Resource
A resource is an AWS entity that serves as the target of an operation. When we delete an S3 bucket, the resource is the bucket. When a user assumes a role, the resource is the role. Most requests have a resource.
An Amazon Resource Name (ARN) is a global identifier for resources inside AWS. Usually, these are what we need to input when we want to specify an entity.
An ARN is made up of several parts:
arn:partition:service:region:account-id:resource-id
- The `partition` is usually `aws`; the exceptions are the regions in China and the US GovCloud, which use their own partitions.
- The `service` is the AWS product, such as `s3` or `iam`.
- The `region` specifies which region the resource is located in, if any. There are global resources, such as IAM users, that do not have a region, and the field is left empty for them.
- The `account-id` is the 12-digit account number.
- And finally, the `resource-id` is the local identifier of the resource. It can specify sub-resources too, such as the name of objects inside an S3 bucket.
For example, an `sts:AssumeRole` operation specifies the role to assume by its ARN: `arn:aws:iam::123456789012:role/test-role`. This resource is inside the IAM service, which is global, so the region field is empty; it is in the `123456789012` account, where it is a role named `test-role`.
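The following is an added example, not code from the original page, that parses ARNs into the parts described above. It handles the two edge cases a policy-checking tool most often trips over: global services such as IAM leave the region field empty, and the resource-id may itself contain colons, so a naive split on every colon breaks it. The sample ARNs (the IAM role from the text, an S3 object, and a CloudWatch Logs log group) are constructed for illustration; the partition names `aws`, `aws-cn` and `aws-us-gov` are the real ones but are an assumption as far as this page goes.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Partitions: "aws" is the common one; China and US GovCloud use their own.
KNOWN_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: Optional[str]       # None for global resources such as IAM roles
    account_id: Optional[str]   # None where the service omits it (e.g. S3 buckets)
    resource_id: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its six fields, validating the fixed-format ones."""
    # Split on at most five colons: everything after the fifth colon is the
    # resource-id, which may contain further colons (e.g. "log-group:/aws/x:*").
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource_id = parts

    if partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {arn!r}")
    if not service:
        raise ValueError(f"missing service in {arn!r}")
    # The account id, when present, is exactly 12 digits.
    if account_id and not (len(account_id) == 12 and account_id.isdigit()):
        raise ValueError(f"malformed account id {account_id!r} in {arn!r}")
    if not resource_id:
        raise ValueError(f"missing resource-id in {arn!r}")

    return Arn(partition, service, region or None, account_id or None, resource_id)


def split_resource_id(resource_id: str) -> Tuple[Optional[str], str]:
    """Split a resource-id at its first '/' or ':' separator.

    For IAM this yields (type, name), e.g. "role/test-role" -> ("role", "test-role").
    For S3 it yields (bucket, key). A bare identifier has no type part.
    """
    cut = [i for i in (resource_id.find("/"), resource_id.find(":")) if i >= 0]
    if not cut:
        return None, resource_id
    i = min(cut)
    return resource_id[:i], resource_id[i + 1:]


def describe(arn: str) -> str:
    """Human-readable summary of where an ARN points."""
    a = parse_arn(arn)
    head, rest = split_resource_id(a.resource_id)
    where = a.region or "global"
    acct = a.account_id or "no account"
    return f"{a.service} {head or 'resource'} {rest!r} ({where}, {acct})"


if __name__ == "__main__":
    # Constructed sample ARNs for a quick local run.
    for sample in (
        "arn:aws:iam::123456789012:role/test-role",
        "arn:aws:s3:::my-bucket/path/to/object.txt",
        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/fn:*",
    ):
        print(describe(sample))
```

When checking a resource policy or an allow-list, compare the parsed fields rather than the raw string: two ARNs that differ only in an empty region field or in the ordering of colons inside the resource-id can still refer to the same entity, and string prefix matching on the resource-id is where over-broad grants usually come from.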
Each resource type uses a different structure and they are detailed in the reference documentation for each service.
For example, the S3 service defines these resource types: