
Wildcards

You can use wildcard characters (* and ?) within any value of the policy (action, resource, condition value...) to represent:

  • Any combination of characters (*)
  • Any single character (?)

You can use multiple * or ? characters in each segment. If the wildcard is the last character of a resource ARN segment, it can expand to match beyond the colon boundaries, so a trailing * can cover more resources than the segment it sits in. We recommend you use wildcards (* and ?) within ARN segments separated by a colon.

The following example refers to all IAM users whose path is /accounting/ (and, because * also matches /, users under any path nested beneath it).

"Resource": "arn:YOUR_PARTITION:iam::YOUR_ACCOUNT_ID:user/accounting/*"

The following example refers to all items within a specific Amazon S3 bucket.

"Resource": "arn:YOUR_PARTITION:s3:::amzn-s3-demo-bucket/*"

The asterisk (*) character can expand to replace everything within a segment, including characters like a forward slash (/) that may otherwise appear to be a delimiter within a given service namespace. The following Amazon S3 ARN illustrates this; the same wildcard expansion logic applies to all services.

"Resource": "arn:YOUR_PARTITION:s3:::amzn-s3-demo-bucket/*/test/*"

The wildcards in the ARN apply to all of the following objects in the bucket, not only the first object listed.

amzn-s3-demo-bucket/1/test/object.jpg
amzn-s3-demo-bucket/1/2/test/object.jpg
amzn-s3-demo-bucket/1/2/test/3/object.jpg
amzn-s3-demo-bucket/1/2/3/test/4/object.jpg
amzn-s3-demo-bucket/1///test///object.jpg
amzn-s3-demo-bucket/1/test/.jpg
amzn-s3-demo-bucket//test/object.jpg
amzn-s3-demo-bucket/1/test/

Consider the last two objects in the previous list. An Amazon S3 object name can begin or end with the conventional delimiter forward slash (/) character. While / works as a delimiter in S3, it has no special significance when used within a resource ARN; it is treated the same as any other valid character. The ARN would not match the following objects, because none of them contains the literal /test/ after the first slash:

amzn-s3-demo-bucket/1-test/object.jpg
amzn-s3-demo-bucket/test/object.jpg
amzn-s3-demo-bucket/1/2/test.jpg
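The following Python example is added here to make the expansion rules concrete; it is not code from this page or from AWS. It implements a matcher with exactly the two documented rules (* matches any run of characters including / and :, ? matches one character) and runs it over the object keys listed above, then shows the cross-colon caveat from earlier in the section. The partition `aws`, the account ID `123456789012`, the `report-?.csv` key pattern and the object keys are constructed sample values, and the matcher is an illustrative reimplementation, not the evaluator AWS runs.

```python
import re

# Constructed sample values for illustration; not taken from any real account.
PARTITION = "aws"
BUCKET_ARN = f"arn:{PARTITION}:s3:::amzn-s3-demo-bucket"
POLICY_RESOURCE = f"{BUCKET_ARN}/*/test/*"

# Object keys the page lists as matching the policy resource above.
MATCHING_KEYS = [
    "1/test/object.jpg",
    "1/2/test/object.jpg",
    "1/2/test/3/object.jpg",
    "1/2/3/test/4/object.jpg",
    "1///test///object.jpg",
    "1/test/.jpg",
    "/test/object.jpg",   # key begins with '/', giving 'bucket//test/...'
    "1/test/",            # key ends with '/'
]

# Object keys the page lists as NOT matching.
NON_MATCHING_KEYS = [
    "1-test/object.jpg",
    "test/object.jpg",
    "1/2/test.jpg",
]


def compile_resource_pattern(pattern: str) -> re.Pattern:
    """Turn an IAM-style resource pattern into an anchored regex.

    '*' becomes '.*' (any run of characters, '/' and ':' included) and
    '?' becomes '.' (exactly one character); everything else is escaped
    so it matches literally. Illustrative reimplementation of the
    documented rules, not AWS's own evaluator.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out), re.DOTALL)


def resource_matches(pattern: str, arn: str) -> bool:
    """True when the whole ARN is covered by the pattern."""
    return compile_resource_pattern(pattern).fullmatch(arn) is not None


def evaluate_keys(pattern: str, keys: list[str]) -> dict[str, bool]:
    """Map each object key to whether its full object ARN is covered."""
    return {key: resource_matches(pattern, f"{BUCKET_ARN}/{key}") for key in keys}


if __name__ == "__main__":
    for key, covered in evaluate_keys(POLICY_RESOURCE, MATCHING_KEYS + NON_MATCHING_KEYS).items():
        print(f"{'MATCH   ' if covered else 'no match'}  amzn-s3-demo-bucket/{key}")

    # Caveat from the section: a trailing '*' runs past colon boundaries.
    # This pattern ends at the account-ID segment yet covers every IAM
    # resource in every account of the partition.
    overbroad = f"arn:{PARTITION}:iam::*"
    print(resource_matches(overbroad, f"arn:{PARTITION}:iam::123456789012:user/bob"))

    # '?' matches exactly one character, so report-1.csv matches but
    # report-10.csv does not.
    one_char = f"{BUCKET_ARN}/report-?.csv"
    print(resource_matches(one_char, f"{BUCKET_ARN}/report-1.csv"),
          resource_matches(one_char, f"{BUCKET_ARN}/report-10.csv"))
```

When reviewing a policy, run candidate ARNs through a matcher like this rather than reasoning about segments by eye: the `arn:aws:iam::*` case above is the kind of grant that looks scoped to a segment but is not.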