Why does S3 bucket ARN not contain AWS account number?

5
votes

Unlike other AWS services, s3 resources, ARN does not contain AWS account number.
Few sample ARNs are:

  • -- Elastic Beanstalk application version --
    arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment

  • -- IAM user name --
    arn:aws:iam::123456789012:user/David

  • -- Amazon RDS instance used for tagging --
    arn:aws:rds:eu-west-1:123456789012:db:mysql-db

On the other hand s3 bucket ARN looks like:

  • arn:aws:s3:::my_corporate_bucket/exampleobject.png
3
amazon-web-servicesamazon-s3

3 Answers

13
votes

S3 Bucket ARNs do not require an account number or region since bucket names are unique across all accounts/regions.

2
votes

The problem with this, however, is that it is not possible to write a policy that restricts actions only on a bucket in my account. The risk being that some user in my account may leak data out by pushing data to another account’s bucket.

0
votes

The question is "Why does S3 bucket ARN not contain AWS account number?" and the answer to that is because S3 was the first AWS service to be launched and many things have changed since then. S3 hasn't managed yet to implement the ARN in the bucket name. We don't know why that is. It could be that it's technically challenging or that it's just not being prioritized by the service team.

One way to validate that the bucket objects are being uploaded to belongs to you to avoid accidental data leak to other people's buckets is to use the recently released bucket owner condition:

https://aws.amazon.com/about-aws/whats-new/2020/09/amazon-s3-bucket-owner-condition-helps-validate-correct-bucket-ownership https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html

Another way (where supported) is to use S3 Access Points: https://aws.amazon.com/s3/features/access-points/