissions.
+ Track who's accessing your resources. You can determine the identity of a session by looking at user attributes in AWS CloudTrail.
**Topics**
+ [What is ABAC?](#sqs-abac-whatis)
+ [Why should I use ABAC in Amazon SQS?](#sqs-abac-benefits)
+ [Tagging for access control](sqs-abac-tagging-resource-control.md)
+ [Creating IAM users and Amazon SQS queues](sqs-abac-creating-queues.md)
+ [Testing attribute-based access control](sqs-abac-testing-access-control.md)
# Tagging for access control in Amazon SQS
The following is an example of using tags for access control in Amazon SQS. The IAM policy restricts an IAM user to all Amazon SQS actions for all queues that include a resource tag with the key environment and the value production. For more information, see [Attribute-based access control with tags and AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging_abac.html).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccessForProd",
"Effect": "Allow",
"Action": "sqs:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/environment": "prod"
}
}
}
]
}
```
------
# Creating IAM users and Amazon SQS queues
The following examples explain how to create an ABAC policy to control access to Amazon SQS using the AWS Management Console and CloudFormation.
## Using the AWS Management Console
**Create an IAM user**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. Choose **User** from the left navigation pane.
1. Choose **Add Users** and enter a name in the **User name** text box.
1. Select the **Access key - Programmatic access** box and choose **Next:Permissions**.
1. Choose **Next:Tags**.
1. Add the tag key as `environment` and the tag value as `beta`.
1. Choose **Next:Review** and then choose **Create user**.
1. Copy and store the access key ID and secret access key in a secure location.
**Add IAM user permissions**
1. Select the IAM user that you created.
1. Choose **Add inline policy**.
1. On the JSON tab, paste the following policy:
1. Choose **Review policy**.
1. Choose **Create policy**.
## Using AWS CloudFormation
Use the following sample CloudFormation template to create an IAM user with an inline policy attached and an Amazon SQS queue:
```
AWSTemplateFormatVersion: "2010-09-09"
Description: "CloudFormation template to create IAM user with custom inline policy"
Resources:
IAMPolicy:
Type: "AWS::IAM::Policy"
Properties:
PolicyDocument: |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccessForSameResTag",
"Effect": "Allow",
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage",
"sqs:DeleteMessage"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/environment": "${aws:PrincipalTag/environment}"
}
}
},
{
"Sid": "AllowAccessForSameReqTag",
"Effect": "Allow",
"Action": [
"sqs:CreateQueue",
"sqs:DeleteQueue",
"sqs:SetQueueAttributes",
"sqs:tagqueue"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/environment": "${aws:PrincipalTag/environment}"
}
}
},
{
"Sid": "DenyAccessForProd",
"Effect": "Deny",
"Action": "sqs:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/stage": "prod"
}
}
}
]
}
Users:
- "testUser"
PolicyName: tagQueuePolicy
IAMUser:
Type: "AWS::IAM::User"
Properties:
Path: "/"
UserName: "testUser"
Tags:
-
Key: "environment"
Value: "beta"
```
# Testing attribute-based access control in Amazon SQS
The following examples show you how to test attribute-based access control in Amazon SQS.
## Create a queue with the tag key set to environment and the tag value set to prod
Run this AWS CLI command to test creating the queue with the tag key set to environment and the tag value set to prod. If you don't have AWS CLI, you can [download and configure](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) it for your machine.
```
aws sqs create-queue --queue-name prodQueue —region us-east-1 —tags "environment=prod"
```
You receive an `AccessDenied` error from the Amazon SQS endpoint:
```
An error occurred (AccessDenied) when calling the CreateQueue operation: Access to the resource is denied.
```
This is because the tag value on the IAM user does not match the tag passed in the [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CreateQueue.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CreateQueue.html) API call. Remember that we applied a tag to the IAM user with the key set to `environment` and the value set to `beta`.
## Create a queue with the tag key set to environment and the tag value set to beta
Run the this CLI command to test creating a queue with the tag key set to `environment` and the tag value set to `beta`.
```
aws sqs create-queue --queue-name betaQueue —region us-east-1 —tags "environment=beta"
```
You receive a message confirming the successful creation of the queue, similar to the one below.
```
{
"QueueUrl": "“
}
```
## Sending a message to a queue
Run this CLI command to test sending a message to a queue.
```
aws sqs send-message --queue-url --message-body testMessage
```
The response shows a successful message delivery to the Amazon SQS queue. The IAM user permission allows you to send a message to a queue that has a `beta` tag. The response includes `MD5OfMessageBody` and `MessageId` containing the message.
```
{
"MD5OfMessageBody": "",
"MessageId": ""
}
```