Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Specifying Resources in a Policy

The following is the common Amazon Resource Name (ARN) format to identify any resources in AWS.


For your Amazon S3 resources:

  • aws is a common partition name. If your resources are in the China (Beijing) Region, aws-cn is the partition name.

  • s3 is the service.

  • You don't specify region and namespace.

  • For Amazon S3, the relative-ID can be a bucket-name or a bucket-name/object-key. You can use wildcards.

Then the ARN format for Amazon S3 resources reduces to the following:

arn:aws:s3:::bucket_name
arn:aws:s3:::bucket_name/key_name

The following are examples of Amazon S3 resource ARNs.

  • This ARN identifies the /developers/design_info.doc object in the examplebucket bucket.

  • You can use wildcards as part of the resource ARN. You can use wildcard characters (* and ?) within any ARN segment (the parts separated by colons). An asterisk (*) represents any combination of zero or more characters, and a question mark (?) represents any single character. You can use multiple * or ? characters in each segment, but a wildcard cannot span segments.

    • This ARN uses the wildcard '*' in the relative-ID part of the ARN to identify all objects in the examplebucket bucket.


    • This ARN uses '*' to indicate all Amazon S3 resources (all S3 buckets and objects in your account).

    • This ARN uses both wildcards, '*' and '?', in the relative-ID part. It identifies all objects in buckets such as example1bucket, example2bucket, example3bucket, and so on.

  • You can use policy variables in Amazon S3 ARNs. At policy evaluation time, these predefined variables are replaced by their corresponding values. Suppose that you organize your bucket as a collection of folders, one folder for each of your users. The folder name is the same as the user name. To grant users permission to their folders, you can specify a policy variable in the resource ARN:


    At run time, when the policy is evaluated, the variable ${aws:username} in the resource ARN is substituted with the user name making the request.
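The wildcard and policy-variable rules above can be checked offline before a policy is deployed. The following is an added example, not code from AWS or from this guide: a simplified model of resource matching only, in which the function names, the user names alice and bob, and the sample ARNs are constructed for illustration. It is useful for spotting a pattern that matches more than intended, such as a bucket name followed directly by '*'.

```python
import re

def _segment_regex(pattern):
    # Within a segment only '*' and '?' are wildcards; every other
    # character is matched literally.
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")   # zero or more characters
        elif ch == "?":
            parts.append(".")    # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)

def resource_matches(policy_arn, request_arn, username=""):
    """Return True if request_arn is covered by policy_arn (simplified model)."""
    # Policy variables are replaced before matching, as at evaluation time.
    policy_arn = policy_arn.replace("${aws:username}", username)
    # arn:partition:service:region:namespace:relative-id -> six segments.
    # The relative-ID is kept whole because object keys may contain ':'.
    p_segs = policy_arn.split(":", 5)
    r_segs = request_arn.split(":", 5)
    if len(p_segs) != 6 or len(r_segs) != 6:
        return False  # a wildcard cannot stand in for a ':' separator
    return all(_segment_regex(p).fullmatch(r) for p, r in zip(p_segs, r_segs))

if __name__ == "__main__":
    # Constructed checks: (policy resource, requested resource, user name)
    checks = [
        ("arn:aws:s3:::examplebucket/*", "arn:aws:s3:::examplebucket/developers/design_info.doc", ""),
        ("arn:aws:s3:::example?bucket/*", "arn:aws:s3:::example1bucket/a.txt", ""),
        ("arn:aws:s3:::examplebucket/${aws:username}/*", "arn:aws:s3:::examplebucket/bob/notes.txt", "alice"),
        # Over-broad: no '/' before '*', so other bucket names match too.
        ("arn:aws:s3:::examplebucket*", "arn:aws:s3:::examplebucket-backup/secret.txt", ""),
    ]
    for policy, request, user in checks:
        print(resource_matches(policy, request, user), policy, "->", request)
```
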

For more information, see the following resources:

For more information about other access policy language elements, see Access Policy Language Overview.