Resource

The Resource element in an IAM policy statement defines the object or objects that the statement applies to. Statements must include a Resource element.

You specify a resource using an Amazon Resource Name (ARN). The format of the ARN depends on the Astran service and the specific resource you're referring to. Although the ARN format varies, you always use an ARN to identify a resource. For information about how to specify a resource, refer to the documentation for the service for which you want to write a statement.

note

Some Astran services do not allow you to specify actions for individual resources. In these cases, any actions that you list in the Action element apply to all resources in that service. When this is the case, you use the wildcard character (*) in the Resource element.

The following example refers to the IAM user with email bob@astran.io in an AWS account.

"Resource": "arn:YOUR_PARTITION:iam::YOUR_ACCOUNT_ID:user/bob@astran.io"

The following example refers to the object myobject in the mybucket bucket in an AWS account. (Note the absence of an account ID.)

"Resource": "arn:YOUR_PARTITION:s3:::mybucket/myobject"

You can specify multiple resources by using an array.

"Resource": [
"arn:YOUR_PARTITION:s3:::table/books_table",
"arn:YOUR_PARTITION:s3:::table/magazines_table"
]

In the Resource element, you can use JSON policy variables in the part of the ARN that identifies the specific resource (that is, in the trailing part of the ARN). For example, you can use the key aws:username as part of a resource ARN to indicate that the current user's name should be included as part of the resource's name. The following example shows how you can use the aws:username key in a Resource element. The policy allows access to all objects within a virtual folder that matches the current user's email.

{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:YOUR_PARTITION:s3:::user-buckets/${aws:username}/*"
}
}
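To make concrete how the ${aws:username} variable and the trailing * wildcard confine a statement to one user's folder, here is an added Python evaluator that is not part of this documentation or of Astran's implementation. The sample policy and the aws:username context value are constructed; glob matching via fnmatch stands in for the service's own matcher, and YOUR_PARTITION is kept as a literal placeholder as on this page.

```python
import fnmatch

# Constructed sample policy (not from the page) using the page's ${aws:username} pattern.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "arn:YOUR_PARTITION:s3:::user-buckets/${aws:username}/*",
    },
}


def expand_variables(resource: str, context: dict) -> str:
    """Substitute ${key} policy variables from the request context.

    A variable with no value in the context is left as literal text, so it
    never silently widens to a wildcard.
    """
    for key, value in context.items():
        resource = resource.replace("${" + key + "}", value)
    return resource


def pattern_matches(pattern: str, value: str) -> bool:
    """Case-sensitive glob match: '*' spans any run of characters, '?' one."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, arn: str, context: dict) -> bool:
    """Return True if an Allow statement covers (action, arn) and no Deny does."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # Statement may be one object or an array
        statements = [statements]
    allowed = False
    for stmt in statements:
        actions = stmt["Action"]
        resources = stmt["Resource"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if not any(pattern_matches(a, action) for a in actions):
            continue
        if not any(pattern_matches(expand_variables(r, context), arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed
```

With the context {"aws:username": "bob@astran.io"}, objects under user-buckets/bob@astran.io/ are allowed while another user's folder, or a request with no username in the context, is not.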