Question

Reading and using this: http://docs.aws.amazon.com/cli/latest/reference/sqs/add-permission.html , but I can't see a way to add a 'deny' rule for a user+action combination; it adds an 'allow' rule by default, and I can't seem to modify it.

Through the web management console, you can easily add 'deny' rules.

Ideas?


Solution

Update: It looks as if the actual answer is that the CLI tool simply offers limited functionality when it comes to permissions unless you want to write your own policy document, but the first part of my answer was incorrect:

As I understand it, SQS permissions don't "deny" -- they only "allow", but the "allow" can be subject to conditions you can add in the console or via the API to associate other "but only if" tests with the permission such as date ranges and IP address ranges.

It looks like the design of the CLI is such that conditions [add: and policies with "Effect = Deny"] aren't handled by add-permission, which only supports simple grants... to attach conditions, you have to generate a policy document, which you can attach with set-queue-attributes.

add-permission writes an SQS-generated policy. If you want to write your own policy, use set-queue-attributes to upload your policy.
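
The route the answer describes, as an added example (not code from the question, the answer, or AWS): build a queue policy document that keeps whatever statements are already on the queue, adds a conditional Allow and an explicit Deny for one user+action pair, and attach it with `aws sqs set-queue-attributes`. The queue URL/ARN and the two user ARNs are made up for the example; `is_allowed` is a deliberately simplified model of policy evaluation (exact-match principals and actions, only the `aws:SourceIp` condition) included only to show why an explicit Deny does what `add-permission`'s Allow-only grants cannot.

```python
"""Attach an SQS queue policy with an explicit Deny via set-queue-attributes.

add-permission can only emit simple Allow statements; conditions and
Effect=Deny require writing the policy document yourself and uploading it
as the queue's Policy attribute.  Added example; identifiers are made up.
"""
import ipaddress
import json
import subprocess

# Constructed identifiers for the example (not real resources or users).
QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/orders"
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:orders"
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"


def build_policy(existing_policy=None):
    """Return a complete queue policy document.

    existing_policy is the JSON string found under Attributes.Policy in the
    output of `aws sqs get-queue-attributes --attribute-names Policy`.  Its
    statements are carried over because set-queue-attributes replaces the
    whole Policy attribute; it does not merge into it.
    """
    statements = json.loads(existing_policy)["Statement"] if existing_policy else []
    statements += [
        {   # conditional Allow: the "but only if" grant the answer mentions
            "Sid": "AllowAliceFromOfficeRange",
            "Effect": "Allow",
            "Principal": {"AWS": ALICE},
            "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
            "Resource": QUEUE_ARN,
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {   # explicit Deny for one user+action, which add-permission cannot express
            "Sid": "DenyBobPurge",
            "Effect": "Deny",
            "Principal": {"AWS": BOB},
            "Action": "sqs:PurgeQueue",
            "Resource": QUEUE_ARN,
        },
    ]
    return {"Version": "2012-10-17", "Id": QUEUE_ARN + "/policy", "Statement": statements}


def attributes_json(policy):
    """set-queue-attributes expects {"Policy": "<policy as a JSON *string*>"},
    so the policy document is JSON-encoded twice."""
    return json.dumps({"Policy": json.dumps(policy)})


def decode_attributes(attributes_text):
    """Inverse of attributes_json: recover the policy dict from the attributes map."""
    return json.loads(json.loads(attributes_text)["Policy"])


def set_queue_policy_cmd(queue_url, attributes_path):
    """The CLI invocation.  The map is read from a file so the nested JSON
    never has to survive shell quoting."""
    return ["aws", "sqs", "set-queue-attributes",
            "--queue-url", queue_url, "--attributes", "file://" + attributes_path]


def apply_policy(policy, path="attributes.json"):
    """Write the attributes file and run the CLI (needs real credentials)."""
    with open(path, "w") as f:
        f.write(attributes_json(policy))
    subprocess.run(set_queue_policy_cmd(QUEUE_URL, path), check=True)


def _matches(stmt, principal, action, source_ip):
    p = stmt["Principal"]
    if isinstance(p, dict):
        p = p.get("AWS", [])
    principals = p if isinstance(p, list) else [p]
    if principal not in principals and "*" not in principals:
        return False
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions and "sqs:*" not in actions:
        return False
    cidr = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
    if cidr and (source_ip is None
                 or ipaddress.ip_address(source_ip) not in ipaddress.ip_network(cidr)):
        return False
    return True


def is_allowed(policy, principal, action, source_ip=None):
    """Simplified model of evaluation: an explicit Deny beats any Allow, and
    a request with no matching Allow is implicitly denied."""
    effects = [s["Effect"] for s in policy["Statement"]
               if _matches(s, principal, action, source_ip)]
    return "Deny" not in effects and "Allow" in effects


if __name__ == "__main__":
    print(attributes_json(build_policy()))
    # apply_policy(build_policy())   # uncomment against a real queue
```

Fetch the current Policy attribute with `aws sqs get-queue-attributes --queue-url <url> --attribute-names Policy` and pass that string to `build_policy` before uploading, otherwise the grants that `add-permission` already wrote (each one is a statement whose Sid is the label you gave) are silently dropped. Since `add-permission` can only produce Allow statements, a user with a broad Allow can only be stopped for a particular action by an explicit Deny, which is exactly the statement the console can write and the CLI subcommand cannot.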

Licensed under: CC-BY-SA with attribution