Why do some AWS ARNs require account segments to be specified and others do not?

Time:01-20

I'm giving a lambda create tag access to all snapshots, volumes, and instances in an account. It only works when I specify the account ID for volumes and instances but not for snapshots.

Example IAM policy snippet

"Resource": [
    "arn:aws:ec2:*:<account-id>:volume/*",
    "arn:aws:ec2:*::snapshot/*",
    "arn:aws:ec2:*:<account-id>:instance/*"
]

Why do you need to specify the account number for some resources, but when you do it fails for others?
What is the difference between :*: and ::?

I tried

"Resource": [
    "arn:aws:ec2:*::volume/*",
    "arn:aws:ec2:*::snapshot/*",
    "arn:aws:ec2:*::instance/*"
]

and

"Resource": [
    "arn:aws:ec2:*:<account-id>:volume/*",
    "arn:aws:ec2:*:<account-id>:snapshot/*",
    "arn:aws:ec2:*:<account-id>:instance/*"
]

but the first failed for volumes and the second failed for snapshots. I'd expect the format to be consistent.

CodePudding user response:

Why do you need to specify the account number for some resources, but when you do it fails for others?

For two, sometimes overlapping, reasons:

First, because specificity is required in some cases and not in others. S3 for example requires globally unique bucket names, so account is superfluous.

Otherwise, for legacy reasons. Again, S3 is a great example as one of the first... maybe the first AWS service, there was no concept of ARN yet.

What is the difference between :*: and ::?

Nothing, both are functionally the same, but only one will be generally accepted for a given resource type, because the ARN requirements vary from resource type to resource type. According to the QuickSight's ARN Documentation, "You can use wildcard characters (* and ?) within any ARN segment." However, if the segment is required for that resource type, you can use the wildcard to represent its value, but if the segment is not required I don't believe you can in all cases.

To look up the ARN specification for a resource type you can follow the Service Authorization Reference, select Actions, resources, and condition keys for AWS services, then find your specific resource type. In this case, one example is EC2 Snapshot.

So you can go to Amazon EC2 and find snapshot under Resource Types which yields this ARN format string. arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId}

In this case, I would omit the account segment entirely for snapshot ARNs.
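To see why the three Resource lists from the question behave differently, here is an added illustration (not part of the original thread) that compares each policy pattern against a sample ARN segment by segment, the way IAM's within-segment wildcard matching works; the account id and resource ids are constructed placeholders, and the format strings are the ones the Service Authorization Reference lists for EC2.

```python
import fnmatch

# Resource ARN formats as documented in the Service Authorization Reference:
# the snapshot format has an empty account segment, volume and instance do not.
ARN_FORMATS = {
    "volume":   "arn:${Partition}:ec2:${Region}:${Account}:volume/${VolumeId}",
    "snapshot": "arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId}",
    "instance": "arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}",
}

# Constructed sample ARNs shaped like the formats above (placeholder ids, not real resources).
ACCOUNT = "123456789012"
SAMPLE_ARNS = {
    "volume":   f"arn:aws:ec2:us-east-1:{ACCOUNT}:volume/vol-0abc",
    "snapshot": "arn:aws:ec2:us-east-1::snapshot/snap-0abc",
    "instance": f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0abc",
}

def split_arn(arn: str) -> list[str]:
    """Split an ARN into its six segments: arn, partition, service, region, account, resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts

def account_required(kind: str) -> bool:
    """True when the documented format carries a value in the account segment."""
    return split_arn(ARN_FORMATS[kind])[4] != ""

def arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style match: every segment of the policy pattern must match the same
    segment of the real ARN; * and ? are wildcards within a segment, and an
    empty pattern segment only matches an empty ARN segment."""
    return all(fnmatch.fnmatchcase(seg, pat)
               for pat, seg in zip(split_arn(pattern), split_arn(arn)))

def evaluate(resources: list[str]) -> dict[str, bool]:
    """For each resource type, is its sample ARN covered by any pattern in the Resource list?"""
    return {kind: any(arn_matches(pat, arn) for pat in resources)
            for kind, arn in SAMPLE_ARNS.items()}

# The three Resource lists from the question, with the account id filled in.
POLICY_MIXED = [f"arn:aws:ec2:*:{ACCOUNT}:volume/*", "arn:aws:ec2:*::snapshot/*",
                f"arn:aws:ec2:*:{ACCOUNT}:instance/*"]
POLICY_NO_ACCOUNT = ["arn:aws:ec2:*::volume/*", "arn:aws:ec2:*::snapshot/*",
                     "arn:aws:ec2:*::instance/*"]
POLICY_ALL_ACCOUNT = [f"arn:aws:ec2:*:{ACCOUNT}:volume/*", f"arn:aws:ec2:*:{ACCOUNT}:snapshot/*",
                      f"arn:aws:ec2:*:{ACCOUNT}:instance/*"]

if __name__ == "__main__":
    for name, policy in [("mixed", POLICY_MIXED), ("no account", POLICY_NO_ACCOUNT),
                         ("all account", POLICY_ALL_ACCOUNT)]:
        print(name, evaluate(policy))
```

Only the mixed list covers all three sample ARNs, which is the behaviour the question observed.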

CodePudding user response:

I guess it's for security purposes. Keeping the account_id blank or wildcard * means it's for any account. Specifying account_id means it's restricted to that specific account only.
