AWS GovCloud (US)
User Guide

Amazon Resource Names (ARNs) in AWS GovCloud (US)

Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon S3 bucket names, and API calls. In the AWS GovCloud (US) Region, ARNs have an identifier that is different from the one in other AWS regions. For all other regions, ARNs begin with:

arn:aws

In the AWS GovCloud (US) Region, ARNs begin with:

arn:aws-us-gov

If an ARN requires a region, for the AWS GovCloud (US) Region, the region should be identified as us-gov-west-1.

ARN Format

Here are some example ARNs:

<!-- IAM user name -->
arn:aws-us-gov:iam::123456789012:David
<!-- Amazon EC2 instances -->
arn:aws-us-gov:ec2:us-gov-west-1:001234567890:instance/*
<!-- Amazon S3 bucket (and all objects in it)-->
arn:aws-us-gov:s3:::my_corporate_bucket/*

The following are the general formats for ARNs. The specific components and values used depend on the AWS service.

arn:aws-us-gov:service:region:account:resource
arn:aws-us-gov:service:region:account:resourcetype/resource
arn:aws-us-gov:service:region:account:resourcetype:resource

service

The service namespace that identifies the AWS product (for example, Amazon S3 or IAM). For a list of namespaces, see AWS Service Namespaces in the Amazon Web Services General Reference.

region

The region in which the resource resides. The ARNs for some resources do not require a region, so this component might be omitted. For the AWS GovCloud (US) Region, the region is us-gov-west-1.

account

The ID of the AWS account that owns the resource, without the hyphens (for example, 123456789012). The ARNs for some resources don't require an account number, so this component might be omitted.

resource, resourcetype:resource, or resourcetype/resource

The content of this part of the ARN varies by service. It often includes an indicator of the type of resource—for example, IAM user—followed by a slash (/) or a colon (:), followed by the resource name itself. Some services allow paths for resource names, as described in Paths in ARNs.

Example ARNs

The following sections provide syntax and examples of the ARNs for different services. For more information about using ARNs in a specific AWS service, see the documentation for that service.

Amazon API Gateway

Syntax:

arn:aws-us-gov:apigateway:region::resource-path
arn:aws-us-gov:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path

Example:

arn:aws-us-gov:apigateway:us-gov-west-1::/restapis/a123456789012bc3de45678901f23a45/*
arn:aws-us-gov:apigateway:us-gov-west-1::a123456789012bc3de45678901f23a45:/test/mydemoresource/*
arn:aws-us-gov:apigateway*::a123456789012bc3de45678901f23a45:/*/petstorewalkthrough/pets
arn:aws-us-gov:execute-api:us-gov-west-1:123456789012:qsxrty/test/GET/mydemoresource/*

Auto Scaling

Syntax:

arn:aws-us-gov:autoscaling:region:account:scalingPolicy:policyid:autoScalingGroupName/groupfriendlyname:policyname/policyfriendlyname
arn:aws-us-gov:autoscaling:region:account:autoScalingGroup:groupid:autoScalingGroupName/groupfriendlyname

Example:

arn:aws-us-gov:autoscaling:us-gov-west-1:123456789012:scalingPolicy:c7a27f55-d35e-4153-b044-8ca9155fc467:autoScalingGroupName/my-test-asg1:policyName/my-scaleout-policy

AWS Certificate Manager

Syntax:

arn:aws-us-gov:acm:region:account-id:certificate/certificate-id

Example:

arn:aws-us-gov:acm:us-gov-west-1:123456789012:certificate/12345678-1234-1234-1234-123456789012

Amazon CloudWatch Events

Syntax:

arn:aws-us-gov:events:us-gov-west-1:*:*
arn:aws-us-gov:events:us-gov-west-1:123456789012:*
arn:aws-us-gov:events:us-gov-west-1:123456789012:rule/my-rule

AWS CodeDeploy

Syntax:

arn:aws-us-gov:codedeploy:account-id:application/applicationname
arn:aws-us-gov:codedeploy:account-id:deploymentgroup/deployment-group-name
arn:aws-us-gov:codedeploy:account-id:deploymentconfig/deployment-configuration-name
arn:aws-us-gov:codedeploy:account-id:instance/instanceid
arn:aws-us-gov:codedeploy:*
arn:aws-us-gov:codedeploy:account-id:*

AWS Config

Syntax:

arn:aws-us-gov:config:region:account-id:config-rule/config-rule-name

Example:

arn:aws-us-gov:config:us-gov-west-1:123456789012:config-rule/MyConfigRule

AWS Database Migration Service

Syntax:

arn:aws-us-gov:dms:region:account number:resourcetype:resourcename

Example:

arn:aws-us-gov:dms:us-gov-west-1:123456789012:rep:QLXQZ64MH7CXF4QCQMGRVYVXAI

Amazon DynamoDB

Syntax:

arn:aws-us-gov:dynamodb:region:account:table/tablename

Example:

arn:aws-us-gov:dynamodb:us-gov-west-1:123456789012:table/books_table

AWS Elastic Beanstalk

Syntax:

arn:aws-us-gov:elasticbeanstalk:region:accountid:application/applicationname
arn:aws-us-gov:elasticbeanstalk:region:accountid:applicationversion/applicationname/versionlabel
arn:aws-us-gov:elasticbeanstalk:region:accountid:configurationtemplate/applicationname/templatename
arn:aws-us-gov:elasticbeanstalk:region:accountid:environment/applicationname/environmentname
arn:aws-us-gov:elasticbeanstalk:region:ACCOUNT_ID:platform/PLATFORM_NAME/PLATFORM_VERSION
arn:aws-us-gov:elasticbeanstalk:region::solutionstack/solutionstackname

Examples:

arn:aws-us-gov:elasticbeanstalk:us-west-2:123456789012:application/My App
arn:aws-us-gov:elasticbeanstalk:us-west-2:123456789012:applicationversion/My App/My Version
arn:aws-us-gov:elasticbeanstalk:us-west-2:123456789012:configurationtemplate/My App/My Template
arn:aws-us-gov:elasticbeanstalk:us-west-2:123456789012:environment/My App/MyEnvironment
arn:aws-us-gov:elasticbeanstalk:us-west-2:123456789012:platform/MyPlatform/1.0
arn:aws-us-gov:elasticbeanstalk:us-west-2::solutionstack/32bit Amazon Linux running Tomcat 7

Amazon Elastic Compute Cloud

Syntax:

arn:aws-us-gov:ec2:region:account:instance/instance-id
arn:aws-us-gov:ec2:region:account:placement-group/placement-group-name
arn:aws-us-gov:ec2:region::snapshot/snapshot-id
arn:aws-us-gov:ec2:region:account:volume/volume-id

Examples:

arn:aws-us-gov:ec2:us-gov-west-1:123456789012:instance/*
arn:aws-us-gov:ec2:us-gov-west-1:123456789012:volume/*
arn:aws-us-gov:ec2:us-gov-west-1:123456789012:volume/vol-1a2b3c4d

AWS Identity and Access Management

Syntax:

arn:aws-us-gov:iam::account:root
arn:aws-us-gov:iam::account:user/username
arn:aws-us-gov:iam::account:group/groupname
arn:aws-us-gov:iam::account:role/rolename
arn:aws-us-gov:iam::account:instance-profile/instanceprofilename
arn:aws-us-gov:sts::account:federated-user/username
arn:aws-us-gov:iam::account:mfa/virtualdevicename
arn:aws-us-gov:iam::account:server-certificate/certificatename

Examples:

arn:aws-us-gov:iam::123456789012:root
arn:aws-us-gov:iam::123456789012:user/Bob
arn:aws-us-gov:iam::123456789012:user/division_abc/subdivision_xyz/Bob
arn:aws-us-gov:iam::123456789012:group/Developers
arn:aws-us-gov:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers
arn:aws-us-gov:iam::123456789012:role/S3Access
arn:aws-us-gov:iam::123456789012:role/application_abc/component_xyz/S3Access
arn:aws-us-gov:iam::123456789012:instance-profile/Webserver
arn:aws-us-gov:sts::123456789012:federated-user/Bob
arn:aws-us-gov:iam::123456789012:mfa/BobJonesMFA
arn:aws-us-gov:iam::123456789012:server-certificate/ProdServerCert
arn:aws-us-gov:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert

Amazon Kinesis Streams

Syntax:

arn:aws-us-gov:kinesis:region:account:stream/stream-name

Examples:

arn:aws-us-gov:kinesis:us-gov-west-1:123456789012:stream/my_stream

AWS Lambda

Syntax:

arn:aws-us-gov:lambda:account-id:function:function-name
arn:aws-us-gov:lambda:account-id:function:function-name:alias-name
arn:aws-us-gov:lambda:account-id:function:function-name:version
arn:aws-us-gov:lambda:account-id:event-source-mappings:event-source-mapping-id

Examples:

arn:aws-us-gov:lambda:us-gov-west-1:123456789012:function:ProcessKinesisRecords
arn:aws-us-gov:lambda:us-gov-west-1:123456789012:function:ProcessKinesisRecords:your alias
arn:aws-us-gov:lambda:us-gov-west-1:123456789012:function:ProcessKinesisRecords:1.0
arn:aws-us-gov:lambda:us-gov-west-1:123456789012:event-source-mappings:kinesis-stream-arn

Amazon Rekognition

Syntax:

arn:aws-us-gov:rekognition:region:account-id:collection/collection-id
arn:aws-us-gov:rekognition:region:account-id:*

Examples:

arn:aws-us-gov:rekognition:us-gov-west-1:123456789012:mycollection/mycollection-id
arn:aws-us-gov:rekognition:us-gov-west-1:123456789012:mycollection

Amazon Simple Notification Service

Syntax:

arn:aws-us-gov:sns:region:account:topicname
arn:aws-us-gov:sns:region:account:topicname:subscriptionid

Examples:

arn:aws-us-gov:sns:us-gov-west-1:123456789012:my_corporate_topic
arn:aws-us-gov:sns:us-gov-west-1:123456789012:my_corporate_topic:02034b43-fefa-4e07-a5eb-3be56f8c54ce

Amazon Simple Queue Service

Syntax:

arn:aws-us-gov:sqs:region:account:queuename

Example:

arn:aws-us-gov:sqs:us-gov-west-1:123456789012:queue1

Amazon Simple Storage Service

Syntax:

arn:aws-us-gov:s3:::bucketname
arn:aws-us-gov:s3:::bucketname/objectpath

Amazon S3 does not require an account number or region in ARNs.

Examples:

arn:aws-us-gov:s3:::my_corporate_bucket
arn:aws-us-gov:s3:::my_corporate_bucket/*
arn:aws-us-gov:s3:::my_corporate_bucket/Development/*

Amazon Simple Workflow Service

Syntax:

arn:aws-us-gov:swf:region:account:domain/domainname

Examples:

arn:aws-us-gov:swf:us-gov-west-1:123456789012:domain/department1
arn:aws-us-gov:swf:us-gov-west-1:123456789012:/domain/*

Paths in ARNs

Some services let you specify a path for the resource name. For example, in Amazon S3, the resource identifier is an object name that can include slashes (/) to form a path. Similarly, IAM user names and group names can include paths.

Paths can include wildcard characters such as an asterisk (*). For example, to specify all IAM users whose user name includes the prefix product_1234, you can use a wildcard like this:

arn:aws-us-gov:iam::123456789012:user/Development/product_1234/*

To specify all IAM users or IAM groups in the AWS account, use a wildcard after the user/ or group/ part of the ARN, respectively.

arn:aws-us-gov:iam::123456789012:user/*
arn:aws-us-gov:iam::123456789012:group/*

The following example shows ARNs for an Amazon S3 bucket in which the resource name includes a path:

arn:aws-us-gov:s3:::my_corporate_bucket/*
arn:aws-us-gov:s3:::my_corporate_bucket/Development/*

You cannot use a wildcard in the resource type, such as the term user in an IAM ARN. The following is not allowed:

arn:aws-us-gov:iam::123456789012:u*

For more information, see Amazon Resource Names (ARNs) and AWS Service Namespaces.
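
The rules in the ARN Format and Paths in ARNs sections (the aws-us-gov prefix, the us-gov-west-1 region, account IDs without hyphens, no wildcard in the IAM resource type) can be checked mechanically before a policy is deployed. The following Python linter is an added example, not part of the AWS guide; its function names and the sample policy are constructed for illustration, and it assumes us-gov-west-1 is the only valid region, as this page states.

```python
import json

GOV_PARTITION, GOV_REGION = "aws-us-gov", "us-gov-west-1"  # values named on this page

def parse_arn(arn):
    """Split an ARN into partition, service, region, account and resource."""
    parts = arn.split(":", 5)  # the resource part may itself contain colons
    if len(parts) < 6 and parts[-1] == "*":
        parts += ["*"] * (6 - len(parts))  # short form such as arn:aws-us-gov:codedeploy:*
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not a well-formed ARN: {arn}")
    return dict(zip(("partition", "service", "region", "account", "resource"), parts[1:]))

def check_arn(arn):
    """Return the problems found in one ARN intended for AWS GovCloud (US)."""
    try:
        a = parse_arn(arn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if a["partition"] != GOV_PARTITION:
        problems.append(f"partition '{a['partition']}' should be '{GOV_PARTITION}'")
    if a["region"] not in ("", "*", GOV_REGION):
        problems.append(f"region '{a['region']}' should be '{GOV_REGION}'")
    if a["account"] not in ("", "*") and not (a["account"].isdigit() and len(a["account"]) == 12):
        problems.append("account ID should be 12 digits without hyphens")
    # Resource type = text before the first "/" or ":"; IAM only (S3, SNS, SQS have no type).
    rtype = a["resource"].replace(":", "/").split("/", 1)[0]
    if a["service"] == "iam" and "*" in rtype and rtype != "*":
        problems.append("wildcard in the resource type is not allowed")
    return problems

def lint_policy(policy_json):
    """Map each problematic Resource ARN in an IAM policy document to its problems."""
    report = {}
    for stmt in json.loads(policy_json)["Statement"]:
        resources = stmt.get("Resource", [])
        for arn in [resources] if isinstance(resources, str) else resources:
            if arn != "*" and check_arn(arn):
                report[arn] = check_arn(arn)
    return report

# Constructed sample policy: the first ARN is correct, the other three are not.
SAMPLE_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": [
    "arn:aws-us-gov:s3:::my_corporate_bucket/*",
    "arn:aws:s3:::my_corporate_bucket/*",
    "arn:aws-us-gov:ec2:us-east-1:123456789012:instance/*",
    "arn:aws-us-gov:iam::123456789012:u*"]}]})
print(json.dumps(lint_policy(SAMPLE_POLICY), indent=2))
```

An ARN copied from a commercial-region policy keeps the arn:aws prefix and so never matches a GovCloud resource; the first check reports exactly that case.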