IAM:
- everything in AWS has an ARN
- IAM is a mapping from ARN principals to a list of other ARNs
- these other ARNs are actions you are allowed to do
- every action is labeled with an ARN
- in this context () is allowed to do this action.ARN in this environment