public class Statement extends Object
A statement describes a rule for allowing or denying access to a specific AWS resource based on how the resource is being accessed, and who is attempting to access the resource. Statements can also optionally contain a list of conditions that specify when a statement is to be honored.
For example, consider a statement that:
Statements takes the form: "A has permission to do B to C where D applies".
There are many resources and conditions available for use in statements, and you can combine them to form fine grained custom access control polices.
Modifier and Type | Class and Description |
---|---|
static class |
Statement.Effect
The effect is the result that you want a policy statement to return at
evaluation time.
|
Constructor and Description |
---|
Statement(Statement.Effect effect)
Constructs a new access control policy statement with the specified
effect.
|
Modifier and Type | Method and Description |
---|---|
List<Action> |
getActions()
Returns the list of actions to which this policy statement applies.
|
List<Condition> |
getConditions()
Returns the conditions associated with this policy statement.
|
Statement.Effect |
getEffect()
Returns the result effect of this policy statement when it is evaluated.
|
String |
getId()
Returns the ID for this statement.
|
List<Principal> |
getPrincipals()
Returns the principals associated with this policy statement, indicating
which AWS accounts are affected by this policy statement.
|
List<Resource> |
getResources()
Returns the resources associated with this policy statement.
|
void |
setActions(Collection<Action> actions)
Sets the list of actions to which this policy statement applies.
|
void |
setConditions(List<Condition> conditions)
Sets the conditions associated with this policy statement.
|
void |
setEffect(Statement.Effect effect)
Sets the result effect of this policy statement when it is evaluated.
|
void |
setId(String id)
Sets the ID for this statement.
|
void |
setPrincipals(Collection<Principal> principals)
Sets the principals associated with this policy statement, indicating
which AWS accounts are affected by this policy statement.
|
void |
setPrincipals(Principal... principals)
Sets the principals associated with this policy statement, indicating
which AWS accounts are affected by this policy statement.
|
void |
setResources(Collection<Resource> resources)
Sets the resources associated with this policy statement.
|
Statement |
withActions(Action... actions)
Sets the list of actions to which this policy statement applies and
returns this updated Statement object so that additional method calls can
be chained together.
|
Statement |
withConditions(Condition... conditions)
Sets the conditions associated with this policy statement, and returns
this updated Statement object so that additional method calls can be
chained together.
|
Statement |
withId(String id)
Sets the ID for this statement and returns the updated statement so
multiple calls can be chained together.
|
Statement |
withPrincipals(Principal... principals)
Sets the principals associated with this policy statement, and returns
this updated Statement object.
|
Statement |
withResources(Resource... resources)
Sets the resources associated with this policy statement and returns this
updated Statement object so that additional method calls can be chained
together.
|
public Statement(Statement.Effect effect)
Before a statement is valid and can be sent to AWS, callers must set the principals, resources, and actions (as well as any optional conditions) involved in the statement.
effect
- The effect this statement has (allowing access or denying
access) when all conditions, resources, principals, and
actions are matched.public String getId()
Statement IDs must be unique within a policy, but are not required to be globally unique.
If you do not explicitly assign an ID to a statement, a unique ID will be automatically assigned when the statement is added to a policy.
Developers should be careful to not use the same statement ID for multiple statements in the same policy. Reusing the same statement ID in different policies is not a problem.
public void setId(String id)
Statement IDs must be unique within a policy, but are not required to be globally unique.
If you do not explicitly assign an ID to a statement, a unique ID will be automatically assigned when the statement is added to a policy.
Developers should be careful to not use the same statement ID for multiple statements in the same policy. Reusing the same statement ID in different policies is not a problem.
id
- The new statement ID for this statement.public Statement withId(String id)
Statement IDs serve to help keep track of multiple statements, and are often used to give the statement a meaningful, human readable name.
If you do not explicitly assign an ID to a statement, a unique ID will be automatically assigned when the statement is added to a policy.
Developers should be careful to not use the same statement ID for multiple statements in the same policy. Reusing the same statement ID in different policies is not a problem.
id
- The new statement ID for this statement.public Statement.Effect getEffect()
public void setEffect(Statement.Effect effect)
effect
- The result effect of this policy statement.public List<Action> getActions()
public void setActions(Collection<Action> actions)
actions
- The list of actions to which this policy statement applies.public Statement withActions(Action... actions)
Actions limit a policy statement to specific service operations that are being allowed or denied by the policy statement. For example, you might want to allow any AWS user to post messages to your SQS queue using the SendMessage action, but you don't want to allow those users other actions such as ReceiveMessage or DeleteQueue.
actions
- The list of actions to which this statement applies.public List<Resource> getResources()
Note that some services allow only one resource to be specified per policy statement.
public void setResources(Collection<Resource> resources)
Note that some services allow only one resource to be specified per policy statement.
resources
- The resources associated with this policy statement.public Statement withResources(Resource... resources)
Resources are what a policy statement is allowing or denying access to, such as an Amazon SQS queue or an Amazon SNS topic.
Note that some services allow only one resource to be specified per policy statement.
resources
- The resources associated with this policy statement.public List<Condition> getConditions()
For example, a statement that allows access to an Amazon SQS queue could use a condition to only apply the effect of that statement for requests that are made before a certain date, or that originate from a range of IP addresses.
When multiple conditions are included in a single statement, all conditions must evaluate to true in order for the statement to take effect.
public void setConditions(List<Condition> conditions)
For example, a statement that allows access to an Amazon SQS queue could use a condition to only apply the effect of that statement for requests that are made before a certain date, or that originate from a range of IP addresses.
Multiple conditions can be included in a single statement, and all conditions must evaluate to true in order for the statement to take effect.
conditions
- The conditions associated with this policy statement.public Statement withConditions(Condition... conditions)
Conditions allow policy statements to be conditionally evaluated based on the many available condition types.
For example, a statement that allows access to an Amazon SQS queue could use a condition to only apply the effect of that statement for requests that are made before a certain date, or that originate from a range of IP addresses.
Multiple conditions can be included in a single statement, and all conditions must evaluate to true in order for the statement to take effect.
conditions
- The conditions associated with this policy statement.public List<Principal> getPrincipals()
public void setPrincipals(Collection<Principal> principals)
If you don't want to restrict your policy to specific users, you can use
Principal.AllUsers
to apply the policy to any user trying to
access your resource.
principals
- The list of principals associated with this policy statement.public void setPrincipals(Principal... principals)
If you don't want to restrict your policy to specific users, you can use
Principal.AllUsers
to apply the policy to any user trying to
access your resource.
principals
- The list of principals associated with this policy statement.public Statement withPrincipals(Principal... principals)
If you don't want to restrict your policy to specific users, you can use
Principal.AllUsers
to apply the policy to any user trying to
access your resource.
principals
- The list of principals associated with this policy statement.Copyright © 2013 Amazon Web Services, Inc. All Rights Reserved.