S3 ARNs are too bucket centric

[michael-k]

awacs.s3.ARN sets account to the empty string.

https://github.com/cloudtools/awacs/blob/aba401851bcba1c92080055091ee627c1a632612/awacs/s3.py#L18-L21

• This is fine for buckets and their objects. It could also set the region to the empty string.
• But it removes the account also from other resource types that support accounts: access points, jobs, and storage lens configurations. Source https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-resources-for-iam-policies

[michael-k]

It could also set the region to the empty string.

Oh, I see that's done in BaseARN and is also not correct for access points, jobs, and storage lens configurations. I just tried to deploy an access point (with BaseARN to mitigate the missing account) and it always failed with Policy has invalid resource. Somehow I didn't notice the missing region and only figured it out after switching from BaseARN to a plain string¹.

¹ Sub("arn:${AWS::Partition}:s3:${AWS::Region}:${AWS::AccountId}:accesspoint/<access_point_name>/object/*")