ARN Formats
ARNs are delimited by colons, and composed of segments, which are the parts separated by colons (:). The specific components and values used in the segments of an ARN depend on which AWS service the ARN is for. The following example shows how ARNs are constructed.
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id
These ARNs contain the following segments:
partition: aws. If you have resources in other partitions, the partition is aws-partitionname. For example, the partition for resources in the China (Beijing) Region is aws-cn.
service: quicksight identifies Amazon Quick Sight, s3 identifies Amazon S3, iam identifies IAM, and so on.
region
account-id
arn:aws:s3:::bucket_name
arn:aws:s3:::bucket_name/key_name
resource, resource-type: (user/Bob or instance/i-1234567890abcdef0) or a resource path. For example, some resource identifiers include a parent resource (sub-resource-type/parent-resource/sub-resource, resource-type:resource-name:qualifier).
Some resource ARNs can include a path, a variable, or a wildcard.
You can use wildcard characters (* and ?) within any ARN segment. An asterisk (*) represents any combination of zero or more characters, and a question mark (?) represents any single character. You can use multiple * or ? characters in each segment. If you are using the ARN for permissions, avoid using * wildcards if possible, to limit access to only the required elements. Following are some examples of using paths, wildcards, and variables.
For the following example, we use an S3 ARN. You might use this when you give permissions to S3 in an IAM policy. This S3 ARN specifies a path and file.
Note
The term key name is used to describe what looks like a path and file after bucketname/. These are called key names because a bucket doesn't actually contain folder structures like those used in your computer's file system. Instead the slash (/) is a delimiter that helps to make the organization of the bucket more intuitive. In this case, the bucket name is amzn-s3-demo-bucket, and the key name is developers/design_info.doc.
arn:aws:s3:::amzn-s3-demo-bucket/my-data/sales-export-2019-q4.json
If you want to identify all the objects in the bucket, you can use a wildcard to indicate that all key names (or paths and files) are included in the ARN, as follows.
arn:aws:s3:::amzn-s3-demo-bucket/*
You can use part of a key name plus the wildcard to identify all the objects that begin with a specific pattern. In this case, it resembles a folder name plus a wildcard, as shown following. However, this ARN also includes any "subfolders" inside of my-data.
arn:aws:s3:::amzn-s3-demo-bucket/my-data/*
You can specify a partial name by adding a wildcard. This one identifies any objects beginning with my-data/sales-export*.
arn:aws:s3:::amzn-s3-demo-bucket/my-data/sales-export*
In this case, using this wildcard includes objects with names like the following:
- my-data/sales-export-1.xlsx
- my-data/sales-export-new.txt
- my-data/sales-export-2019/file1.txt
You can use wildcards of both types (asterisks and question marks) in combination or separately, as shown following.
arn:aws:s3:::amzn-s3-demo-bucket/my-data/sales-export-2019-q?.*
arn:aws:s3:::amzn-s3-demo-bucket/my-data/sales-export-20??-q?.*
Or, if you want to future-proof the ARN, you can replace the entire year with a wildcard, rather than just using wildcards for the last two digits.
arn:aws:s3:::amzn-s3-demo-bucket/my-data/sales-export-????-q?.*
arn:aws:s3:::amzn-s3-demo-bucket/my-data/sales-export-*-q?.*
To read more about S3 ARNs, see Specifying Resources in a Policy and Object Key and Metadata in the Amazon Simple Storage Service User Guide.
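The wildcard behavior described above, as an added example that is not part of the original AWS page: a small Python matcher that applies * and ? within each colon-delimited segment, as this page describes them, and lists which object keys a given S3 ARN pattern covers. The function names and the sample keys are constructed for illustration; this is a model for reviewing how broad a pattern is, not AWS's policy evaluation code, and it does not handle policy variables.

```python
import re

def segment_regex(pattern):
    """Compile one ARN segment: '*' is zero or more characters, '?' is exactly one."""
    out = []
    for ch in pattern:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out), re.DOTALL)

def arn_matches(pattern, arn):
    """True when each colon-delimited segment of arn matches the pattern's segment."""
    # Split on the first five colons only; the resource segment may contain ':' itself.
    p_segs, a_segs = pattern.split(":", 5), arn.split(":", 5)
    if len(p_segs) != 6 or len(a_segs) != 6:
        return False
    return all(segment_regex(p).fullmatch(a) for p, a in zip(p_segs, a_segs))

def covered_keys(pattern, keys, bucket="amzn-s3-demo-bucket"):
    """Return the keys whose object ARN is covered by the ARN pattern."""
    return [k for k in keys if arn_matches(pattern, f"arn:aws:s3:::{bucket}/{k}")]

# Constructed sample keys; the first three are the names listed on the page.
SAMPLE_KEYS = [
    "my-data/sales-export-1.xlsx",
    "my-data/sales-export-new.txt",
    "my-data/sales-export-2019/file1.txt",
    "my-data/sales-export-2019-q4.json",
    "my-data/sales-export-2019-q10.json",
    "my-data/sales-export-2019-archive/x-q1.txt",
    "other/readme.txt",
]

PREFIX = "arn:aws:s3:::amzn-s3-demo-bucket/my-data/"

if __name__ == "__main__":
    # Print what each of the page's pattern styles covers in the sample set.
    for tail in ("*", "sales-export*", "sales-export-????-q?.*", "sales-export-*-q?.*"):
        print(PREFIX + tail)
        for key in covered_keys(PREFIX + tail, SAMPLE_KEYS):
            print("   covers", key)
```

Run against the sample keys, the `sales-export-*-q?.*` form also covers the nested `sales-export-2019-archive/x-q1.txt` key, which the `????` form does not, because * spans slashes.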