On page 144 there is Table 6.3 which provides examples of valid ARNs. I believe ARN strings for S3 resources do not permit the use of region and account number. It seems like a mistake to show an ARN example for S3 that includes region and account number, per this documentation: Specifying Resources in a Policy - Amazon Simple Storage Service