Access elements: Resource, Action, and Metadata
Explore the core elements of AWS IAM access control by understanding resources represented by ARNs, the specific actions performed on those resources, and the metadata that affects access decisions. This lesson helps you grasp how requests are evaluated and guides you in writing effective access policies using real AWS examples.
Resource
A resource is an AWS entity that serves as the target of an operation. When we delete an S3 bucket, the resource is the bucket. When a user assumes a role, the resource is the role. Most requests have a resource.
An Amazon Resource Name (ARN) is a global identifier for a resource inside AWS. Usually, an ARN is what we need to supply when a policy or API call has to refer to a specific entity.
An ARN is made up of several parts:
arn:partition:service:region:account-id:resource-id
- The `partition` is usually `aws`; the exceptions are the China regions and AWS GovCloud (US).
- The `service` is the AWS product, such as `s3` or `iam`.
- The `region` specifies which region the resource is located in, if any. Global resources, such as IAM users, do not have a region.
- The `account-id` is the 12-digit account number.
- And finally, the `resource-id` is the local identifier of the resource. It can specify sub-resources too, such as the names of objects inside an S3 bucket.
For example, an sts:AssumeRole operation specifies the role to assume by its ARN: arn:aws:iam::123456789012:role/test-role. This resource is inside the IAM service, which is non-regional, the region is missing, in the 123456789012 ...
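The following parser is an added example, not code from the lesson or from AWS. It splits an ARN into the parts described above and shows the two edge cases a policy author trips over most often: global services such as IAM leave the region field empty, and the resource-id may itself contain `:` or `/` separators (the `role/test-role` from the text, an S3 object key, a CloudWatch log group), so the string must be split into at most six fields from the left. The sample ARNs below are constructed for illustration; the `aws-cn` and `aws-us-gov` partition names are real, and the 12-digit account-id rule is the one the lesson states.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Known partition names. "aws" is the common case; the other two are the
# China regions and AWS GovCloud (US) mentioned in the lesson.
KNOWN_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str       # empty string for global resources such as IAM
    account_id: str   # empty for services that omit it (for example S3)
    resource: str     # local identifier, may contain ':' or '/' sub-resource parts


def parse_arn(arn: str) -> Arn:
    """Split an ARN of the form arn:partition:service:region:account-id:resource-id.

    The string is split on ':' at most five times so that any colons inside the
    resource-id stay attached to it instead of producing extra fields.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts
    if partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {arn!r}")
    if not service or not resource:
        raise ValueError(f"service and resource-id are required: {arn!r}")
    # The lesson defines account-id as a 12-digit number; when a service fills
    # it in, enforce that, but allow it to be empty (S3 bucket ARNs omit it).
    if account_id and not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"account-id must be 12 digits: {account_id!r}")
    return Arn(partition, service, region, account_id, resource)


def is_valid_arn(arn: str) -> bool:
    """True if parse_arn accepts the string, False otherwise."""
    try:
        parse_arn(arn)
        return True
    except ValueError:
        return False


def is_global(arn: Arn) -> bool:
    """Global resources (IAM users and roles, for example) carry no region."""
    return arn.region == ""


def split_resource(resource: str) -> Tuple[str, Optional[str]]:
    """Split a resource-id at its first ':' or '/' into (head, sub-resource).

    For "role/test-role" this yields ("role", "test-role"); for an S3 object
    "my-bucket/reports/q1.csv" it yields ("my-bucket", "reports/q1.csv").
    A resource-id with no separator has no sub-resource part.
    """
    positions = [i for i in (resource.find("/"), resource.find(":")) if i != -1]
    if not positions:
        return resource, None
    cut = min(positions)
    return resource[:cut], resource[cut + 1:]


if __name__ == "__main__":
    # Constructed sample ARNs covering the cases discussed above.
    samples = [
        "arn:aws:iam::123456789012:role/test-role",          # global, no region
        "arn:aws:s3:::my-bucket/reports/2024/q1.csv",         # no region, no account
        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/fn",  # ':' in resource
        "arn:aws:iam::12345:role/test-role",                  # bad account-id
    ]
    for sample in samples:
        if is_valid_arn(sample):
            parsed = parse_arn(sample)
            print(sample, "->", parsed, "global" if is_global(parsed) else "regional",
                  split_resource(parsed.resource))
        else:
            print(sample, "-> rejected")
```

Running the block prints each sample ARN with its parsed fields, whether it is global, and the resource head and sub-resource; the last sample is rejected because its account-id is not 12 digits.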