S3 ARNs are too bucket centric

[michael-k]

awacs.s3.ARN sets account to the empty string.

awacs/awacs/s3.py

Lines 18 to 21 in aba4018

	class ARN(BaseARN):
	def __init__(self, resource: str = "", region: str = "", account: str = "") -> None:
	# account is empty for S3
	super().__init__(service=prefix, resource=resource, region=region, account="")

• This is fine for buckets and their objects. It could also set the region to the empty string.
• But it removes the account also from other resource types that support accounts: access points, jobs, and storage lens configurations.
  
  Source https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-resources-for-iam-policies

[michael-k]

It could also set the region to the empty string.

Oh, I see that's done in BaseARN and is also not correct for access points, jobs, and storage lens configurations. I just tried to deploy an access point (with BaseARN to mitigate the missing account) and it always failed with Policy has invalid resource. Somehow I didn't notice the missing region and only figured it out after switching from BaseARN to a plain string¹.

¹ Sub("arn:${AWS::Partition}:s3:${AWS::Region}:${AWS::AccountId}:accesspoint/<access_point_name>/object/*")