These are the general formats for Amazon Resource Names (ARNs):
- arn:partition:service:region:account-id:resource-id
- arn:partition:service:region:account-id:resource-type/resource-id
- arn:partition:service:region:account-id:resource-type:resource-id
[https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html][1]
The challenge with S3:
S3 bucket names are globally unique (well, if we exclude the GovCloud and China regions). That is why S3 ARNs do not include a region or an AWS account ID:
arn:aws:s3:::examplebucket
Now, what the customer is saying:
- we own a bucket
- we write a policy allowing service X to write secret file Y to the bucket
- we delete the bucket (and its contents), forgetting about service X
- someone else creates a bucket and allows anybody to write to it
- service X writes to "the bucket" (now owned by someone else)
It would be trivial to avoid by only allowing service X to write to "bucket foo" in a particular account, but AWS IAM explicitly disallows bucket ARNs with account IDs in them.
Is there any workaround for this?
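As an added illustration (not part of the original question), here is the policy shape the scenario above boils down to, with the `s3:ResourceAccount` condition key pinning the bucket to its owning account; removing the `Condition` block leaves the ARN-only grant that keeps working after the bucket name changes hands. The account ID `111122223333` is a placeholder for the account that owns `examplebucket`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteOnlyIfBucketStillOwnedByUs",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ResourceAccount": "111122223333"
        }
      }
    }
  ]
}
```

The same owner check can be attached to individual requests with the `x-amz-expected-bucket-owner` header (`--expected-bucket-owner` in the AWS CLI), which makes S3 reject the call outright if the bucket is no longer owned by that account.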