AWS IAM Fundamentals
- `arn` stands for Amazon Resource Name, and everything in AWS has an ARN: every user, every EC2 instance, every load balancer, everything. Get used to seeing ARNs and being able to understand what they mean.
- `aws` here describes the normal AWS regions and services. You will 99.999% of the time use `aws` here unless you have to use AWS China Regions (`aws-cn`) or AWS GovCloud Regions (
- `us-east-1` tells us that this AWS resource is in the US East 1 (Northern Virginia) region.
- `123456789012` is the AWS account number described in the policy. This can be your own account number, the number of another account you own, an account of a different division of your company, or a third party. IAM can be used to grant cross-account permissions the same way it grants permissions in your own account.
- `bucketwithstuff/*` describes all of the objects inside the S3 bucket `bucketwithstuff`. Remember that IAM is very explicit: this does not describe the bucket, only the objects inside it. So with only this resource listed alongside the permission `s3:*`, you would not be able to delete the bucket, but you would be allowed to delete all of its contents. You would need to state `bucketwithstuff` (without the `/*`) to describe the bucket itself. (TODO verify)
At the start we said that `arn:aws:s3:::bucketwithstuff/*` is actually shorthand for `arn:aws:s3:us-east-1:123456789012:bucketwithstuff/*`. ARNs have some sensible defaults for fields you leave blank (`::`). For the account ID, IAM assumes that you mean your own account ID. The other missing element here is the region, which can be left out for some services, like S3, because they are global services in AWS. The vast majority of ARNs require a region to be stated.
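Added example, not code from the article: a small Python parser for the six colon-separated ARN fields, plus a matcher that applies the blank-field defaults described above and IAM's `*`/`?` wildcards in the resource field. The `own_account` parameter and the treatment of a blank account as "my account" are assumptions made to mirror the text; they show why a policy listing only `bucketwithstuff/*` covers the objects but not the bucket itself.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Arn:
    partition: str  # aws, aws-cn, ...
    service: str    # s3, iam, ec2, ...
    region: str     # blank for global services such as S3 and IAM
    account: str    # blank in a policy means "my own account" (assumption from the text)
    resource: str   # everything after the fifth colon


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its six colon-separated fields.

    The resource field may itself contain colons (CloudWatch Logs
    groups, for example), so split at most five times.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def _iam_glob(pattern: str) -> re.Pattern:
    # IAM wildcard semantics: '*' matches any run of characters
    # (including '/'), '?' matches exactly one; all else is literal.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def resource_matches(policy_resource: str, target: str, own_account: str) -> bool:
    """Does a policy Resource ARN cover one concrete target ARN?

    A blank region in the policy ARN matches any region and a blank
    account is read as the caller's own account, following the
    defaults described in the article. Wildcards are honoured only in
    the resource field, so 'bucketwithstuff/*' covers the objects but
    never the bucket ARN 'bucketwithstuff' itself.
    """
    p, t = parse_arn(policy_resource), parse_arn(target)
    if (p.partition, p.service) != (t.partition, t.service):
        return False
    if p.region and p.region != t.region:
        return False
    if (p.account or own_account) != (t.account or own_account):
        return False
    return _iam_glob(p.resource).match(t.resource) is not None
```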
You can think of ARNs as being formatted in this manner: