If system policies do not meet your business requirements, you can create custom policies to implement the principle of least privilege. You can use custom policies to manage permissions in a fine-grained manner and improve resource access security. This topic describes the scenarios in which custom policies for Simple Message Queue (formerly MNS) are used. This topic also provides sample custom policies.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You create and maintain custom policies yourself.
After you create a custom policy, you need to attach it to a RAM user, a user group, or a RAM role so that the permissions specified in the policy can be granted to the principal.
You can delete a RAM policy only if it is not attached to any principal. If the policy is still attached to a principal, detach it from that principal first and then delete it.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
Create custom policies in the SMQ console
When you access Simple Message Queue (formerly MNS) resources in the SMQ console or by calling the SMQ API, you can create the following custom policies.
Queue management
| Description | Action | Resource |
|---|---|---|
| Queries a list of queues. | mns:ListQueue | acs:mns:${regionId}:${accountId}:/queues |
| Creates a queue. | mns:CreateQueue | acs:mns:${regionId}:${accountId}:/queues/${queueName} |
| Deletes a queue. | mns:DeleteQueue | acs:mns:${regionId}:${accountId}:/queues/${queueName} |
| Queries the attributes of a queue. | mns:GetQueueAttributes | acs:mns:${regionId}:${accountId}:/queues/${queueName} |
| Configures the attributes of a queue. | mns:SetQueueAttributes | acs:mns:${regionId}:${accountId}:/queues/${queueName} |
Topic management
| Description | Action | Resource |
|---|---|---|
| Queries a list of topics. | mns:ListTopic | acs:mns:${regionId}:${accountId}:/topics |
| Creates a topic. | mns:CreateTopic | acs:mns:${regionId}:${accountId}:/topics/${topicName} |
| Deletes a topic. | mns:DeleteTopic | acs:mns:${regionId}:${accountId}:/topics/${topicName} |
| Queries the attributes of a topic. | mns:GetTopicAttributes | acs:mns:${regionId}:${accountId}:/topics/${topicName} |
| Configures the attributes of a topic. | mns:SetTopicAttributes | acs:mns:${regionId}:${accountId}:/topics/${topicName} |
Subscription management
| Description | Action | Resource |
|---|---|---|
| Queries a list of subscriptions. If you specify a topic name, SMQ filters subscriptions based on the topic name. | mns:ListSubscriptionByTopic | acs:mns:${regionId}:${accountId}:/topics/${topicName}/subscriptions |
| Queries the attributes of a subscription. | mns:GetSubscriptionAttributes | acs:mns:${regionId}:${accountId}:/topics/${topicName}/subscriptions/${subscriptionName} |
| Configures the attributes of a subscription. | mns:SetSubscriptionAttributes | acs:mns:${regionId}:${accountId}:/topics/${topicName}/subscriptions/${subscriptionName} |
| Subscribes to messages of a specific topic. | mns:Subscribe | acs:mns:${regionId}:${accountId}:/topics/${topicName}/subscriptions/${subscriptionName} |
| Unsubscribes from messages of a specific topic. | mns:Unsubscribe | acs:mns:${regionId}:${accountId}:/topics/${topicName}/subscriptions/${subscriptionName} |
Sample custom policies
Example 2: Authorize a RAM user to access the SMQ console and read messages from all queues
Example 3: Authorize a RAM user to manage messages of only a specific queue
Example 4: Authorize a RAM user to access the SMQ console and read messages of all topics
Example 5: Authorize a RAM user to manage messages of only a specific topic
Create custom policies by using client SDKs
When you use client SDKs to send and receive messages, Simple Message Queue (formerly MNS) supports the following custom policies. For more information, see List of operations by function.
Queue-related messaging
| Description | Action | Resource |
|---|---|---|
| Sends a message to a queue. | mns:SendMessage | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
| Sends multiple messages to a queue at a time. | mns:SendMessage | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
| Receives a message from a queue. | mns:ReceiveMessage | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
| Receives multiple messages from a queue at a time. | mns:ReceiveMessage | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
| Deletes a message that has been consumed. | mns:DeleteMessage | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
| Deletes multiple messages from a queue at a time. | mns:DeleteMessage | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
| Queries a message. | mns:PeekMessage | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
| Queries multiple messages at a time. | mns:PeekMessage | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
| Modifies the period after which a consumed message that remains in the Inactive state can be consumed again. | mns:ChangeMessageVisibility | acs:mns:${regionId}:${accountId}:/queues/${queueName}/messages |
Topic-related messaging
| Description | Action | Resource |
|---|---|---|
| Publishes a message to a specific topic. | mns:PublishMessage | acs:mns:${regionId}:${accountId}:/topics/${topicName}/messages |
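The following added example (not part of this topic or of the SMQ documentation) assembles two policies in the shape of Example 2 and Example 3 from the action and resource strings in the tables above, then runs a simplified Allow/Deny check to show that the single-queue policy grants nothing outside that queue's messages. The region ID, account ID and queue names are constructed sample values, and the evaluator ignores Condition blocks, so it only approximates what RAM does.

```python
"""Added example: build SMQ (formerly MNS) custom policies and check what they allow."""
import fnmatch

def build_read_all_queues_policy(region_id: str, account_id: str) -> dict:
    """Example 2 shape (one plausible version): list queues and read messages from any queue."""
    prefix = f"acs:mns:{region_id}:{account_id}:/queues"
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["mns:ListQueue", "mns:GetQueueAttributes"],
             "Resource": [prefix, f"{prefix}/*"]},
            {"Effect": "Allow", "Action": ["mns:ReceiveMessage", "mns:PeekMessage"],
             "Resource": [f"{prefix}/*/messages"]},
        ],
    }

def build_single_queue_message_policy(region_id: str, account_id: str, queue_name: str) -> dict:
    """Example 3 shape: message management on one named queue and nothing else."""
    resource = f"acs:mns:{region_id}:{account_id}:/queues/{queue_name}/messages"
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["mns:SendMessage", "mns:ReceiveMessage", "mns:DeleteMessage",
                       "mns:PeekMessage", "mns:ChangeMessageVisibility"],
            "Resource": [resource],
        }],
    }

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified RAM evaluation: an explicit Deny wins, otherwise any matching Allow grants
    access and everything unmatched is denied. Wildcards use fnmatch; Condition is not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (any(fnmatch.fnmatchcase(action, a) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    # Constructed sample values; substitute your own region ID, account ID and queue name.
    region, account = "cn-hangzhou", "123456789012"
    scoped = build_single_queue_message_policy(region, account, "orders")
    print(is_allowed(scoped, "mns:SendMessage", f"acs:mns:{region}:{account}:/queues/orders/messages"))  # True
    print(is_allowed(scoped, "mns:SendMessage", f"acs:mns:{region}:{account}:/queues/audit/messages"))   # False
```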