AWS IAM Fundamentals

ARN

arn stands for Amazon Resource Name, and everything in AWS has an ARN: every user, every EC2 instance, every load balancer, everything. Get used to seeing ARNs and being able to understand what they mean.
Partition

arn:aws

The aws here describes the normal AWS regions and services. You will use aws here 99.999% of the time, unless you have to use the AWS China Regions (aws-cn) or the AWS GovCloud Regions (aws-us-gov).
Region

arn:aws:s3:us-east-1

The us-east-1 tells us that this AWS resource is in the US East 1 (Northern Virginia) region.
Account ID

arn:aws:s3:us-east-1:123456789012

The 123456789012 is the AWS account number described in the policy. This can be your own account number, the number of another account you own, an account belonging to a different division of your company, or a third party's account. IAM can be used to grant cross-account permissions in the same way as granting permissions within your own account.
Resource ID

arn:aws:s3:us-east-1:123456789012:bucketwithstuff/*

The bucketwithstuff/* describes all of the objects inside the S3 bucket bucketwithstuff. Remember that IAM is very explicit: this isn't describing the bucket, only the objects inside it, so with only this resource listed alongside the permission s3:* you wouldn't be able to delete the bucket, but you would be allowed to delete all of its contents. You would need to state bucketwithstuff (without the *) to describe the bucket itself. (TODO verify)
Shorthand

At the start we said that arn:aws:s3:::bucketwithstuff/* is actually shorthand for arn:aws:s3:us-east-1:123456789012:bucketwithstuff/*. ARNs have some sensible defaults when you leave an element blank between two colons (::). For the account ID, IAM assumes that you mean your own account ID. The other missing element here is the region, which can be omitted for some services, like S3, because they are global services in AWS. The vast majority of ARNs require a region to be stated.

ARNs are formatted in this manner: arn:partition:service:region:account-id:resource-id
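As an added example (not code from the article), the following Python parses ARNs into the six fields described above, accepts the blank region and account ID of the shorthand form, and then checks a policy Resource pattern against an ARN the way the Resource ID section describes: bucketwithstuff/* covers the objects, not the bucket. The allows() function is a deliberately minimal model of IAM evaluation (one Allow statement, Action and Resource only, no Condition or Deny) written for this illustration; the OBJECTS_ONLY statement and the report.csv object key are constructed sample values.

```python
"""Parse ARNs of the form arn:partition:service:region:account-id:resource-id
and test them against IAM policy Resource patterns."""
import re
from dataclasses import dataclass

# Partitions named in the article; anything else is rejected as a typo.
KNOWN_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str      # "" for services that do not use a region, such as S3
    account_id: str  # "" means IAM assumes the calling account
    resource: str    # everything after the fifth colon, colons included

    def __str__(self) -> str:
        return (f"arn:{self.partition}:{self.service}:{self.region}:"
                f"{self.account_id}:{self.resource}")


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its six fields, validating the ones with a fixed shape."""
    # At most five splits, so a resource such as "db:mydb" is kept intact.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts
    if partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {arn!r}")
    if not service or not resource:
        raise ValueError(f"service and resource are required: {arn!r}")
    if account_id and not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"account id must be 12 digits: {arn!r}")
    return Arn(partition, service, region, account_id, resource)


def _wildcard_regex(pattern: str) -> re.Pattern:
    # Policy wildcards: "*" matches any run of characters (colons and slashes
    # included), "?" matches exactly one character. Everything else is literal.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped)


def arn_matches(pattern: str, arn: str) -> bool:
    """True if a Resource pattern covers the given ARN (whole-string match)."""
    return _wildcard_regex(pattern).fullmatch(arn) is not None


def action_matches(pattern: str, action: str) -> bool:
    """True if an Action pattern such as "s3:*" covers the action (case-insensitive)."""
    return _wildcard_regex(pattern.lower()).fullmatch(action.lower()) is not None


def allows(statement: dict, action: str, arn: str) -> bool:
    """Evaluate one Allow statement with Action and Resource only.

    Hypothetical minimal model for this example: no Condition, no Deny,
    no NotAction/NotResource, no policy combination.
    """
    if statement.get("Effect") != "Allow":
        return False
    actions = statement["Action"]
    resources = statement["Resource"]
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    return (any(action_matches(a, action) for a in actions)
            and any(arn_matches(r, arn) for r in resources))


# Constructed statement mirroring the article's example: s3:* on the objects only.
OBJECTS_ONLY = {
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::bucketwithstuff/*",
}


if __name__ == "__main__":
    full = parse_arn("arn:aws:s3:us-east-1:123456789012:bucketwithstuff/*")
    print(full)  # round-trips to the same string
    short = parse_arn("arn:aws:s3:::bucketwithstuff/*")
    print(f"region={short.region!r} account={short.account_id!r}")  # both blank
    # Objects inside the bucket are covered; the bucket itself is not.
    print(allows(OBJECTS_ONLY, "s3:DeleteObject",
                 "arn:aws:s3:::bucketwithstuff/report.csv"))  # True
    print(allows(OBJECTS_ONLY, "s3:DeleteBucket",
                 "arn:aws:s3:::bucketwithstuff"))  # False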
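```

Splitting on at most five colons is the detail worth remembering: the resource field of some services contains further colons, and a naive split() would shred it. The matcher treats the whole ARN as one string, which is why a pattern ending in bucketwithstuff/* never equals the bare bucket ARN.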