0
votes

Having trouble getting an IAM policy to work for my SQS queue, I tried the IAM Policy Simulator. No matter how simple I make my policy, it always says it is denied.

The policy below is intended to allow any action on any SQS resource. It is a policy that I am attaching to a specific user, which is why the Principal is not specified.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sqs:*",
      "Effect": "Allow",
      "Resource": "arn:aws:sqs:::*"
    }
  ]
}

When I try and run this in the policy simulator for a listQueues action, I get denied: Implicitly denied (no matching statements). How could this statement possibly not match?

Here's a screenshot of that being denied on the policy editor:

enter image description here

2 Answers

2
votes

That's not the simplest possible IAM policy. This is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Are you clicking "Apply" at the bottom of the policy editor before you run the simulation?

3
votes

By default, the IAM Policy simulator sets the ARN of the resource you are simulating accessing to *. For some reason, this is not matched by a Resource clause of "Resource": "arn:aws:sqs:*:*:*".

Once I expanded the resource part of the simulator (see screenshot below), and pasted in the ARN for a valid SQS resource, the policy matched. See the bottom of the screenshot below.

Another thing that I found fixed the problem was what @Mark-B suggested. Changing the Resource clause to "Resource": "*" did match the Policy Simulator's default resource of *, whereas "Resource": "arn:aws:sqs:*:*:*" did not.

enter image description here
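
The behaviour reported in the answer above can be reproduced with a small offline model of statement matching. This is an added example, not code from the original posts or from AWS; it is a simplified model (identity policy only, no conditions, no NotAction/NotResource), and the queue ARN, account ID and the `simulate`/`policy` helper names are constructed for illustration.

```python
import json
import re

def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def simulate(policy_json, action, resource="*"):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one request.

    resource defaults to "*", the simulator default described in the answer;
    in this model it is compared against each Resource pattern as a literal string.
    """
    decision = "implicitDeny"
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        # Action names are matched case-insensitively, resource ARNs case-sensitively.
        action_hit = any(_glob(a, action, ignore_case=True)
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_glob(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # an explicit deny always wins
            decision = "allowed"
    return decision

def policy(resource):
    """Build the question's single-statement policy with a chosen Resource value."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Action": "sqs:*", "Effect": "Allow", "Resource": resource}]})

# Constructed sample ARN (hypothetical region, account and queue name).
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:example-queue"

if __name__ == "__main__":
    for pat in ("arn:aws:sqs:*:*:*", "*"):
        for res in ("*", QUEUE_ARN):
            result = simulate(policy(pat), "sqs:ListQueues", res)
            print(f"Resource {pat!r:22} vs request {res!r}: {result}")
```

When a scoped Resource pattern shows up as implicitly denied in a simulation, check which resource ARN the request was evaluated against before loosening the policy to "Resource": "*".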