S3 Object ARN — Referencing Files Inside Buckets
Parse an S3 object ARN to understand how bucket names and object keys combine into a single resource identifier. Covers wildcard patterns for IAM policies.
Detailed Explanation
Targeting Specific Objects in S3
While an S3 bucket ARN references the bucket itself, an S3 object ARN points to a specific file (object) within that bucket. The object key — the full path including any prefixes — follows the bucket name after a slash.
Example ARN
arn:aws:s3:::my-app-data/reports/2024/q4-summary.csv
Parsed Components
| Component | Value |
|---|---|
| Partition | aws |
| Service | s3 |
| Region | (empty) |
| Account ID | (empty) |
| Resource Type | (none; for bucket and object ARNs the resource field is simply bucket or bucket/key, with no type prefix) |
| Resource ID | my-app-data/reports/2024/q4-summary.csv (bucket my-app-data, key reports/2024/q4-summary.csv, split at the first slash) |
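A parser for the layout in the table above, added here as an example (not code from the original page). It splits the ARN on at most five colons so that a ':' inside an object key survives, then separates bucket from key at the first slash; a bucket-only ARN yields no key. S3 access point ARNs, which do carry a region and account, are outside what the page describes and are rejected. The helper name `is_s3_object_arn` is this example's own.

```python
"""Parse S3 bucket and object ARNs into their components.

Added example, not from the original page. Handles only the plain
arn:partition:s3:::bucket[/key] form described in the table.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class S3Arn:
    partition: str          # aws, aws-cn, aws-us-gov, ...
    bucket: str
    key: Optional[str]      # None for a bucket ARN such as arn:aws:s3:::my-app-data

    @property
    def is_object(self) -> bool:
        return self.key is not None


def parse_s3_arn(arn: str) -> S3Arn:
    """Split an S3 bucket or object ARN.

    General ARN layout: arn:partition:service:region:account-id:resource.
    Splitting on at most five colons keeps any ':' that appears inside the
    object key intact (legal in S3 keys). For bucket/object ARNs the
    resource field is 'bucket' or 'bucket/key' with no resource-type prefix,
    and region and account are empty.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    partition, service, region, account, resource = parts[1:]
    if service != "s3":
        raise ValueError(f"not an S3 ARN (service={service!r})")
    if region or account:
        # Access point ARNs look like arn:aws:s3:us-east-1:123456789012:accesspoint/name;
        # they are a different resource type and deliberately not handled here.
        raise ValueError("bucket/object ARNs carry an empty region and account")
    if not resource or resource.startswith("/"):
        raise ValueError("S3 ARN has no bucket name")
    bucket, sep, key = resource.partition("/")
    return S3Arn(partition=partition, bucket=bucket, key=key if sep else None)


def is_s3_object_arn(arn: str) -> bool:
    """Convenience check: True only for a well-formed S3 *object* ARN."""
    try:
        return parse_s3_arn(arn).is_object
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_s3_arn("arn:aws:s3:::my-app-data/reports/2024/q4-summary.csv"))
    print(parse_s3_arn("arn:aws:s3:::my-app-data"))
```

The colon case matters in practice: keys such as ISO-8601 timestamps (`2024-01-01T10:00:00Z.log`) are common in log buckets, and a naive `split(":")` would shred them.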
Wildcard Patterns in IAM Policies
In IAM policies, you often need to grant access to a group of objects rather than a single file. S3 object ARNs support wildcard patterns in the Resource element:
- All objects in a bucket: arn:aws:s3:::my-app-data/*
- Objects under a prefix: arn:aws:s3:::my-app-data/reports/*
- Objects matching a pattern: arn:aws:s3:::my-app-data/reports/2024/*.csv
Two properties of IAM wildcards are worth keeping in mind. First, * matches any run of characters, including slashes, so reports/* covers every object below reports/ at any depth and reports/2024/*.csv also matches CSV files in deeper subfolders. Second, the slash before the * is what anchors the pattern to this bucket: arn:aws:s3:::my-app-data* (no slash) would also match a bucket named my-app-data-backup and everything in it.
Bucket vs. Object Permissions
A common IAM policy mistake is granting s3:ListBucket on the object ARN instead of the bucket ARN. List operations target the bucket (arn:aws:s3:::bucket), while object operations such as GetObject and PutObject target objects (arn:aws:s3:::bucket/*). A policy that mixes them up is syntactically valid and saves without complaint, but the affected calls fail with AccessDenied, and the cause is easy to miss because the resource ARN looks right at a glance. To limit listing to a prefix, keep the bucket ARN as the Resource and constrain the request with a Condition on the s3:prefix key rather than putting the prefix into the ARN.
Use Case
Creating fine-grained IAM policies that restrict access to specific prefixes (folders) or file types within an S3 bucket, common in multi-tenant applications where each tenant's data lives under a separate prefix.
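An added example (not the page's or AWS's code) covering the wildcard, bucket-vs-object and multi-tenant sections above. `iam_match` implements IAM's * and ? wildcard semantics for resource ARNs, `is_allowed` evaluates Allow statements so the ListBucket/GetObject resource split can be seen failing and succeeding, and `tenant_policy` builds the per-tenant prefix policy from the use case, scoping listing with the s3:prefix condition key. The bucket name my-app-data and the tenant names tenant-a/tenant-b are constructed sample values. Only Allow effects and the StringLike operator are modelled; explicit Deny, NotResource, policy variables and other condition operators are not, so this is a teaching aid rather than an IAM simulator.

```python
"""Minimal IAM matching for S3 ARNs: wildcard semantics, the ListBucket vs.
GetObject resource split, and a tenant-scoped prefix policy.

Added example, not the page's or AWS's code. Models only the subset of IAM
needed here: Allow statements, '*'/'?' wildcards, StringLike on s3:prefix.
"""
import re
from typing import Optional


def iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _conditions_hold(condition: dict, context: dict) -> bool:
    """All condition blocks must hold. Only StringLike is implemented; a key
    missing from the request context makes the condition false, as in IAM."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, patterns in pairs.items():
            if key not in context:
                return False
            if not any(iam_match(p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str,
               context: Optional[dict] = None) -> bool:
    """True if some Allow statement matches action, resource and conditions.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(iam_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        return True
    return False


BUCKET = "my-app-data"                      # constructed sample bucket name
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# The mistake described in the text: s3:ListBucket granted on the object ARN.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": f"{BUCKET_ARN}/*",
    }],
}


def tenant_policy(bucket: str, tenant: str) -> dict:
    """One statement per resource kind: ListBucket on the bucket ARN, limited to
    the tenant's prefix via s3:prefix; Get/Put on object ARNs under that prefix.
    The trailing '/' in both places stops 'tenant-a' from matching 'tenant-ab'."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
                "Condition": {"StringLike": {"s3:prefix": f"{tenant}/*"}},
            },
            {
                "Sid": "ReadWriteOwnObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"{bucket_arn}/{tenant}/*",
            },
        ],
    }


if __name__ == "__main__":
    obj = f"{BUCKET_ARN}/reports/2024/q4-summary.csv"
    print("broken policy, ListBucket on bucket:", is_allowed(BROKEN_POLICY, "s3:ListBucket", BUCKET_ARN))
    print("broken policy, GetObject on object: ", is_allowed(BROKEN_POLICY, "s3:GetObject", obj))
    pol = tenant_policy(BUCKET, "tenant-a")
    print("tenant-a lists own prefix:  ", is_allowed(pol, "s3:ListBucket", BUCKET_ARN, {"s3:prefix": "tenant-a/2024/"}))
    print("tenant-a lists whole bucket:", is_allowed(pol, "s3:ListBucket", BUCKET_ARN))
    print("tenant-a reads tenant-b obj:", is_allowed(pol, "s3:GetObject", f"{BUCKET_ARN}/tenant-b/x.pdf"))
```

Running it shows the failure mode from the text directly: under BROKEN_POLICY the GetObject call is allowed but ListBucket on the bucket ARN is not, because `my-app-data/*` never matches the bare bucket ARN. In `tenant_policy`, a ListObjects request that omits the prefix parameter is denied outright, which is the intended behaviour for a tenant that should never see the bucket root.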