Policy resource strings should be '*' or a valid ARN. Resource string arguments in the public API should be validated as ARNs.
Action - Resource matching can be made more specific by matching the action service (s3:GetObject) with the service in the resource ARN (arn:aws:s3:::foo).
The ARN format varies by service (e.g. s3 omits region and account, the resource format is bucket/object_path), so we need a way to augment ARN behavior with service-specific rules.
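One way to do the validation and service matching described above, as an added example that is not the project's own code. The names `Arn`, `SERVICE_RULES`, `parse_resource` and `action_matches_resource` are hypothetical, and the only service-specific rule shown is the s3 one mentioned in the text.

```python
from typing import NamedTuple, Optional

class Arn(NamedTuple):
    partition: str
    service: str
    region: str
    account: str
    resource: str

def _check_s3(arn: Arn) -> None:
    # Rule from the text: s3 omits region and account, resource is bucket/object_path.
    if arn.region or arn.account:
        raise ValueError("s3 ARN must omit region and account")
    bucket, _, _object_path = arn.resource.partition("/")
    if not bucket:
        raise ValueError("s3 ARN needs a bucket name")

# Hypothetical registry: service name -> extra validator layered on the generic parse.
SERVICE_RULES = {"s3": _check_s3}

def parse_resource(value: str) -> Optional[Arn]:
    """Return None for '*', an Arn for a valid ARN, otherwise raise ValueError."""
    if value == "*":
        return None
    parts = value.split(":", 5)  # the resource part may itself contain ':'
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {value!r}")
    arn = Arn(*parts[1:])
    if not (arn.partition and arn.service and arn.resource):
        raise ValueError(f"ARN missing partition, service or resource: {value!r}")
    rule = SERVICE_RULES.get(arn.service)
    if rule:
        rule(arn)
    return arn

def action_matches_resource(action: str, resource: str) -> bool:
    """True when the action's service prefix agrees with the resource's service."""
    arn = parse_resource(resource)
    if arn is None or action == "*":  # a wildcard on either side matches any service
        return True
    service, sep, name = action.partition(":")
    if not (sep and service and name):
        raise ValueError(f"action must look like service:Name, got {action!r}")
    # IAM action names are case-insensitive; ARN service names are lowercase.
    return service.lower() == arn.service
```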