Class Statement

Namespace
Amazon.Auth.AccessControlPolicy
Assembly
AWSSDK.Core.dll

A statement is the formal description of a single permission, and is always contained within a policy object.

A statement describes a rule for allowing or denying access to a specific AWS resource based on how the resource is being accessed, and who is attempting to access the resource. Statements can also optionally contain a list of conditions that specify when a statement is to be honored.

For example, consider a statement that:

There are many resources and conditions available for use in statements, and you can combine them to form fine-grained custom access control policies.

public class Statement
Inheritance
Statement
Constructors

Statement(StatementEffect)

Constructs a new access control policy statement with the specified effect.

Before a statement is valid and can be sent to AWS, callers must set the principals, resources, and actions (as well as any optional conditions) involved in the statement.

public Statement(Statement.StatementEffect effect)

Parameters

effect Statement.StatementEffect

The effect this statement has (allowing access or denying access) when all conditions, resources, principals, and actions are matched.

Properties

Actions

Gets and Sets the list of actions to which this policy statement applies. Actions limit a policy statement to specific service operations that are being allowed or denied by the policy statement. For example, you might want to allow any AWS user to post messages to your SQS queue using the SendMessage action, but you don't want to allow those users other actions such as ReceiveMessage or DeleteQueue.

public IList<ActionIdentifier> Actions { get; set; }

Property Value

IList<ActionIdentifier>

Conditions

Gets and Sets the conditions associated with this policy statement. Conditions allow policy statements to be conditionally evaluated based on the many available condition types.

For example, a statement that allows access to an Amazon SQS queue could use a condition to only apply the effect of that statement for requests that are made before a certain date, or that originate from a range of IP addresses.

When multiple conditions are included in a single statement, all conditions must evaluate to true in order for the statement to take effect.

public IList<Condition> Conditions { get; set; }

Property Value

IList<Condition>

Effect

Gets and Sets the result effect of this policy statement when it is evaluated. A policy statement can either allow access or explicitly

public Statement.StatementEffect Effect { get; set; }

Property Value

Statement.StatementEffect

Id

Gets and Sets the ID for this statement. Statement IDs serve to help keep track of multiple statements, and are often used to give the statement a meaningful, human readable name.

Developers should be careful to not use the same statement ID for multiple statements in the same policy. Reusing the same statement ID in different policies is not a problem.

public string Id { get; set; }

Property Value

string

Principals

Gets and Sets the principals associated with this policy statement, indicating which AWS accounts are affected by this policy statement.

public IList<Principal> Principals { get; set; }

Property Value

IList<Principal>

Resources

Gets and Sets the resources associated with this policy statement. Resources are what a policy statement is allowing or denying access to, such as an Amazon SQS queue or an Amazon SNS topic.

Note that some services allow only one resource to be specified per policy statement.

public IList<Resource> Resources { get; set; }

Property Value

IList<Resource>

Methods

WithActionIdentifiers(params ActionIdentifier[])

Sets the list of actions to which this policy statement applies and returns this updated Statement object so that additional method calls can be chained together.

Actions limit a policy statement to specific service operations that are being allowed or denied by the policy statement. For example, you might want to allow any AWS user to post messages to your SQS queue using the SendMessage action, but you don't want to allow those users other actions such as ReceiveMessage or DeleteQueue.

public Statement WithActionIdentifiers(params ActionIdentifier[] actions)

Parameters

actions ActionIdentifier[]

The list of actions to which this statement applies.

Returns

Statement

this instance

WithConditions(params Condition[])

Sets the conditions associated with this policy statement, and returns this updated Statement object so that additional method calls can be chained together.

Conditions allow policy statements to be conditionally evaluated based on the many available condition types.

For example, a statement that allows access to an Amazon SQS queue could use a condition to only apply the effect of that statement for requests that are made before a certain date, or that originate from a range of IP addresses.

Multiple conditions can be included in a single statement, and all conditions must evaluate to true in order for the statement to take effect.

public Statement WithConditions(params Condition[] conditions)

Parameters

conditions Condition[]

The conditions associated with this policy statement.

Returns

Statement

this instance

WithId(string)

Sets the ID for this statement and returns the updated statement so multiple calls can be chained together.

Statement IDs serve to help keep track of multiple statements, and are often used to give the statement a meaningful, human readable name.

Developers should be careful to not use the same statement ID for multiple statements in the same policy. Reusing the same statement ID in different policies is not a problem.

public Statement WithId(string id)

Parameters

id string

The new statement ID for this statement.

Returns

Statement

this instance

WithPrincipals(params Principal[])

Sets the principals associated with this policy statement, and returns this updated Statement object. Principals control which AWS accounts are affected by this policy statement.

If you don't want to restrict your policy to specific users, you can use AllUsers to apply the policy to any user trying to access your resource.

public Statement WithPrincipals(params Principal[] principals)

Parameters

principals Principal[]

The list of principals associated with this policy statement.

Returns

Statement

this instance
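
The statement ID guidance and the AllUsers option described above can be checked before a policy is sent to AWS. The following is an added example, not code from the SDK or its documentation: the StatementAudit class, its Review method and the sample ARN are hypothetical, and the check assumes the AllUsers principal carries the ID "*".

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Amazon.Auth.AccessControlPolicy;

public static class StatementAudit
{
    // Hypothetical helper: returns human-readable findings for a policy.
    public static List<string> Review(Policy policy)
    {
        var findings = new List<string>();

        // Statement IDs must not repeat within a single policy.
        var duplicates = policy.Statements
            .Where(s => !string.IsNullOrEmpty(s.Id))
            .GroupBy(s => s.Id)
            .Where(g => g.Count() > 1);
        foreach (var g in duplicates)
            findings.Add($"Duplicate statement ID '{g.Key}' ({g.Count()} statements)");

        // An Allow for every user with no condition is open to anyone.
        // Assumption: Principal.AllUsers is represented by the ID "*".
        foreach (var s in policy.Statements)
        {
            bool everyone = s.Principals.Any(p => p.Id == "*");
            if (s.Effect == Statement.StatementEffect.Allow && everyone && s.Conditions.Count == 0)
                findings.Add($"Statement '{s.Id}' allows all users without any condition");
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample policy; the ARN is a placeholder.
        var queue = new Resource("arn:aws:sqs:us-east-1:444455556666:example-queue");
        var policy = new Policy("ExamplePolicy").WithStatements(
            new Statement(Statement.StatementEffect.Allow)
                .WithId("Send")
                .WithPrincipals(Principal.AllUsers)
                .WithActionIdentifiers(new ActionIdentifier("sqs:SendMessage"))
                .WithResources(queue),
            new Statement(Statement.StatementEffect.Deny)
                .WithId("Send")
                .WithPrincipals(Principal.AllUsers)
                .WithActionIdentifiers(new ActionIdentifier("sqs:DeleteQueue"))
                .WithResources(queue));

        foreach (var finding in Review(policy))
            Console.WriteLine(finding);
    }
}
```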

WithResources(params Resource[])

Sets the resources associated with this policy statement and returns this updated Statement object so that additional method calls can be chained together.

Resources are what a policy statement is allowing or denying access to, such as an Amazon SQS queue or an Amazon SNS topic.

Note that some services allow only one resource to be specified per policy statement.

public Statement WithResources(params Resource[] resources)

Parameters

resources Resource[]

The resources associated with this policy statement.

Returns

Statement

this instance
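
The chained methods above combine into a single narrowly scoped statement. The following is an added example, not code from the SDK documentation: the account ID, queue ARN, IP range, date and all class and method names are constructed placeholders, and it uses the ConditionFactory and Policy types from the same namespace.

```csharp
using System;
using Amazon.Auth.AccessControlPolicy;

public static class QueuePolicyExample
{
    // Constructed placeholder values for illustration only.
    const string ProducerAccountId = "111122223333";
    const string QueueArn = "arn:aws:sqs:us-east-1:444455556666:example-queue";

    public static string BuildSendOnlyPolicyJson()
    {
        // One principal, one action, one resource. Both conditions must
        // evaluate to true for the Allow effect to apply.
        var statement = new Statement(Statement.StatementEffect.Allow)
            .WithId("AllowProducerSendMessage")
            .WithPrincipals(new Principal(ProducerAccountId))
            // SendMessage only; ReceiveMessage and DeleteQueue stay ungranted.
            .WithActionIdentifiers(new ActionIdentifier("sqs:SendMessage"))
            .WithResources(new Resource(QueueArn))
            .WithConditions(
                // Requests must originate from this address range...
                ConditionFactory.NewIpAddressCondition("203.0.113.0/24"),
                // ...and must be made before this date.
                ConditionFactory.NewCondition(
                    ConditionFactory.DateComparisonType.DateLessThan,
                    new DateTime(2030, 1, 1, 0, 0, 0, DateTimeKind.Utc)));

        // A statement is always contained within a policy object.
        var policy = new Policy("ExampleQueuePolicy").WithStatements(statement);
        return policy.ToJson();
    }

    public static void Main()
    {
        // Print the JSON so the generated policy can be reviewed before use.
        Console.WriteLine(BuildSendOnlyPolicyJson());
    }
}
```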