Amazon Web Services
General Reference (Version 1.0)

Amazon Resource Names (ARNs) and AWS Service Namespaces

Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.

ARN Format

Here are some example ARNs:

<!-- Elastic Beanstalk environment -->
arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment

<!-- IAM user name -->
arn:aws:iam::123456789012:user/David

<!-- Amazon RDS instance used for tagging -->
arn:aws:rds:eu-west-1:123456789012:db:mysql-db

<!-- Object in an Amazon S3 bucket -->
arn:aws:s3:::my_corporate_bucket/exampleobject.png

The following are the general formats for ARNs; the specific components and values used depend on the AWS service.

arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource
arn:partition:service:region:account-id:resourcetype:resource

partition

The partition that the resource is in. For standard AWS regions, the partition is aws. If you have resources in other partitions, the partition is aws-partitionname. For example, the partition for resources in the China (Beijing) region is aws-cn.

service

The service namespace that identifies the AWS product (for example, Amazon S3, IAM, or Amazon RDS). For a list of namespaces, see AWS Service Namespaces.

region

The region the resource resides in. Note that the ARNs for some resources do not require a region, so this component might be omitted.

account-id

The ID of the AWS account that owns the resource, without the hyphens. For example, 123456789012. Note that the ARNs for some resources don't require an account number, so this component might be omitted.

resource, resourcetype:resource, or resourcetype/resource

The content of this part of the ARN varies by service. It often includes an indicator of the type of resource—for example, an IAM user or Amazon RDS database—followed by a slash (/) or a colon (:), followed by the resource name itself. Some services allow paths for resource names, as described in Paths in ARNs.

Example ARNs

The following sections provide syntax and examples of the ARNs for different services. For more information about using ARNs in a specific AWS service, see the documentation for that service.

Some services support IAM resource-level permissions. For more information, see AWS Services That Work with IAM.

Amazon API Gateway

Syntax:

arn:aws:apigateway:region::resource-path

Examples:

arn:aws:apigateway:us-east-1::/restapis/a123456789012bc3de45678901f23a45/*
arn:aws:apigateway:us-east-1::a123456789012bc3de45678901f23a45:/test/mydemoresource/*
arn:aws:apigateway:*::a123456789012bc3de45678901f23a45:/*/petstorewalkthrough/pets

AWS Artifact

Syntax:

arn:aws:artifact:::report-package/document-type/report-type

Examples:

arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*
arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*
arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*

Auto Scaling

Syntax:

arn:aws:autoscaling:region:account-id:scalingPolicy:policyid:autoScalingGroupName/groupfriendlyname:policyName/policyfriendlyname
arn:aws:autoscaling:region:account-id:autoScalingGroup:groupid:autoScalingGroupName/groupfriendlyname

Example:

arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:c7a27f55-d35e-4153-b044-8ca9155fc467:autoScalingGroupName/my-test-asg1:policyName/my-scaleout-policy

AWS Certificate Manager

Syntax:

arn:aws:acm:region:account-id:certificate/certificate-id

Example:

arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012

AWS CloudFormation

Syntax:

arn:aws:cloudformation:region:account-id:stack/stackname/additionalidentifier

Example:

arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c

Amazon CloudSearch

Syntax:

arn:aws:cloudsearch:region:account-id:domain/domainname

Example:

arn:aws:cloudsearch:us-east-1:123456789012:domain/imdb-movies

AWS CloudTrail

Syntax:

arn:aws:cloudtrail:region:account-id:trail/trailname

Example:

arn:aws:cloudtrail:us-east-1:123456789012:trail/mytrailname

Amazon CloudWatch Events

Syntax:

arn:aws:events:region:*:*

Examples:

arn:aws:events:us-east-1:*:*
arn:aws:events:us-east-1:account-id:*
arn:aws:events:us-east-1:account-id:rule/rule_name

Amazon CloudWatch Logs

Syntax:

arn:aws:logs:region:*:*

Examples:

arn:aws:logs:us-east-1:*:*
arn:aws:logs:us-east-1:account-id:*
arn:aws:logs:us-east-1:account-id:log-group:log_group_name
arn:aws:logs:us-east-1:account-id:log-group:log_group_name:*
arn:aws:logs:us-east-1:account-id:log-group:log_group_name_prefix*
arn:aws:logs:us-east-1:account-id:log-group:log_group_name:log-stream:log_stream_name
arn:aws:logs:us-east-1:account-id:log-group:log_group_name:log-stream:log_stream_name_prefix*
arn:aws:logs:us-east-1:account-id:log-group:log_group_name_prefix*:log-stream:log_stream_name_prefix*

AWS CodeBuild

Syntax:

arn:aws:codebuild:region:account-id:resourcetype/resource

Examples:

arn:aws:codebuild:us-east-1:123456789012:project/my-demo-project
arn:aws:codebuild:us-east-1:123456789012:build/my-demo-project:7b7416ae-89b4-46cc-8236-61129df660ad

AWS CodeCommit

Syntax:

arn:aws:codecommit:region:account-id:resource-specifier

Example:

arn:aws:codecommit:us-east-1:123456789012:MyDemoRepo

AWS CodeDeploy

Syntax:

arn:aws:codedeploy:region:account-id:resource-type:resource-specifier
arn:aws:codedeploy:region:account-id:resource-type/resource-specifier

Examples:

arn:aws:codedeploy:us-east-1:123456789012:application:WordPress_App
arn:aws:codedeploy:us-east-1:123456789012:instance/AssetTag*

AWS CodePipeline

Syntax:

arn:aws:codepipeline:region:account-id:resource-specifier

Example:

arn:aws:codepipeline:us-east-1:123456789012:MyDemoPipeline

AWS Direct Connect

Syntax:

arn:aws:directconnect:region:account-id:dxcon/connection-id
arn:aws:directconnect:region:account-id:dxvif/virtual-interface-id

Examples:

arn:aws:directconnect:us-east-1:123456789012:dxcon/dxcon-fgase048
arn:aws:directconnect:us-east-1:123456789012:dxvif/dxvif-fgrb110x

Amazon DynamoDB

Syntax:

arn:aws:dynamodb:region:account-id:table/tablename

Example:

arn:aws:dynamodb:us-east-1:123456789012:table/books_table

Amazon EC2 Container Registry (Amazon ECR)

Syntax:

arn:aws:ecr:region:account-id:repository/repository-name

Example:

arn:aws:ecr:us-east-1:123456789012:repository/my-repository

Amazon EC2 Container Service (Amazon ECS)

Syntax:

arn:aws:ecs:region:account-id:cluster/cluster-name
arn:aws:ecs:region:account-id:container-instance/container-instance-id
arn:aws:ecs:region:account-id:task-definition/task-definition-family-name:task-definition-revision-number
arn:aws:ecs:region:account-id:service/service-name
arn:aws:ecs:region:account-id:task/task-id
arn:aws:ecs:region:account-id:container/container-id

Examples:

arn:aws:ecs:us-east-1:123456789012:cluster/my-cluster
arn:aws:ecs:us-east-1:123456789012:container-instance/403125b0-555c-4473-86b5-65982db28a6d
arn:aws:ecs:us-east-1:123456789012:task-definition/hello_world:8
arn:aws:ecs:us-east-1:123456789012:service/sample-webapp
arn:aws:ecs:us-east-1:123456789012:task/1abf0f6d-a411-4033-b8eb-a4eed3ad252a
arn:aws:ecs:us-east-1:123456789012:container/476e7c41-17f2-4c17-9d14-412566202c8a

Amazon Elastic Compute Cloud (Amazon EC2)

Syntax:

arn:aws:ec2:region:account-id:customer-gateway/cgw-id
arn:aws:ec2:region:account-id:dedicated-host/host-id
arn:aws:ec2:region:account-id:dhcp-options/dhcp-options-id
arn:aws:ec2:region::image/image-id
arn:aws:ec2:region:account-id:instance/instance-id
arn:aws:iam::account-id:instance-profile/instance-profile-name
arn:aws:ec2:region:account-id:internet-gateway/igw-id
arn:aws:ec2:region:account-id:key-pair/key-pair-name
arn:aws:ec2:region:account-id:network-acl/nacl-id
arn:aws:ec2:region:account-id:network-interface/eni-id
arn:aws:ec2:region:account-id:placement-group/placement-group-name
arn:aws:ec2:region:account-id:route-table/route-table-id
arn:aws:ec2:region:account-id:security-group/security-group-id
arn:aws:ec2:region::snapshot/snapshot-id
arn:aws:ec2:region:account-id:subnet/subnet-id
arn:aws:ec2:region:account-id:volume/volume-id
arn:aws:ec2:region:account-id:vpc/vpc-id
arn:aws:ec2:region:account-id:vpc-peering-connection/vpc-peering-connection-id
arn:aws:ec2:region:account-id:vpn-connection/vpn-id
arn:aws:ec2:region:account-id:vpn-gateway/vgw-id

Examples:

arn:aws:ec2:us-east-1:123456789012:dedicated-host/h-12345678
arn:aws:ec2:us-east-1::image/ami-1a2b3c4d
arn:aws:ec2:us-east-1:123456789012:instance/*
arn:aws:ec2:us-east-1:123456789012:volume/*
arn:aws:ec2:us-east-1:123456789012:volume/vol-1a2b3c4d

AWS Elastic Beanstalk

Syntax:

arn:aws:elasticbeanstalk:region:account-id:application/applicationname
arn:aws:elasticbeanstalk:region:account-id:applicationversion/applicationname/versionlabel
arn:aws:elasticbeanstalk:region:account-id:environment/applicationname/environmentname
arn:aws:elasticbeanstalk:region::solutionstack/solutionstackname
arn:aws:elasticbeanstalk:region:account-id:configurationtemplate/applicationname/templatename

Examples:

arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App
arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version
arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
arn:aws:elasticbeanstalk:us-east-1::solutionstack/32bit Amazon Linux running Tomcat 7
arn:aws:elasticbeanstalk:us-east-1:123456789012:configurationtemplate/My App/My Template

Amazon Elastic File System

Syntax:

arn:aws:elasticfilesystem:region:account-id:file-system/file-system-id

Example:

arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs12345678

Elastic Load Balancing (Application Load Balancer)

Syntax:

arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
arn:aws:elasticloadbalancing:region:account-id:listener/app/load-balancer-name/load-balancer-id/listener-id
arn:aws:elasticloadbalancing:region:account-id:listener-rule/app/load-balancer-name/load-balancer-id/listener-id/rule-id
arn:aws:elasticloadbalancing:region:account-id:targetgroup/target-group-name/target-group-id

Examples:

arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188
arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2
arn:aws:elasticloadbalancing:us-east-1:123456789012:listener-rule/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2/9683b2d02a6cabee
arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/73e2d6bc24d8a067

Elastic Load Balancing (Classic Load Balancer)

Syntax:

arn:aws:elasticloadbalancing:region:account-id:loadbalancer/name

Example:

arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/my-load-balancer

Amazon Elastic Transcoder

Syntax:

arn:aws:elastictranscoder:region:account-id:resource/id

Example:

arn:aws:elastictranscoder:us-east-1:123456789012:preset/*

Amazon ElastiCache

Syntax:

arn:aws:elasticache:region:account-id:resourcetype:resourcename

Examples:

arn:aws:elasticache:us-west-2:123456789012:cluster:myCluster
arn:aws:elasticache:us-west-2:123456789012:snapshot:mySnapshot

Amazon Elasticsearch Service

Syntax:

arn:aws:es:region:account-id:domain/domain-name

Example:

arn:aws:es:us-east-1:123456789012:domain/streaming-logs

Amazon Glacier

Syntax:

arn:aws:glacier:region:account-id:vaults/vaultname

Examples:

arn:aws:glacier:us-east-1:123456789012:vaults/examplevault
arn:aws:glacier:us-east-1:123456789012:vaults/example*
arn:aws:glacier:us-east-1:123456789012:vaults/*

AWS Health / Personal Health Dashboard

Syntax:

arn:aws:health:region::event/event-id
arn:aws:health:region:account-id:entity/entity-id

Examples:

arn:aws:health:us-east-1::event/AWS_EC2_EXAMPLE_ID
arn:aws:health:us-east-1:123456789012:entity/AVh5GGT7ul1arKr1sE1K

AWS Identity and Access Management (IAM)

Syntax:

arn:aws:iam::account-id:root
arn:aws:iam::account-id:user/user-name
arn:aws:iam::account-id:group/group-name
arn:aws:iam::account-id:role/role-name
arn:aws:iam::account-id:policy/policy-name
arn:aws:iam::account-id:instance-profile/instance-profile-name
arn:aws:sts::account-id:federated-user/user-name
arn:aws:sts::account-id:assumed-role/role-name/role-session-name
arn:aws:iam::account-id:mfa/virtual-device-name
arn:aws:iam::account-id:server-certificate/certificate-name
arn:aws:iam::account-id:saml-provider/provider-name
arn:aws:iam::account-id:oidc-provider/provider-name

Examples:

arn:aws:iam::123456789012:root
arn:aws:iam::123456789012:user/Bob
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob
arn:aws:iam::123456789012:group/Developers
arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers
arn:aws:iam::123456789012:role/S3Access
arn:aws:iam::123456789012:role/application_abc/component_xyz/S3Access
arn:aws:iam::123456789012:policy/UsersManageOwnCredentials
arn:aws:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials
arn:aws:iam::123456789012:instance-profile/Webserver
arn:aws:sts::123456789012:federated-user/Bob
arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary
arn:aws:iam::123456789012:mfa/BobJonesMFA
arn:aws:iam::123456789012:server-certificate/ProdServerCert
arn:aws:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert
arn:aws:iam::123456789012:saml-provider/ADFSProvider
arn:aws:iam::123456789012:oidc-provider/GoogleProvider

For more information about IAM ARNs, see IAM ARNs in the IAM User Guide.

AWS IoT

Syntax:

arn:aws:iot:account-id:cert/cert-ID
arn:aws:iot:account-id:policy/policy-name
arn:aws:iot:account-id:rule/rule-name

Examples:

arn:aws:iot:123456789012:cert/123a456b789c123d456e789f123a456b789c123d456e789f123a456b789c123c456d7
arn:aws:iot:123456789012:policy/MyIoTPolicy
arn:aws:iot:123456789012:rule/MyIoTRule

AWS Key Management Service (AWS KMS)

Syntax:

arn:aws:kms:region:account-id:key/key-id
arn:aws:kms:region:account-id:alias/alias

Examples:

arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
arn:aws:kms:us-east-1:123456789012:alias/example-alias

Amazon Kinesis Firehose (Firehose)

Syntax:

arn:aws:firehose:region:account-id:deliverystream/delivery-stream-name

Example:

arn:aws:firehose:us-east-1:123456789012:deliverystream/example-stream-name

Amazon Kinesis Streams (Streams)

Syntax:

arn:aws:kinesis:region:account-id:stream/stream-name

Example:

arn:aws:kinesis:us-east-1:123456789012:stream/example-stream-name

AWS Lambda (Lambda)

Syntax:

arn:aws:lambda:region:account-id:function:function-name
arn:aws:lambda:region:account-id:function:function-name:alias-name
arn:aws:lambda:region:account-id:function:function-name:version
arn:aws:lambda:region:account-id:event-source-mappings:event-source-mapping-id

Examples:

arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords
arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords:your alias
arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords:1.0
arn:aws:lambda:us-east-1:123456789012:event-source-mappings:kinesis-stream-arn

Amazon Machine Learning (Amazon ML)

Syntax:

arn:aws:machinelearning:region:account-id:datasource/datasourceID
arn:aws:machinelearning:region:account-id:mlmodel/mlmodelID
arn:aws:machinelearning:region:account-id:batchprediction/batchpredictionID
arn:aws:machinelearning:region:account-id:evaluation/evaluationID

Examples:

arn:aws:machinelearning:us-east-1:123456789012:datasource/my-datasource-1
arn:aws:machinelearning:us-east-1:123456789012:mlmodel/my-mlmodel
arn:aws:machinelearning:us-east-1:123456789012:batchprediction/my-batchprediction
arn:aws:machinelearning:us-east-1:123456789012:evaluation/my-evaluation

Amazon Polly

Syntax:

arn:aws:polly:region:account-id:lexicon/lexicon-name

Example:

arn:aws:polly:us-east-1:123456789012:lexicon/my-lexicon

Amazon Redshift

Syntax:

arn:aws:redshift:region:account-id:cluster:clustername
arn:aws:redshift:region:account-id:dbuser:clustername/dbusername
arn:aws:redshift:region:account-id:parametergroup:parametergroupname
arn:aws:redshift:region:account-id:securitygroup:securitygroupname
arn:aws:redshift:region:account-id:snapshot:clustername/snapshotname
arn:aws:redshift:region:account-id:subnetgroup:subnetgroupname

Examples:

arn:aws:redshift:us-east-1:123456789012:cluster:my-cluster
arn:aws:redshift:us-east-1:123456789012:dbuser:my-cluster/my-dbuser-name
arn:aws:redshift:us-east-1:123456789012:parametergroup:my-parameter-group
arn:aws:redshift:us-east-1:123456789012:securitygroup:my-public-group
arn:aws:redshift:us-east-1:123456789012:snapshot:my-cluster/my-snapshot20130807
arn:aws:redshift:us-east-1:123456789012:subnetgroup:my-subnet-10

Amazon Relational Database Service (Amazon RDS)

ARNs are used in Amazon RDS only with tags for DB instances. For more information, see Tagging a DB Instance in the Amazon Relational Database Service User Guide.

Syntax:

arn:aws:rds:region:account-id:db:db-instance-name
arn:aws:rds:region:account-id:snapshot:snapshot-name
arn:aws:rds:region:account-id:cluster:db-cluster-name
arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name
arn:aws:rds:region:account-id:og:option-group-name
arn:aws:rds:region:account-id:pg:parameter-group-name
arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name
arn:aws:rds:region:account-id:secgrp:security-group-name
arn:aws:rds:region:account-id:subgrp:subnet-group-name
arn:aws:rds:region:account-id:es:subscription-name

Examples:

arn:aws:rds:us-east-1:123456789012:db:mysql-db-instance1
arn:aws:rds:us-east-1:123456789012:snapshot:my-snapshot2
arn:aws:rds:us-east-1:123456789012:cluster:my-cluster1
arn:aws:rds:us-east-1:123456789012:cluster-snapshot:cluster1-snapshot7
arn:aws:rds:us-east-1:123456789012:og:mysql-option-group1
arn:aws:rds:us-east-1:123456789012:pg:mysql-repl-pg1
arn:aws:rds:us-east-1:123456789012:cluster-pg:aurora-pg3
arn:aws:rds:us-east-1:123456789012:secgrp:dev-secgrp2
arn:aws:rds:us-east-1:123456789012:subgrp:prod-subgrp1
arn:aws:rds:us-east-1:123456789012:es:monitor-events2

Amazon Route 53

Syntax:

arn:aws:route53:::hostedzone/zoneid
arn:aws:route53:::change/changeid

Note that Amazon Route 53 does not require an account number or region in ARNs.

Examples:

arn:aws:route53:::hostedzone/Z148QEXAMPLE8V
arn:aws:route53:::change/C2RDJ5EXAMPLE2
arn:aws:route53:::change/*

Amazon EC2 Simple Systems Manager (SSM)

Syntax:

arn:aws:ssm:region:account-id:document/document_name

Example:

arn:aws:ssm:us-east-1:123456789012:document/highAvailabilityServerSetup

Amazon Simple Notification Service (Amazon SNS)

Syntax:

arn:aws:sns:region:account-id:topicname
arn:aws:sns:region:account-id:topicname:subscriptionid

Examples:

arn:aws:sns:*:123456789012:my_corporate_topic
arn:aws:sns:us-east-1:123456789012:my_corporate_topic:02034b43-fefa-4e07-a5eb-3be56f8c54ce

Amazon Simple Queue Service (Amazon SQS)

Syntax:

arn:aws:sqs:region:account-id:queuename

Example:

arn:aws:sqs:us-east-1:123456789012:queue1

Amazon Simple Storage Service (Amazon S3)

Syntax:

arn:aws:s3:::bucket_name
arn:aws:s3:::bucket_name/key_name

Note

Amazon S3 does not require an account number or region in ARNs. If you specify an ARN for a policy, you can also use a wildcard "*" character in the relative-ID part of the ARN.

Examples:

arn:aws:s3:::my_corporate_bucket
arn:aws:s3:::my_corporate_bucket/exampleobject.png
arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*

For more information, see Specifying Resources in a Policy in the Amazon Simple Storage Service Developer Guide.

Amazon Simple Workflow Service (Amazon SWF)

Syntax:

arn:aws:swf:region:account-id:/domain/domain_name

Examples:

arn:aws:swf:us-east-1:123456789012:/domain/department1
arn:aws:swf:*:123456789012:/domain/*

AWS Step Functions

Syntax:

arn:aws:states:region:account-id:activity:activityName
arn:aws:states:region:account-id:stateMachine:stateMachineName
arn:aws:states:region:account-id:execution:stateMachineName:executionName

Examples:

arn:aws:states:us-east-1:123456789012:activity:HelloActivity
arn:aws:states:us-east-1:123456789012:stateMachine:HelloStateMachine
arn:aws:states:us-east-1:123456789012:execution:HelloStateMachine:HelloStateMachineExecution

AWS Storage Gateway

Syntax:

arn:aws:storagegateway:region:account-id:gateway/gateway-id
arn:aws:storagegateway:region:account-id:gateway/gateway-id/volume/volume-id
arn:aws:storagegateway:region:account-id:tape/tapebarcode
arn:aws:storagegateway:region:account-id:gateway/gateway-id/target/iSCSItarget
arn:aws:storagegateway:region:account-id:gateway/gateway-id/device/vtldevice

Examples:

arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/volume/vol-1122AABB
arn:aws:storagegateway:us-east-1:123456789012:tape/AMZNC8A26D
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/target/iqn.1997-05.com.amazon:vol-1122AABB
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/device/AMZN_SGW-FF22CCDD_TAPEDRIVE_00010

Note

For each AWS Storage Gateway resource, you can specify a wildcard (*).

AWS Trusted Advisor

Syntax:

arn:aws:trustedadvisor:*:account-id:checks/categorycode/checkid

Example:

arn:aws:trustedadvisor:*:123456789012:checks/fault_tolerance/BueAdJ7NrP

AWS WAF

Syntax:

arn:aws:waf:region:account-id:resource-type/resource-id

Examples:

arn:aws:waf:us-east-1:123456789012:rule/41b5b052-1e4a-426b-8149-3595be6342c2
arn:aws:waf:us-east-1:123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3
arn:aws:waf:us-east-1:123456789012:ipset/3f74bd8c-f046-4970-a1a7-41aa52e05480
arn:aws:waf:us-east-1:123456789012:bytematchset/d131bc0b-57be-4536-af1d-4894fd28acc4
arn:aws:waf:us-east-1:123456789012:sqlinjectionset/2be79d6f-2f41-4c9b-8192-d719676873f0
arn:aws:waf:us-east-1:123456789012:changetoken/03ba2197-fc98-4ac0-a67d-5b839762b16b

Paths in ARNs

Some services let you specify a path for the resource name. For example, in Amazon S3, the resource identifier is an object name that can include slashes (/) to form a path. Similarly, IAM user names and group names can include paths.

In some circumstances, paths can include a wildcard character, namely an asterisk (*). For example, if you are writing an IAM policy and in the Resource element you want to specify all IAM users that have the path product_1234, you can use a wildcard like this:

arn:aws:iam::123456789012:user/Development/product_1234/*

Similarly, in the Resource element of an IAM policy, at the end of the ARN you can specify user/* to mean all users or group/* to mean all groups, as in the following examples:

"Resource":"arn:aws:iam::123456789012:user/*"
"Resource":"arn:aws:iam::123456789012:group/*"

You cannot use a wildcard to specify all users in the Principal element in a resource-based policy or a role trust policy. Groups are not supported as principals in any policy.

The following example shows ARNs for an Amazon S3 bucket in which the resource name includes a path:

arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*

You cannot use a wildcard in the portion of the ARN that specifies the resource type, such as the term user in an IAM ARN.

The following is not allowed:

arn:aws:iam::123456789012:u*
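
The following Python is an added example, not code from the AWS reference: it parses the general ARN format described under ARN Format and applies the resource-type wildcard rule above to the Resource elements of a policy. The TYPED_SERVICES set, the function names and the sample policy are assumptions made for the example.

```python
import re
from typing import NamedTuple, Optional

# Services whose syntax on this page is resourcetype/resource or
# resourcetype:resource (a subset picked for this example). S3, SNS, SQS and
# others have no resource-type segment, so the type check must skip them.
TYPED_SERVICES = {"iam", "sts", "ec2", "rds", "dynamodb", "kms", "lambda", "ecs"}

class Arn(NamedTuple):
    partition: str
    service: str
    region: str      # empty where the service omits it (IAM, S3, Route 53)
    account_id: str  # empty where the service omits it (S3, Route 53)
    resource: str    # service-specific; may itself contain ':' and '/'

def parse_arn(text: str) -> Arn:
    """Split arn:partition:service:region:account-id:resource into fields."""
    # maxsplit=5 keeps colons that belong to the resource, for example
    # log-group:name:log-stream:name, inside the last field.
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not in arn:partition:service:region:account-id:resource form")
    _, partition, service, region, account_id, resource = parts
    if partition != "aws" and not partition.startswith("aws-"):
        raise ValueError("unknown partition")
    if not service or not resource:
        raise ValueError("service and resource are required")
    # Account IDs are 12 digits without hyphens; '*' appears in policy patterns.
    if account_id and not re.fullmatch(r"\d{12}|\*", account_id):
        raise ValueError("account-id must be 12 digits, '*' or empty")
    return Arn(partition, service, region, account_id, resource)

def resource_type(arn: Arn) -> Optional[str]:
    """Return the resource-type segment, or None if the service has none."""
    if arn.service not in TYPED_SERVICES:
        return None
    # The type ends at the first '/' or ':'. With no delimiter (iam 'root', or
    # a truncated pattern such as 'u*') the whole resource is the type.
    return re.split(r"[/:]", arn.resource, maxsplit=1)[0]

def wildcard_in_type(text: str) -> bool:
    """True when a wildcard sits in the resource-type portion of the ARN."""
    rtype = resource_type(parse_arn(text))
    # Choice made for this example: a bare '*' resource is not treated as a
    # partial type name, so it is not reported here.
    return rtype is not None and rtype != "*" and "*" in rtype

def audit_policy(policy: dict) -> list:
    """Return (statement index, resource, problem) for each bad Resource."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        resources = statement.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for resource in resources:
            if resource == "*":  # not an ARN; out of scope for this check
                continue
            try:
                if wildcard_in_type(resource):
                    findings.append((index, resource, "wildcard in resource type"))
            except ValueError as exc:
                findings.append((index, resource, str(exc)))
    return findings

# Constructed sample: ARNs from this page plus two deliberately broken entries.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:GetUser", "Resource": [
            "arn:aws:iam::123456789012:user/Development/product_1234/*",
            "arn:aws:iam::123456789012:u*",        # wildcard in the type
            "arn:aws:iam:123456789012:user/Bob",   # empty region field dropped
        ]},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my_corporate_bucket/Development/*"},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

The third IAM entry shows a common slip: dropping the empty region field shifts every later component by one, so the parser rejects it.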

AWS Service Namespaces

When you create AWS IAM policies or work with Amazon Resource Names (ARNs), you identify an AWS service using a namespace. For example, the namespace for Amazon S3 is s3, and the namespace for Amazon EC2 is ec2. You use namespaces when identifying actions and resources.

The following example shows an IAM policy where the value of the Action elements and the values in the Resource and Condition elements use namespaces to identify the services for the actions and resources.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": [
        "arn:aws:ec2:us-west-2:123456789012:customer-gateway/*",
        "arn:aws:ec2:us-west-2:123456789012:dhcp-options/*",
        "arn:aws:ec2:us-west-2::image/*",
        "arn:aws:ec2:us-west-2:123456789012:instance/*",
        "arn:aws:iam::123456789012:instance-profile/*",
        "arn:aws:ec2:us-west-2:123456789012:internet-gateway/*",
        "arn:aws:ec2:us-west-2:123456789012:key-pair/*",
        "arn:aws:ec2:us-west-2:123456789012:network-acl/*",
        "arn:aws:ec2:us-west-2:123456789012:network-interface/*",
        "arn:aws:ec2:us-west-2:123456789012:placement-group/*",
        "arn:aws:ec2:us-west-2:123456789012:route-table/*",
        "arn:aws:ec2:us-west-2:123456789012:security-group/*",
        "arn:aws:ec2:us-west-2::snapshot/*",
        "arn:aws:ec2:us-west-2:123456789012:subnet/*",
        "arn:aws:ec2:us-west-2:123456789012:volume/*",
        "arn:aws:ec2:us-west-2:123456789012:vpc/*",
        "arn:aws:ec2:us-west-2:123456789012:vpc-peering-connection/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example_bucket/marketing/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket*",
      "Resource": "arn:aws:s3:::example_bucket",
      "Condition": {"StringLike": {"s3:prefix": "marketing/*"}}
    }
  ]
}

The following table contains the namespace for each AWS service.

| Service | Namespace |
| --- | --- |
| API Gateway | apigateway |
| Amazon AppStream | appstream |
| AWS Artifact | artifact |
| Auto Scaling | autoscaling |
| AWS Billing and Cost Management | aws-portal |
| AWS Certificate Manager (ACM) | acm |
| AWS CloudFormation | cloudformation |
| Amazon CloudFront | cloudfront |
| AWS CloudHSM | cloudhsm |
| Amazon CloudSearch | cloudsearch |
| AWS CloudTrail | cloudtrail |
| Amazon CloudWatch | cloudwatch |
| Amazon CloudWatch Events | events |
| Amazon CloudWatch Logs | logs |
| AWS CodeBuild | codebuild |
| AWS CodeCommit | codecommit |
| AWS CodeDeploy | codedeploy |
| AWS CodePipeline | codepipeline |
| Amazon Cognito Identity | cognito-identity |
| Amazon Cognito Sync | cognito-sync |
| AWS Config | config |
| AWS Data Pipeline | datapipeline |
| AWS Database Migration Service (AWS DMS) | dms |
| AWS Device Farm | devicefarm |
| AWS Direct Connect | directconnect |
| AWS Directory Service | ds |
| Amazon DynamoDB | dynamodb |
| Amazon Elastic Compute Cloud (Amazon EC2) | ec2 |
| Amazon EC2 Container Registry (Amazon ECR) | ecr |
| Amazon EC2 Container Service (Amazon ECS) | ecs |
| Amazon EC2 Simple Systems Manager (SSM) | ssm |
| AWS Elastic Beanstalk | elasticbeanstalk |
| Amazon Elastic File System (Amazon EFS) | elasticfilesystem |
| Elastic Load Balancing | elasticloadbalancing |
| Amazon EMR | elasticmapreduce |
| Amazon Elastic Transcoder | elastictranscoder |
| Amazon ElastiCache | elasticache |
| Amazon Elasticsearch Service (Amazon ES) | es |
| Amazon GameLift | gamelift |
| Amazon Glacier | glacier |
| AWS Health / Personal Health Dashboard | health |
| AWS Identity and Access Management (IAM) | iam |
| AWS Import/Export | importexport |
| Amazon Inspector | inspector |
| AWS IoT | iot |
| AWS Key Management Service (AWS KMS) | kms |
| Amazon Kinesis Analytics | kinesisanalytics |
| Amazon Kinesis Firehose | firehose |
| Amazon Kinesis Streams | kinesis |
| AWS Lambda | lambda |
| Amazon Lightsail | lightsail |
| Amazon Machine Learning | machinelearning |
| AWS Marketplace | aws-marketplace |
| AWS Marketplace Management Portal | aws-marketplace-management |
| Amazon Mobile Analytics | mobileanalytics |
| AWS OpsWorks | opsworks |
| AWS OpsWorks for Chef Automate | opsworks-cm |
| Amazon Polly | polly |
| Amazon Redshift | redshift |
| Amazon Relational Database Service (Amazon RDS) | rds |
| Amazon Route 53 | route53 |
| Amazon Route 53 Domains | route53domains |
| AWS Security Token Service (AWS STS) | sts |
| AWS Service Catalog | servicecatalog |
| Amazon Simple Email Service (Amazon SES) | ses |
| Amazon Simple Notification Service (Amazon SNS) | sns |
| Amazon Simple Queue Service (Amazon SQS) | sqs |
| Amazon Simple Storage Service (Amazon S3) | s3 |
| Amazon Simple Workflow Service (Amazon SWF) | swf |
| Amazon SimpleDB | sdb |
| AWS Step Functions | states |
| AWS Storage Gateway | storagegateway |
| AWS Support | support |
| AWS Trusted Advisor | trustedadvisor |
| Amazon Virtual Private Cloud (Amazon VPC) | ec2 |
| AWS WAF | waf |
| Amazon WorkMail | workmail |
| Amazon WorkSpaces | workspaces |