Amazon Web Services
General Reference (Version 1.0)

Amazon Resource Names (ARNs) and AWS Service Namespaces

Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.

ARN Format

Here are some example ARNs:

<!-- AWS Elastic Beanstalk application version -->
arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment

<!-- IAM user name -->
arn:aws:iam::123456789012:user/David

<!-- Amazon RDS tag -->
arn:aws:rds:eu-west-1:001234567890:db:mysql-db

<!-- Amazon S3 bucket (and all objects in it)-->
arn:aws:s3:::my_corporate_bucket/*

The following are the general formats for ARNs; the specific components and values used depend on the AWS service.

arn:aws:service:region:account:resource
arn:aws:service:region:account:resourcetype/resource
arn:aws:service:region:account:resourcetype:resource

service

The service namespace that identifies the AWS product (for example, Amazon S3, IAM, or Amazon RDS). For a list of namespaces, see AWS Service Namespaces.

region

The region the resource resides in. Note that the ARNs for some resources do not require a region, so this component might be omitted.

account

The ID of the AWS account that owns the resource, without the hyphens. For example, 123456789012. Note that the ARNs for some resources don't require an account number, so this component might be omitted.

resource, resourcetype:resource, or resourcetype/resource

The content of this part of the ARN varies by service. It often includes an indicator of the type of resource (for example, an IAM user or Amazon RDS database), followed by a slash (/) or a colon (:), followed by the resource name itself. Some services allow paths for resource names, as described in Paths in ARNs.
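The following parser is an added example, not part of the original reference. It splits an ARN into the components described above, copes with an omitted region or account, and keeps colons that occur inside the resource part. The function name, the dictionary keys, and the acceptance of `*` as an account pattern are this example's own choices.

```python
import re

# Account ID: 12 digits without hyphens, omitted for some services,
# or '*' when the ARN is a pattern in a policy.
ACCOUNT_RE = re.compile(r"^(\d{12}|\*)?$")

def parse_arn(arn):
    """Split an ARN of the form arn:aws:service:region:account:resource."""
    parts = arn.split(":", 5)  # maxsplit keeps any ':' inside the resource
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    _, partition, service, region, account, resource = parts
    if not service or not resource:
        raise ValueError("service and resource are required: %r" % arn)
    if not ACCOUNT_RE.match(account):
        raise ValueError("account must be 12 digits, no hyphens: %r" % arn)
    # Heuristic: the first ':' or '/' separates resourcetype from the name.
    # S3 and SNS ARNs have no resourcetype, so for those use 'resource' whole.
    m = re.match(r"^([^:/]+)([:/])(.+)$", resource)
    rtype, sep, name = m.groups() if m else (None, None, resource)
    return {"partition": partition, "service": service, "region": region,
            "account": account, "resource": resource,
            "resourcetype": rtype, "separator": sep, "name": name}

# ARNs copied from this page's examples.
PAGE_ARNS = [
    "arn:aws:iam::123456789012:user/David",
    "arn:aws:rds:eu-west-1:001234567890:db:mysql-db",
    "arn:aws:s3:::my_corporate_bucket/*",
    "arn:aws:swf:us-east-1:123456789012:/domain/department1",
    "arn:aws:storagegateway:us-east-1:123456789012:gateway/mygateway/target/iqn.1997-05.com.amazon:myvolume",
]

if __name__ == "__main__":
    for a in PAGE_ARNS:
        p = parse_arn(a)
        print(p["service"], repr(p["region"]), repr(p["account"]), p["resource"])
```

Because the layout of the resource part depends on the service, code that makes access decisions should compare the whole `resource` field against that service's documented syntax rather than rely on the generic split.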

Example ARNs

The following sections provide syntax and examples of the ARNs for different services. For more information about using ARNs in a specific AWS service, see the documentation for that service.

Amazon DynamoDB

Syntax:

arn:aws:dynamodb:region:account:table/tablename

Example:

arn:aws:dynamodb:us-east-1:123456789012:table/books_table

Amazon Elastic Compute Cloud (Amazon EC2)

Syntax:

arn:aws:ec2:region:account:customer-gateway/cgw-id
arn:aws:ec2:region:account:dhcp-options/dhcp-options-id
arn:aws:ec2:region::image/image-id
arn:aws:ec2:region:account:instance/instance-id
arn:aws:iam::account:instance-profile/instance-profile-name
arn:aws:ec2:region:account:internet-gateway/igw-id
arn:aws:ec2:region:account:key-pair/key-pair-name
arn:aws:ec2:region:account:network-acl/nacl-id
arn:aws:ec2:region:account:network-interface/eni-id
arn:aws:ec2:region:account:placement-group/placement-group-name
arn:aws:ec2:region:account:route-table/route-table-id
arn:aws:ec2:region:account:security-group/security-group-id
arn:aws:ec2:region::snapshot/snapshot-id
arn:aws:ec2:region:account:subnet/subnet-id
arn:aws:ec2:region:account:volume/volume-id
arn:aws:ec2:region:account:vpc/vpc-id
arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id

Examples:

arn:aws:ec2:us-east-1::image/ami-1a2b3c4d
arn:aws:ec2:us-east-1:123456789012:instance/*
arn:aws:ec2:us-east-1:123456789012:volume/*
arn:aws:ec2:us-east-1:123456789012:volume/vol-1a2b3c4d

Amazon Glacier

Syntax:

arn:aws:glacier:region:account:vaults/vaultname

Examples:

arn:aws:glacier:us-east-1:123456789012:vaults/examplevault
arn:aws:glacier:us-east-1:123456789012:vaults/example*
arn:aws:glacier:us-east-1:123456789012:vaults/*

Amazon Redshift

Syntax:

arn:aws:redshift:region:account:cluster:clustername
arn:aws:redshift:region:account:parametergroup:parametergroupname
arn:aws:redshift:region:account:securitygroup:securitygroupname
arn:aws:redshift:region:account:snapshot:clustername/snapshotname
arn:aws:redshift:region:account:subnetgroup:subnetgroupname

Examples:

arn:aws:redshift:us-east-1:123456789012:cluster:my-cluster
arn:aws:redshift:us-east-1:123456789012:parametergroup:my-parameter-group
arn:aws:redshift:us-east-1:123456789012:securitygroup:my-public-group
arn:aws:redshift:us-east-1:123456789012:snapshot:my-cluster/my-snapshot20130807
arn:aws:redshift:us-east-1:123456789012:subnetgroup:my-subnet-10
                    

Amazon Relational Database Service (Amazon RDS)

ARNs are used in Amazon RDS only with tags for DB instances. For more information, see Tagging a DB Instance in the Amazon Relational Database Service User Guide.

Syntax:

arn:aws:service:region:account:db:databasename
arn:aws:service:region:account:snapshot:snapshotname

Examples:

arn:aws:rds:eu-west-1:123456789012:db:mysql-db
arn:aws:rds:us-east-1:123456789012:snapshot:my-snapshot2

Amazon Route 53

Syntax:

arn:aws:route53:::hostedzone/zoneid
arn:aws:route53:::change/changeid

Note that Amazon Route 53 does not require an account number or region in ARNs.

Examples:

arn:aws:route53:::hostedzone/Z148QEXAMPLE8V
arn:aws:route53:::change/C2RDJ5EXAMPLE2
arn:aws:route53:::change/*

Amazon Simple Notification Service (Amazon SNS)

Syntax:

arn:aws:sns:region:account:topicname
arn:aws:sns:region:account:topicname:subscriptionid

Examples:

arn:aws:sns:*:123456789012:my_corporate_topic
arn:aws:sns:us-east-1:123456789012:my_corporate_topic:02034b43-fefa-4e07-a5eb-3be56f8c54ce

Amazon Simple Queue Service (Amazon SQS)

Syntax:

arn:aws:sqs:region:account:queuename

Example:

arn:aws:sqs:us-east-1:123456789012:queue1

Amazon Simple Storage Service (Amazon S3)

Syntax:

arn:aws:s3:::bucketname
arn:aws:s3:::bucketname/objectpath

Note that Amazon S3 does not require an account number or region in ARNs.

Examples:

arn:aws:s3:::my_corporate_bucket
arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*

Amazon Simple Workflow Service (Amazon SWF)

Syntax:

arn:aws:swf:region:account:/domain/domain_name

Examples:

arn:aws:swf:us-east-1:123456789012:/domain/department1
arn:aws:swf:*:123456789012:/domain/*

Auto Scaling

Syntax:

arn:aws:autoscaling:region:account:scalingPolicy:policyid:autoScalingGroupName/groupfriendlyname:policyName/policyfriendlyname
arn:aws:autoscaling:region:account:autoScalingGroup:groupid:autoScalingGroupName/groupfriendlyname

Example:

arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:c7a27f55-d35e-4153-b044-8ca9155fc467:autoScalingGroupName/my-test-asg1:policyName/my-scaleout-policy

AWS Elastic Beanstalk

Syntax:

arn:aws:elasticbeanstalk:region:account:application/applicationname
arn:aws:elasticbeanstalk:region:account:applicationversion/applicationname/versionlabel
arn:aws:elasticbeanstalk:region:account:environment/applicationname/environmentname
arn:aws:elasticbeanstalk:region::solutionstack/solutionstackname
arn:aws:elasticbeanstalk:region:account:template/applicationname/templatename

Examples:

arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App
arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version
arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
arn:aws:elasticbeanstalk:us-east-1::solutionstack/32bit Amazon Linux running Tomcat 7
arn:aws:elasticbeanstalk:us-east-1:123456789012:template/My App/My Template

AWS Identity and Access Management (IAM)

Syntax:

arn:aws:iam::account:root
arn:aws:iam::account:user/username
arn:aws:iam::account:group/groupname
arn:aws:iam::account:role/rolename
arn:aws:iam::account:instance-profile/instanceprofilename
arn:aws:sts::account:federated-user/username
arn:aws:iam::account:mfa/virtualdevicename
arn:aws:iam::account:server-certificate/certificatename

Examples:

arn:aws:iam::123456789012:root
arn:aws:iam::123456789012:user/Bob
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob
arn:aws:iam::123456789012:group/Developers
arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers
arn:aws:iam::123456789012:role/S3Access
arn:aws:iam::123456789012:role/application_abc/component_xyz/S3Access
arn:aws:iam::123456789012:instance-profile/Webserver
arn:aws:sts::123456789012:federated-user/Bob
arn:aws:iam::123456789012:mfa/BobJonesMFA
arn:aws:iam::123456789012:server-certificate/ProdServerCert
arn:aws:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert

AWS Storage Gateway

Syntax:

arn:aws:storagegateway:region:account:gateway/gatewayname
arn:aws:storagegateway:region:account:gateway/gatewayname/volume/volumename
arn:aws:storagegateway:region:account:gateway/gatewayname/target/targetname

Examples:

arn:aws:storagegateway:us-east-1:123456789012:gateway/mygateway
arn:aws:storagegateway:us-east-1:123456789012:gateway/mygateway/volume/*
arn:aws:storagegateway:us-east-1:123456789012:gateway/mygateway/volume/vol-1122AABB
arn:aws:storagegateway:us-east-1:123456789012:gateway/mygateway/target/iqn.1997-05.com.amazon:myvolume

Elastic Load Balancing

Syntax:

arn:aws:elasticloadbalancing:region:account:loadbalancer/loadbalancername

Example:

arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/myloadbalancer

Paths in ARNs

Some services let you specify a path for the resource name. For example, in Amazon S3, the resource identifier is an object name that can include slashes (/) to form a path. Similarly, IAM user names and group names can include paths.

In some circumstances, paths can include a wildcard character, namely an asterisk (*). For example, if you are writing an IAM policy and in the Resource element you want to specify all IAM users whose name includes the prefix product_1234, you can use a wildcard like this:

arn:aws:iam::123456789012:user/Development/product_1234/*

Similarly, in the Resource element of an IAM policy, at the end of the ARN you can specify user/* to mean all users or group/* to mean all groups, as in the following examples:

"Resource":"arn:aws:iam::123456789012:user/*"
"Resource":"arn:aws:iam::123456789012:group/*"

Note

You cannot use a wildcard to specify all users in the Principal element in a resource-based policy or a role trust policy. Groups are not supported as principals in any policy.

The following example shows ARNs for an Amazon S3 bucket in which the resource name includes a path:

arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*

You cannot use a wildcard in the portion of the ARN that specifies the resource type, such as the term user in an IAM ARN. The following is not allowed:

arn:aws:iam::123456789012:u*

AWS Service Namespaces

When you create AWS IAM policies or work with Amazon Resource Names (ARNs), you identify an AWS service using a namespace. For example, the namespace for Amazon S3 is s3, and the namespace for Amazon EC2 is ec2. You use namespaces when identifying actions and resources.

The following example shows an IAM policy where the value of the Action elements and the values in the Resource and Condition elements use namespaces to identify the services for the actions and resources.

{
    "Statement":[
        {
            "Effect":"Allow",
            "Action":"iam:*",
            "Resource":["arn:aws:iam::123456789012:group/marketing/*",
                        "arn:aws:iam::123456789012:user/marketing/*"]
        },
        {
            "Effect":"Allow",
            "Action":"s3:*",
            "Resource":"arn:aws:s3:::example_bucket/marketing/*"
        },
        {
            "Effect":"Allow",
            "Action":"s3:ListBucket*",
            "Resource":"arn:aws:s3:::example_bucket",
            "Condition":{
                "StringLike":{
                    "s3:prefix":"marketing/*"
                }
            }
        }
    ]
}
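The following policy check is an added example, not part of the original reference. It applies two rules from this page to each statement: the Action namespace should match the service namespace in the Resource ARN, and an IAM ARN may not carry a wildcard in its resource type. It also reports IAM resources of the form `type/*`, which cover every resource of that type. The function names, finding strings, and sample policy are constructed for illustration.

```python
import json

# Resource types taken from the IAM syntax list on this page.
IAM_TYPES = {"root", "user", "group", "role", "instance-profile",
             "mfa", "server-certificate"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (statement index, resource, finding) tuples for a policy dict."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        action_ns = {a.split(":", 1)[0] for a in as_list(stmt.get("Action", []))}
        for arn in as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 5)  # keep colons inside the resource part
            if len(parts) != 6 or parts[0] != "arn":
                findings.append((i, arn, "not an ARN"))
                continue
            service, resource = parts[2], parts[5]
            # Actions and resources in one statement should share a namespace.
            if action_ns - {service, "*"}:
                findings.append((i, arn, "action namespace differs from resource namespace"))
            if service != "iam":
                continue
            # IAM: the resource type must be spelled out; '*' may only
            # appear in the path or name that follows it.
            rtype = resource.split("/", 1)[0]
            if "*" in rtype:
                findings.append((i, arn, "wildcard in resource type"))
            elif rtype not in IAM_TYPES:
                findings.append((i, arn, "unknown IAM resource type"))
            elif resource == rtype + "/*":
                findings.append((i, arn, "matches every %s in the account" % rtype))
    return findings

# Constructed policy (not from the page) with three deliberate problems.
SAMPLE = json.loads("""{"Statement":[
 {"Effect":"Allow","Action":"iam:*",
  "Resource":["arn:aws:iam::123456789012:user/marketing/*",
              "arn:aws:iam::123456789012:u*"]},
 {"Effect":"Allow","Action":"s3:*","Resource":"arn:aws:iam::123456789012:group/*"},
 {"Effect":"Allow","Action":"s3:ListBucket*","Resource":"arn:aws:s3:::example_bucket"}]}""")

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE):
        print(finding)
```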

The following table lists the AWS service namespaces.

Service                              Namespace
AWS Billing and Cost Management      aws-portal
Auto Scaling                         autoscaling
AWS CloudFormation                   cloudformation
Amazon CloudFront                    cloudfront
CloudWatch                           cloudwatch
DynamoDB                             dynamodb
Amazon EC2                           ec2
AWS Elastic Beanstalk                elasticbeanstalk
Elastic Load Balancing               elasticloadbalancing
Amazon Elastic MapReduce             elasticmapreduce
Amazon ElastiCache                   elasticache
Amazon Glacier                       glacier
AWS Identity and Access Management   iam
Amazon Kinesis                       kinesis
AWS Marketplace                      aws-marketplace
AWS Marketplace Management Portal    aws-marketplace-management
AWS OpsWorks                         opsworks
Amazon RDS                           rds
Amazon Redshift                      redshift
Amazon Route 53                      route53
Amazon S3                            s3
Amazon SES                           ses
Amazon SimpleDB                      sdb
Amazon SNS                           sns
Amazon SQS                           sqs
AWS Storage Gateway                  storagegateway
AWS STS                              sts
AWS Support                          support
Amazon SWF                           swf
Amazon VPC                           ec2