Amazon Web Services
General Reference (Version 1.0)

Amazon Resource Names (ARNs) and AWS Service Namespaces

Amazon Resource Names (ARNs) uniquely identify AWS resources. An ARN is required whenever a resource must be specified unambiguously across all of AWS, for example in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.

ARN Format

Here are some example ARNs:

<!-- Elastic Beanstalk application version -->
arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
<!-- IAM user name -->
arn:aws:iam::123456789012:user/David
<!-- Amazon RDS instance used for tagging -->
arn:aws:rds:eu-west-1:123456789012:db:mysql-db
<!-- Object in an Amazon S3 bucket -->
arn:aws:s3:::my_corporate_bucket/exampleobject.png

The following are the general formats for ARNs; the specific components and values used depend on the AWS service.

arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource
arn:partition:service:region:account-id:resourcetype/resource/qualifier
arn:partition:service:region:account-id:resourcetype/resource:qualifier
arn:partition:service:region:account-id:resourcetype:resource
arn:partition:service:region:account-id:resourcetype:resource:qualifier

Partition

The partition that the resource is in. For standard AWS Regions, the partition is aws. If you have resources in other partitions, the partition is aws-partitionname. For example, the partition for resources in the China (Beijing) Region is aws-cn.

Service

The service namespace that identifies the AWS product (for example, Amazon S3, IAM, or Amazon RDS). For a list of namespaces, see AWS Service Namespaces.

Region

The Region that the resource resides in. Note that the ARNs for some resources do not require a Region, so this component might be omitted.

Account

The ID of the AWS account that owns the resource, without hyphens. For example, 123456789012. Note that the ARNs for some resources do not require an account number, so this component might be omitted.

resource, resourcetype:resource or resourcetype/resource

The content of this part of the ARN varies by service. It often includes an indicator of the type of resource, for example an IAM user or an Amazon RDS database, followed by a slash (/) or a colon (:), followed by the resource name itself. Some services allow paths for resource names, as described in Paths in ARNs.
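
The component layout above can be checked mechanically when reviewing the Resource entries of a policy. The following Python sketch is an added example, not AWS code: it splits an ARN into the components described above and flags patterns that match any account, another account, or every resource of a service. The names parse_arn, wildcard_fields and review_resources, the "aws" account value and the treatment of "?" as a wildcard are assumptions of this example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Arn(NamedTuple):
    partition: str
    service: str
    region: str                   # empty for services that need no Region
    account_id: str               # empty for services that need no account
    resource_type: Optional[str]  # None when the resource has no type prefix
    resource_id: str


# Account field: 12 digits, empty, "*" in policy patterns, or "aws" for
# AWS-owned resources (assumption: "aws" is not shown on this page).
_ACCOUNT_RE = re.compile(r"\A(?:\d{12}|\*|aws|)\Z")


def parse_arn(arn: str) -> Arn:
    """Split an ARN into partition, service, region, account and resource."""
    # Split on the first five colons only; the resource part may contain
    # further colons (function:name:alias, stream timestamps, ...).
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("expected arn:partition:service:region:account-id:resource")
    _, partition, service, region, account_id, rest = parts
    if partition not in ("aws", "*") and not partition.startswith("aws-"):
        raise ValueError(f"unexpected partition {partition!r}")
    if not service or not rest:
        raise ValueError("service and resource must not be empty")
    if not _ACCOUNT_RE.match(account_id):
        raise ValueError(f"unexpected account id {account_id!r}")
    # Heuristic: the type is whatever precedes the first '/' or ':'.
    # Services whose resource has no type (S3, CodeCommit) either put the
    # first path segment here or leave resource_type as None.
    sep = re.search(r"[:/]", rest)
    if sep and sep.start() > 0:
        return Arn(partition, service, region, account_id,
                   rest[:sep.start()], rest[sep.end():])
    return Arn(partition, service, region, account_id, None, rest)


def wildcard_fields(arn: Arn) -> List[str]:
    """Names of the components that contain a policy wildcard (* or ?)."""
    return [name for name, value in arn._asdict().items()
            if value and ("*" in value or "?" in value)]


def review_resources(patterns: List[str], own_account: str) -> List[Tuple[str, str]]:
    """Return (pattern, reason) pairs for entries that deserve a second look."""
    findings = []
    for pattern in patterns:
        try:
            arn = parse_arn(pattern)
        except ValueError as exc:
            findings.append((pattern, f"malformed: {exc}"))
            continue
        if "account_id" in wildcard_fields(arn):
            findings.append((pattern, "account field matches any account"))
        elif arn.account_id not in ("", "aws", own_account):
            findings.append((pattern, "refers to another account"))
        if arn.resource_type is None and arn.resource_id == "*":
            findings.append((pattern, "matches every resource of the service"))
    return findings


# Patterns taken from this page, plus one constructed malformed entry
# (the empty Region field between "iam" and the account is missing).
SAMPLE = [
    "arn:aws:iam::123456789012:user/David",
    "arn:aws:events:us-east-1:*:*",
    "arn:aws:ec2:us-east-1:123456789012:instance/*",
    "arn:aws:mediaconvert:us-east-1:111111111111:queues/default",
    "arn:aws:iam:123456789012:user/David",
]

if __name__ == "__main__":
    for pattern, reason in review_resources(SAMPLE, "123456789012"):
        print(f"{pattern}: {reason}")
```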

Example ARNs

The following sections provide syntax and examples of the ARNs for different services. For more information about using ARNs in a specific AWS service, see the documentation for that service.

Some services support IAM resource-level permissions. For more information, see AWS Services That Work with IAM.

Alexa for Business

Syntax:

arn:aws:a4b:region:accountid:resourcetype/resource

Example:

arn:aws:a4b:us-east-1:123456789012:room/7315ffdf0eeb874dc4ab8a546e8b70ec/5f90e5d608b6baa9c88db56654aef158

Amazon API Gateway

Syntax:

arn:aws:apigateway:region::resource-path
arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path

Examples:

arn:aws:apigateway:us-east-1::/restapis/a123456789012bc3de45678901f23a45/*
arn:aws:apigateway:us-east-1::a123456789012bc3de45678901f23a45:/test/mydemoresource/*
arn:aws:apigateway:*::a123456789012bc3de45678901f23a45:/*/petstorewalkthrough/pets
arn:aws:execute-api:us-east-1:123456789012:qsxrty/test/GET/mydemoresource/*

AWS AppSync

Syntax:

arn:aws:appsync:your-region:account-id:apis/AppSyncEndpointName/types/Query/fields/field-name
arn:aws:appsync:your-region:account-id:apis/AppSyncEndpointName/types/Mutation/fields/field-name
arn:aws:appsync:your-region:account-id:apis/AppSyncEndpointName/types/Subscription/fields/field-name

Examples:

arn:aws:appsync:us-west-2:123456789012:apis/AppSyncEndpointName/types/Query/fields/posts
arn:aws:appsync:us-west-2:123456789012:apis/AppSyncEndpointName/types/Mutation/fields/addPost
arn:aws:appsync:us-west-2:123456789012:apis/AppSyncEndpointName/types/Query/fields/my-subscription

AWS Artifact

Syntax:

arn:aws:artifact:::report-package/document-type/report-type

Examples:

arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*
arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*
arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*

Amazon EC2 Auto Scaling

Syntax:

arn:aws:autoscaling:region:account-id:scalingPolicy:policyid:autoScalingGroupName/groupfriendlyname:policyName/policyfriendlyname
arn:aws:autoscaling:region:account-id:autoScalingGroup:groupid:autoScalingGroupName/groupfriendlyname

Example:

arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:c7a27f55-d35e-4153-b044-8ca9155fc467:autoScalingGroupName/my-test-asg1:policyName/my-scaleout-policy

Application Auto Scaling

Syntax:

arn:aws:autoscaling:region:account-id:scalingPolicy:policy-id:resource/service-namespace/resource-id:policyName/policyfriendlyname
arn:aws:autoscaling:region:account-id:scheduledAction:action-id:resource/service-namespace/resource-id:scheduledActionName/actionfriendlyname

Example:

arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:c7a27f55-d35e-4153-b044-8ca9155fc467:resource/ec2/spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE:policyName/cpu40
arn:aws:autoscaling:us-east-1:123456789012:scheduledAction:38c84579-0f51-4adc-879b-a2cc4EXAMPLE:resource/ec2/spot-fleet-request/sfr-09d694de-4d82-4b48-a4f4-2f38fEXAMPLE:scheduledActionName/my-action

AWS Batch

Syntax:

arn:aws:batch:region:account-id:compute-environment/name
arn:aws:batch:region:account-id:job-definition/job-name:revision
arn:aws:batch:region:account-id:job-queue/queue-name

Example:

arn:aws:batch:us-east-1:123456789012:compute-environment/my-environment
arn:aws:batch:us-east-1:123456789012:job-definition/my-job-definition:1
arn:aws:batch:us-east-1:123456789012:job-queue/my-queue

AWS Certificate Manager

Syntax:

arn:aws:acm:region:account-id:certificate/certificate-id

Example:

arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012

AWS Certificate Manager Private Certificate Authority

Syntax (private certificate authority):

arn:aws:acm-pca:region:account-id:certificate-authority/ca-id

Example:

arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012

Syntax (private certificate):

arn:aws:acm-pca:region:account-id:certificate-authority/ca-id/certificate/certificate-id

Example:

arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/e8cbd2bedb122329f97706bcfec990f8

AWS Cloud9

Syntax:

arn:aws:cloud9:region:account-id:environment:environment-id

Example:

arn:aws:cloud9:us-west-2:123456789012:environment:81e900317347585a0601e04c8d52eaEX

Amazon Cloud Directory

Syntax:

arn:aws:clouddirectory:region:account-id:directory/directoryID

Example:

arn:aws:clouddirectory:us-west-2:123456789012:directory/ARIqk1HD-UjdtmcIrJHEvPI

AWS CloudFormation

Syntax:

arn:aws:cloudformation:region:account-id:stack/stackname/additionalidentifier
arn:aws:cloudformation:region:account-id:changeSet/changesetname/additionalidentifier

Examples:

arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c
arn:aws:cloudformation:us-east-1:123456789012:changeSet/MyProductionChangeSet/abc9dbf0-43c2-11e3-a6e8-50fa526be49c

Amazon CloudFront

Syntax:

arn:aws:cloudfront::account-id:*

Example:

arn:aws:cloudfront::123456789012:*

Amazon CloudSearch

Syntax:

arn:aws:cloudsearch:region:account-id:domain/domainname

Example:

arn:aws:cloudsearch:us-east-1:123456789012:domain/imdb-movies

AWS CloudTrail

Syntax:

arn:aws:cloudtrail:region:account-id:trail/trailname

Example:

arn:aws:cloudtrail:us-east-1:123456789012:trail/mytrailname

Amazon CloudWatch

Syntax:

arn:aws:cloudwatch:region:account-id:alarm:alarm-name
arn:aws:cloudwatch::account-id:dashboard/dashboard-name

Examples:

arn:aws:cloudwatch:us-east-1:123456789012:alarm:*
arn:aws:cloudwatch:us-east-1:123456789012:alarm:MyAlarmName
arn:aws:cloudwatch::123456789012:dashboard/MyDashboardName

Amazon CloudWatch Events

Syntax:

arn:aws:events:region:*:*

Examples:

arn:aws:events:us-east-1:*:*
arn:aws:events:us-east-1:123456789012:*
arn:aws:events:us-east-1:123456789012:rule/my-rule

Amazon CloudWatch Logs

Syntax:

arn:aws:logs:region:*:*

Examples:

arn:aws:logs:us-east-1:*:*
arn:aws:logs:us-east-1:123456789012:*
arn:aws:logs:us-east-1:123456789012:log-group:my-log-group
arn:aws:logs:us-east-1:123456789012:log-group:my-log-group:*
arn:aws:logs:us-east-1:123456789012:log-group:my-log-group*
arn:aws:logs:us-east-1:123456789012:log-group:my-log-group:log-stream:my-log-stream
arn:aws:logs:us-east-1:123456789012:log-group:my-log-group:log-stream:my-log-stream*
arn:aws:logs:us-east-1:123456789012:log-group:my-log-group*:log-stream:my-log-stream*

AWS CodeBuild

Syntax:

arn:aws:codebuild:region:account-id:resourcetype/resource

Examples:

arn:aws:codebuild:us-east-1:123456789012:project/my-demo-project
arn:aws:codebuild:us-east-1:123456789012:build/my-demo-project:7b7416ae-89b4-46cc-8236-61129df660ad

AWS CodeCommit

Syntax:

arn:aws:codecommit:region:account-id:resource-specifier

Example:

arn:aws:codecommit:us-east-1:123456789012:MyDemoRepo

AWS CodeDeploy

Syntax:

arn:aws:codedeploy:region:account-id:resource-type:resource-specifier
arn:aws:codedeploy:region:account-id:resource-type/resource-specifier

Example:

arn:aws:codedeploy:us-east-1:123456789012:application:WordPress_App
arn:aws:codedeploy:us-east-1:123456789012:instance/AssetTag*

Amazon Cognito – Your User Pools

Syntax:

arn:aws:cognito-idp:region:account-id:userpool/user-pool-id

Example:

arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1:1a1a1a1a-ffff-1111-9999-12345678

Amazon Cognito – Federated Identities

Syntax:

arn:aws:cognito-identity:region:account-id:identitypool/identity-pool-id

Example:

arn:aws:cognito-identity:us-east-1:123456789012:/identitypool/us-east-1:1a1a1a1a-ffff-1111-9999-12345678

Amazon Cognito Sync

Syntax:

arn:aws:cognito-sync:region:account-id:identitypool/identity-pool-id
arn:aws:cognito-sync:region:account-id:identitypool/identity-pool-id/identity/identity-id
arn:aws:cognito-sync:region:account-id:identitypool/identity-pool-id/identity/identity-id/dataset/dataset-name

Example:

arn:aws:cognito-sync:us-east-1:123456789012:identitypool/us-east-1:1a1a1a1a-ffff-1111-9999-12345678

AWS Config

Syntax:

arn:aws:config:region:account-id:config-rule/config-rule-id

Example:

arn:aws:config:us-east-1:123456789012:config-rule/config-rule-8fngan

AWS CodePipeline

Syntax:

arn:aws:codepipeline:region:account-id:resource-specifier

Example:

arn:aws:codepipeline:us-east-1:123456789012:MyDemoPipeline

AWS CodeStar

Syntax:

arn:aws:codestar:region:account-id:resource-specifier

Example:

arn:aws:codestar:us-east-1:123456789012:my-first-project

AWS Direct Connect

Syntax:

arn:aws:directconnect:region:account-id:dxcon/connection-id
arn:aws:directconnect:region:account-id:dxlag/lag-id
arn:aws:directconnect:region:account-id:dxvif/virtual-interface-id

Examples:

arn:aws:directconnect:us-east-1:123456789012:dxcon/dxcon-fgase048
arn:aws:directconnect:us-east-1:123456789012:dxlag/dxlag-ffy7zraq
arn:aws:directconnect:us-east-1:123456789012:dxvif/dxvif-fgrb110x

AWS Directory Service

Syntax:

arn:aws:ds:region:account-id:directory/directoryId

Example:

arn:aws:ds:us-west-2:123456789012:directory/ARIqk1HD-UjdtmcIrJHEvPI

Amazon DynamoDB

Syntax:

arn:aws:dynamodb:region:account-id:table/tablename
arn:aws:dynamodb:region:account-id:table/tablename/stream/label

Example:

arn:aws:dynamodb:us-east-1:123456789012:table/books_table
arn:aws:dynamodb:us-east-1:123456789012:table/books_table/stream/2015-05-11T21:21:33.291

AWS Elastic Beanstalk

Syntax:

arn:aws:elasticbeanstalk:region:account-id:application/applicationname
arn:aws:elasticbeanstalk:region:account-id:applicationversion/applicationname/versionlabel
arn:aws:elasticbeanstalk:region:account-id:environment/applicationname/environmentname
arn:aws:elasticbeanstalk:region::solutionstack/solutionstackname
arn:aws:elasticbeanstalk:region:account-id:configurationtemplate/applicationname/templatename

Examples:

arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App
arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version
arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
arn:aws:elasticbeanstalk:us-east-1::solutionstack/32bit Amazon Linux running Tomcat 7
arn:aws:elasticbeanstalk:us-east-1:123456789012:configurationtemplate/My App/My Template

Amazon Elastic Compute Cloud (Amazon EC2)

Syntax:

arn:aws:ec2:region:account-id:customer-gateway/cgw-id
arn:aws:ec2:region:account-id:dedicated-host/host_id
arn:aws:ec2:region:account-id:dhcp-options/dhcp-options-id
arn:aws:ec2:region:account-id:egress-only-internet-gateway/eigw-id
arn:aws:ec2:region:account-id:elastic-gpu/elastic-gpu-id
arn:aws:ec2:region::image/image-id
arn:aws:ec2:region:account-id:instance/instance-id
arn:aws:iam::account:instance-profile/instance-profile-name
arn:aws:ec2:region:account-id:internet-gateway/igw-id
arn:aws:ec2:region:account-id:key-pair/key-pair-name
arn:aws:ec2:region:account-id:launch-template/launch-template-id
arn:aws:ec2:region:account-id:natgateway/natgateway-id
arn:aws:ec2:region:account-id:network-acl/nacl-id
arn:aws:ec2:region:account-id:network-interface/eni-id
arn:aws:ec2:region:account-id:placement-group/placement-group-name
arn:aws:ec2:region:account-id:reserved-instances/reservation-id
arn:aws:ec2:region:account-id:route-table/route-table-id
arn:aws:ec2:region:account-id:security-group/security-group-id
arn:aws:ec2:region::snapshot/snapshot-id
arn:aws:ec2:region:account-id:spot-instances-request/spot-instance-request-id
arn:aws:ec2:region:account-id:subnet/subnet-id
arn:aws:ec2:region:account-id:volume/volume-id
arn:aws:ec2:region:account-id:vpc/vpc-id
arn:aws:ec2:region:account-id:vpc-peering-connection/vpc-peering-connection-id
arn:aws:ec2:region:account-id:vpn-connection/vpn-id
arn:aws:ec2:region:account-id:vpn-gateway/vgw-id

Examples:

arn:aws:ec2:us-east-1:123456789012:dedicated-host/h-12345678
arn:aws:ec2:us-east-1::image/ami-1a2b3c4d
arn:aws:ec2:us-east-1:123456789012:instance/*
arn:aws:ec2:us-east-1:123456789012:volume/*
arn:aws:ec2:us-east-1:123456789012:volume/vol-1a2b3c4d

Amazon Elastic Container Registry (Amazon ECR)

Syntax:

arn:aws:ecr:region:account-id:repository/repository-name

Example:

arn:aws:ecr:us-east-1:123456789012:repository/my-repository

Amazon Elastic Container Service (Amazon ECS)

Syntax:

arn:aws:ecs:region:account-id:cluster/cluster-name
arn:aws:ecs:region:account-id:container-instance/cluster-name/container-instance-id
arn:aws:ecs:region:account-id:task-definition/task-definition-family-name:task-definition-revision-number
arn:aws:ecs:region:account-id:service/cluster-name/service-name
arn:aws:ecs:region:account-id:task/cluster-name/task-id
arn:aws:ecs:region:account-id:container/container-id

Examples:

arn:aws:ecs:us-east-1:123456789012:cluster/my-cluster
arn:aws:ecs:us-east-1:123456789012:container-instance/my-cluster/403125b0-555c-4473-86b5-65982db28a6d
arn:aws:ecs:us-east-1:123456789012:task-definition/hello_world:8
arn:aws:ecs:us-east-1:123456789012:service/my-cluster/sample-webapp
arn:aws:ecs:us-east-1:123456789012:task/my-cluster/1abf0f6d-a411-4033-b8eb-a4eed3ad252a
arn:aws:ecs:us-east-1:123456789012:container/476e7c41-17f2-4c17-9d14-412566202c8a

Amazon Elastic Container Service for Kubernetes (Amazon EKS)

Syntax:

arn:aws:eks:region:account-id:cluster/cluster-name

Examples:

arn:aws:eks:us-east-1:123456789012:cluster/my-cluster

Amazon Elastic File System

Syntax:

arn:aws:elasticfilesystem:region:account-id:file-system/file-system-id

Example:

arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs12345678

Elastic Load Balancing (Application Load Balancer)

Syntax:

arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
arn:aws:elasticloadbalancing:region:account-id:listener/app/load-balancer-name/load-balancer-id/listener-id
arn:aws:elasticloadbalancing:region:account-id:listener-rule/app/load-balancer-name/load-balancer-id/listener-id/rule-id
arn:aws:elasticloadbalancing:region:account-id:targetgroup/target-group-name/target-group-id

Examples:

arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188
arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2
arn:aws:elasticloadbalancing:us-east-1:123456789012:listener-rule/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2/9683b2d02a6cabee
arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/73e2d6bc24d8a067

Elastic Load Balancing (Network Load Balancer)

Syntax:

arn:aws:elasticloadbalancing:region:account-id:loadbalancer/net/load-balancer-name/load-balancer-id
arn:aws:elasticloadbalancing:region:account-id:listener/net/load-balancer-name/load-balancer-id/listener-id
arn:aws:elasticloadbalancing:region:account-id:listener-rule/net/load-balancer-name/load-balancer-id/listener-id/rule-id
arn:aws:elasticloadbalancing:region:account-id:targetgroup/target-group-name/target-group-id

Examples:

arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/my-load-balancer/50dc6c495c0c9188
arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2
arn:aws:elasticloadbalancing:us-east-1:123456789012:listener-rule/net/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2/9683b2d02a6cabee
arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/73e2d6bc24d8a067

Elastic Load Balancing (Classic Load Balancer)

Syntax:

arn:aws:elasticloadbalancing:region:account-id:loadbalancer/name

Example:

arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/my-load-balancer

Amazon Elastic Transcoder

Syntax:

arn:aws:elastictranscoder:region:account-id:resource/id

Example:

arn:aws:elastictranscoder:us-east-1:123456789012:preset/*

Amazon ElastiCache

Syntax:

arn:aws:elasticache:region:account-id:resourcetype:resourcename

Examples:

arn:aws:elasticache:us-east-2:123456789012:cluster:myCluster
arn:aws:elasticache:us-east-2:123456789012:snapshot:mySnapshot

Amazon Elasticsearch Service

Syntax:

arn:aws:es:region:account-id:domain/domain-name

Example:

arn:aws:es:us-east-1:123456789012:domain/streaming-logs

Amazon S3 Glacier

Syntax:

arn:aws:glacier:region:account-id:vaults/vaultname

Examples:

arn:aws:glacier:us-east-1:123456789012:vaults/examplevault
arn:aws:glacier:us-east-1:123456789012:vaults/example*
arn:aws:glacier:us-east-1:123456789012:vaults/*

Amazon GuardDuty

Syntax:

arn:aws:guardduty:region:account-id:detector/detector-id
arn:aws:guardduty:region:account-id:ipset/ipset-id
arn:aws:guardduty:region:account-id:threatintelset/threatintelset-id

Examples:

arn:aws:guardduty:us-east-1:123456789012:detector/12abc34d567e8fa901bc2d34e56789f0
arn:aws:guardduty:us-east-1:123456789012:ipset/0cb0141ab9fbde177613ab9436212e90
arn:aws:guardduty:us-east-1:123456789012:threatintelset/12a34567890bc1de2345f67ab8901234

AWS Health / Personal Health Dashboard

Syntax:

arn:aws:health:region::event/event-id
arn:aws:health:region:account-id:entity/entity-id

Examples:

arn:aws:health:us-east-1::event/AWS_EC2_EXAMPLE_ID
arn:aws:health:us-east-1:123456789012:entity/AVh5GGT7ul1arKr1sE1K

AWS Identity and Access Management (IAM)

Syntax:

arn:aws:iam::account-id:root
arn:aws:iam::account-id:user/user-name
arn:aws:iam::account-id:group/group-name
arn:aws:iam::account-id:role/role-name
arn:aws:iam::account-id:policy/policy-name
arn:aws:iam::account-id:instance-profile/instance-profile-name
arn:aws:sts::account-id:federated-user/user-name
arn:aws:sts::account-id:assumed-role/role-name/role-session-name
arn:aws:iam::account-id:mfa/virtual-device-name
arn:aws:iam::account-id:server-certificate/certificate-name
arn:aws:iam::account-id:saml-provider/provider-name
arn:aws:iam::account-id:oidc-provider/provider-name

Examples:

arn:aws:iam::123456789012:root
arn:aws:iam::123456789012:user/Bob
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob
arn:aws:iam::123456789012:group/Developers
arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers
arn:aws:iam::123456789012:role/S3Access
arn:aws:iam::123456789012:role/application_abc/component_xyz/S3Access
arn:aws:iam::123456789012:policy/UsersManageOwnCredentials
arn:aws:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials
arn:aws:iam::123456789012:instance-profile/Webserver
arn:aws:sts::123456789012:federated-user/Bob
arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary
arn:aws:iam::123456789012:mfa/BobJonesMFA
arn:aws:iam::123456789012:server-certificate/ProdServerCert
arn:aws:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert
arn:aws:iam::123456789012:saml-provider/ADFSProvider
arn:aws:iam::123456789012:oidc-provider/GoogleProvider

For more information about constructing IAM ARNs, see IAM ARNs in the IAM User Guide.

AWS IoT

Syntax:

arn:aws:iot:your-region:account-id:cert/cert-ID
arn:aws:iot:your-region:account-id:policy/policy-name
arn:aws:iot:your-region:account-id:rule/rule-name
arn:aws:iot:your-region:account-id:client/client-id/rule-name

Examples:

arn:aws:iot:your-region:123456789012:cert/123a456b789c123d456e789f123a456b789c123d456e789f123a456b789c123c456d7
arn:aws:iot:your-region:123456789012:policy/MyIoTPolicy
arn:aws:iot:your-region:123456789012:rule/MyIoTRule
arn:aws:iot:your-region:123456789012:client/client101

AWS Key Management Service (AWS KMS)

Syntax:

arn:aws:kms:region:account-id:key/key-id
arn:aws:kms:region:account-id:alias/alias

Examples:

arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
arn:aws:kms:us-east-1:123456789012:alias/example-alias

Amazon Kinesis Data Firehose (Kinesis Data Firehose)

Syntax:

arn:aws:firehose:region:account-id:deliverystream/delivery-stream-name

Example:

arn:aws:firehose:us-east-1:123456789012:deliverystream/example-stream-name

Amazon Kinesis Data Streams (Kinesis Data Streams)

Syntax:

arn:aws:kinesis:region:account-id:stream/stream-name
arn:aws:kinesis:region:account-id:stream/stream-name/consumer/consumer-name:consumer-creation-timestamp

Example:

arn:aws:kinesis:us-east-1:123456789012:stream/example-stream-name
arn:aws:kinesis:us-east-1:123456789012:stream/example-stream-name/consumer/example-consumer-name:1525898737

Amazon Kinesis Data Analytics (Kinesis Data Analytics)

Syntax:

arn:aws:kinesisanalytics:region:account-id:application/application-name

Example:

arn:aws:kinesisanalytics:us-east-1:123456789012:application/example-application-name

Amazon Kinesis Video Streams (Kinesis Video Streams)

Syntax:

arn:aws:kinesisvideo:region:account-id:application/stream-name/code

Example:

arn:aws:kinesisvideo:us-east-1:123456789012:stream/example-stream-name/0123456789012

AWS Lambda (Lambda)

Syntax:

arn:aws:lambda:region:account-id:function:function-name
arn:aws:lambda:region:account-id:function:function-name:alias-name
arn:aws:lambda:region:account-id:function:function-name:version
arn:aws:lambda:region:account-id:event-source-mappings:event-source-mapping-id

Examples:

arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords
arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords:your alias
arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords:1.0
arn:aws:lambda:us-east-1:123456789012:event-source-mappings:kinesis-stream-arn

Amazon Macie

Syntax:

arn:aws:macie:region:account-id:trigger/triggerID
arn:aws:macie:region:account-id:trigger/triggerID/alert/alertID

Examples:

arn:aws:macie:us-east-1:123456789012:trigger/example61b3df36bff1dafaf1aa304b0ef1a975
arn:aws:macie:us-east-1:123456789012:trigger/example61b3df36bff1dafaf1aa304b0ef1a975/alert/example8780e9ca227f98dae37665c3fd22b585
arn:aws:macie:us-east-1:123456789012:trigger/behavioral/alert/example8780e9ca227f98dae37665c3fd22b585

Amazon Machine Learning (Amazon ML)

Syntax:

arn:aws:machinelearning:region:account-id:datasource/datasourceID
arn:aws:machinelearning:region:account-id:mlmodel/mlmodelID
arn:aws:machinelearning:region:account-id:batchprediction/batchpredictionlID
arn:aws:machinelearning:region:account-id:evaluation/evaluationID

Examples:

arn:aws:machinelearning:us-east-1:123456789012:datasource/my-datasource-1
arn:aws:machinelearning:us-east-1:123456789012:mlmodel/my-mlmodel
arn:aws:machinelearning:us-east-1:123456789012:batchprediction/my-batchprediction
arn:aws:machinelearning:us-east-1:123456789012:evaluation/my-evaluation

MediaConvert

Syntax:

arn:aws:mediaconvert:region:account-id:jobs/jobID
arn:aws:mediaconvert:region:account-id:jobTemplates/jobTemplateID
arn:aws:mediaconvert:region:account-id:presets/presetID
arn:aws:mediaconvert:region:account-id:queues/queueID

Examples:

arn:aws:mediaconvert:us-east-1:111111111111:jobs/0123456789012-abc123
arn:aws:mediaconvert:us-east-1:111111111111:jobTemplates/2345678
arn:aws:mediaconvert:us-east-1:111111111111:presets/System-169_WIFI_1080p
arn:aws:mediaconvert:us-east-1:111111111111:queues/default

MediaLive

Syntax:

arn:aws:medialive:region:account-id:inputSecurityGroup:inputSecurityGroupID
arn:aws:medialive:region:account-id:input:inputID
arn:aws:medialive:region:account-id:channel:channelID

Examples:

arn:aws:medialive:us-east-1:111111111111:inputSecurityGroup:1234567
arn:aws:medialive:us-east-1:111111111111:input:2345678
arn:aws:medialive:us-east-1:111111111111:channel:3456789

MediaPackage

Syntax:

arn:aws:mediapackage:region:account-id:channels/channelID
arn:aws:mediapackage:region:account-id:origin_endpoints/originEndpointID

Examples:

arn:aws:mediapackage:eu-west-1:111122223333:channels/0a1234bc567890d12efghi3j456k789m
arn:aws:mediapackage:eu-west-1:111122223333:origin_endpoints/1b2345cd678901e34fghij4k567m890n

MediaStore

Syntax:

arn:aws:mediastore:region:account-id:resourceType/resourceID

Examples:

arn:aws:mediastore:us-east-1:111111111111:container/ExampleName/example-folder/folder-segment.ts

MediaTailor

Syntax:

arn:aws:mediatailor:region:account-id:configurations/configurationID

Examples:

arn:aws:mediatailor:us-east-1:111111111111:configurations/2c3456de789012f34ghijk5m678n901o

AWS Mobile Hub

Syntax:

arn:aws:mobilehub:region:account-id:project/projectID

Examples:

arn:aws:mobilehub:us-east-1:123456789012:project/a01234567-b012345678-123c-d013456789abc

Amazon MQ

Syntax:

arn:aws:mq:region:account-id:broker:broker-name:broker-id
arn:aws:mq:region:account-id:configuration:configuration-name:configuration-id

Examples:

arn:aws:mq:us-east-1:123456789012:broker:MyBroker:b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9
arn:aws:mq:us-east-1:123456789012:configuration:MyConfiguration:c-1234a5b6-78cd-901e-2fgh-3i45j6k178l9

AWS Organizations

Syntax:

arn:aws:organizations::master-account-id:organization/o-organization-id
arn:aws:organizations::master-account-id:root/o-organization-id/r-root-id
arn:aws:organizations::master-account-id:account/o-organization-id/account-id
arn:aws:organizations::master-account-id:ou/o-organization-id/ou-organizational-unit-id
arn:aws:organizations::master-account-id:policy/o-organization-id/policy-type/p-policy-id
arn:aws:organizations::master-account-id:handshake/o-organization-id/handshake-type/h-handshake-id

Example:

arn:aws:organizations::123456789012:organization/o-a1b2c3d4e5example
arn:aws:organizations::123456789012:root/o-a1b2c3d4e5/r-f6g7h8i9j0example
arn:aws:organizations::123456789012:account/o-a1b2c3d4e5/123456789012
arn:aws:organizations::123456789012:ou/o-a1b2c3d4e5/ou-1a2b3c-k9l8m7n6o5example
arn:aws:organizations::123456789012:policy/o-a1b2c3d4e5/service_control_policy/p-p4q3r2s1t0example
arn:aws:organizations::123456789012:handshake/o-a1b2c3d4e5/invite/h-u2v4w5x8y0example

Amazon Pinpoint

Syntax:

arn:aws:mobiletargeting:us-east-1:account-id:apps/appId
arn:aws:mobiletargeting:us-east-1:account-id:apps/appId/campaigns/campaignId
arn:aws:mobiletargeting:us-east-1:account-id:apps/appId/segments/segmentId

Examples:

arn:aws:mobiletargeting:us-east-1:123456789012:apps/0d72ff0905e7f8b2b879fe7744d4952a9b
arn:aws:mobiletargeting:us-east-1:123456789012:apps/0d72ff0905e7f8b2b879fe7744d4952a9b/campaigns/8c95f63b24089f85819443be7c92d7
arn:aws:mobiletargeting:us-east-1:123456789012:apps/0d72ff0905e7f8b2b879fe7744d4952a9b/segments/6cdc025ba495672bb0aea4983afebf

Amazon Polly

Syntax:

arn:aws:polly:region:account-id:lexicon/LexiconName

Example:

arn:aws:polly:us-east-1:123456789012:lexicon/myLexicon

Amazon Redshift

Syntax:

arn:aws:redshift:region:account-id:cluster:cluster-name
arn:aws:redshift:region:account-id:dbname:cluster-name/database-name
arn:aws:redshift:region:account-id:dbuser:cluster-name/database-user-name
arn:aws:redshift:region:account-id:dbgroup:cluster-name/database-group-name
arn:aws:redshift:region:account-id:parametergroup:parameter-group-name
arn:aws:redshift:region:account-id:securitygroup:security-group-name
arn:aws:redshift:region:account-id:snapshot:cluster-name/snapshot-name
arn:aws:redshift:region:account-id:subnetgroup:subnet-group-name

Examples:

arn:aws:redshift:us-east-1:123456789012:cluster:my-cluster
arn:aws:redshift:us-east-1:123456789012:dbname:my-cluster/my-database
arn:aws:redshift:us-east-1:123456789012:dbuser:my-cluster/my-database-user
arn:aws:redshift:us-east-1:123456789012:dbgroup:my-cluster/my-database-group
arn:aws:redshift:us-east-1:123456789012:parametergroup:my-parameter-group
arn:aws:redshift:us-east-1:123456789012:securitygroup:my-public-group
arn:aws:redshift:us-east-1:123456789012:snapshot:my-cluster/my-snapshot20130807
arn:aws:redshift:us-east-1:123456789012:subnetgroup:my-subnet-10

Amazon Relational Database Service (Amazon RDS)

ARNs are used in Amazon RDS only with tags for DB instances. For more information, see Using Tags for a DB Instance in the Amazon RDS User Guide.

Syntax:

arn:aws:rds:region:account-id:db:db-instance-name
arn:aws:rds:region:account-id:snapshot:snapshot-name
arn:aws:rds:region:account-id:cluster:db-cluster-name
arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name
arn:aws:rds:region:account-id:og:option-group-name
arn:aws:rds:region:account-id:pg:parameter-group-name
arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name
arn:aws:rds:region:account-id:secgrp:security-group-name
arn:aws:rds:region:account-id:subgrp:subnet-group-name
arn:aws:rds:region:account-id:es:subscription-name

Examples:

arn:aws:rds:us-east-1:123456789012:db:mysql-db-instance1
arn:aws:rds:us-east-1:123456789012:snapshot:my-snapshot2
arn:aws:rds:us-east-1:123456789012:cluster:my-cluster1
arn:aws:rds:us-east-1:123456789012:cluster-snapshot:cluster1-snapshot7
arn:aws:rds:us-east-1:123456789012:og:mysql-option-group1
arn:aws:rds:us-east-1:123456789012:pg:mysql-repl-pg1
arn:aws:rds:us-east-1:123456789012:cluster-pg:aurora-pg3
arn:aws:rds:us-east-1:123456789012:secgrp:dev-secgrp2
arn:aws:rds:us-east-1:123456789012:subgrp:prod-subgrp1
arn:aws:rds:us-east-1:123456789012:es:monitor-events2

AWS Resource Groups

The only resource available in AWS Resource Groups is a group. Groups have unique Amazon Resource Names (ARNs) associated with them. Groups are specific to a Region and reside in accounts. For more information about resource groups, see the AWS Resource Groups User Guide.

Syntax:

arn:aws:resource-groups:region:account:group/group-name

Example:

arn:aws:resource-groups:us-west-2:123456789012:group/MyExampleGroup

Amazon Route 53

Syntax:

arn:aws:route53:::hostedzone/zoneid
arn:aws:route53:::change/change-id
arn:aws:route53::account-id:domain/domain-name
arn:aws:route53resolver:region:account-id:resolver-rule/rule-id
arn:aws:route53resolver:region:account-id:resolver-endpoint/endpoint-id
arn:aws:servicediscovery:region:account-id:namespace/namespace-id
arn:aws:servicediscovery:region:account-id:service/service-id

Amazon Route 53 does not require an account number or Region in ARNs.

Examples:

arn:aws:route53:::hostedzone/Z148QEXAMPLE8V
arn:aws:route53:::change/C2RDJ5EXAMPLE2
arn:aws:route53:::change/*
arn:aws:route53::123456789012:domain/example.com
arn:aws:route53resolver:us-west-2:123456789012:resolver-rule/rslvr-rr-5328a0899aexample
arn:aws:route53resolver:us-west-2:123456789012:resolver-endpoint/rslvr-in-60b9fd8fdbexample

Amazon SageMaker

Syntax:

arn:aws:sagemaker:region:account-id:notebook-instance:notebookInstanceName
arn:aws:sagemaker:region:account-id:notebook-instance-lifecycle-config:notebookInstanceLifecycleConfigName
arn:aws:sagemaker:region:account-id:training-job:trainingJobName
arn:aws:sagemaker:region:account-id:model:modelName
arn:aws:sagemaker:region:account-id:endpoint:endpointName
arn:aws:sagemaker:region:account-id:endpoint-config:endpointConfigName
arn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job:hyperParameterTuningJobName
arn:aws:sagemaker:region:account-id:transform-job:transformJobName

Examples:

arn:aws:sagemaker:us-east-1:123456789012:notebook-instance:my-notebookInstance-1
arn:aws:sagemaker:us-east-1:123456789012:notebook-instance-lifecycle-config:my-notebookInstanceLifecycleConfig-1
arn:aws:sagemaker:us-east-1:123456789012:training-job:my-trainingJob-1
arn:aws:sagemaker:us-east-1:123456789012:model:my-mlModel-1
arn:aws:sagemaker:us-east-1:123456789012:endpoint:my-endpoint-1
arn:aws:sagemaker:us-east-1:123456789012:endpoint-config:my-endpointConfig-1
arn:aws:sagemaker:us-east-1:123456789012:hyper-parameter-tuning-job:my-hp-tuningJob-1
arn:aws:sagemaker:us-east-1:123456789012:transform-job:my-transformJob-1

AWS Secrets Manager

Syntax:

arn:aws:secretsmanager:region:account_id:secret:path/friendly_secret_name-uniqueness_code

Each secret includes an optional path, the friendly name of the secret as entered by the user, and finally a hyphen followed by a random 6-character code generated by AWS.

Example:

arn:aws:secretsmanager:us-east-1:123456789012:secret:myfolder/MyFirstSecret-ocq1Wq

AWS Serverless Application Repository

Syntax:

arn:aws:serverlessrepo:region:account-id:applications/application-name
arn:aws:serverlessrepo:region:account-id:applications/application-name/versions/semantic-version

Examples:

arn:aws:serverlessrepo:us-east-1:123456789012:applications/myApp
arn:aws:serverlessrepo:us-east-1:123456789012:applications/myApp/versions/1.0.0

Amazon Simple Email Service (Amazon SES)

In Amazon SES, ARNs are often used to set up sending authorization. For more information, see Using Sending Authorization with Amazon SES in the Amazon Simple Email Service Developer Guide.

Syntax:

arn:aws:ses:region:account-id:identity/identity

Examples:

arn:aws:ses:us-east-1:123456789012:identity/example.com
arn:aws:ses:us-east-1:123456789012:identity/sender@example.net

Amazon Simple Notification Service (Amazon SNS)

Syntax:

arn:aws:sns:region:account-id:topicname
arn:aws:sns:region:account-id:topicname:subscriptionid

Examples:

arn:aws:sns:*:123456789012:my_corporate_topic
arn:aws:sns:us-east-1:123456789012:my_corporate_topic:02034b43-fefa-4e07-a5eb-3be56f8c54ce

Amazon Simple Queue Service (Amazon SQS)

Syntax:

arn:aws:sqs:region:account-id:queuename

Example:

arn:aws:sqs:us-east-1:123456789012:queue1

Amazon Simple Storage Service (Amazon S3)

Syntax:

arn:aws:s3:::bucket_name
arn:aws:s3:::bucket_name/key_name

Note

Amazon S3 does not require an account number or Region in ARNs. When you specify an ARN for a policy, you can also use a wildcard character "*" in the relative-ID part of the ARN.

Examples:

arn:aws:s3:::my_corporate_bucket
arn:aws:s3:::my_corporate_bucket/exampleobject.png
arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*

For more information, see Specifying Resources in a Policy in the Amazon Simple Storage Service Developer Guide.

Amazon Simple Workflow Service (Amazon SWF)

Syntax:

arn:aws:swf:region:account-id:/domain/domain_name

Examples:

arn:aws:swf:us-east-1:123456789012:/domain/department1
arn:aws:swf:*:123456789012:/domain/*

AWS Step Functions

Syntax:

arn:aws:states:region:account-id:activity:activityName
arn:aws:states:region:account-id:stateMachine:stateMachineName
arn:aws:states:region:account-id:execution:stateMachineName:executionName

Examples:

arn:aws:states:us-east-1:123456789012:activity:HelloActivity
arn:aws:states:us-east-1:123456789012:stateMachine:HelloStateMachine
arn:aws:states:us-east-1:123456789012:execution:HelloStateMachine:HelloStateMachineExecution

AWS Storage Gateway

Syntax:

arn:aws:storagegateway:region:account-id:gateway/gateway-id
arn:aws:storagegateway:region:account-id:share/share-id
arn:aws:storagegateway:region:account-id:gateway/gateway-id/volume/volume-id
arn:aws:storagegateway:region:account-id:tape/tapebarcode
arn:aws:storagegateway:region:account-id:gateway/gateway-id/target/iSCSItarget
arn:aws:storagegateway:region:account-id:gateway/gateway-id/device/vtldevice

Examples:

arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B
arn:aws:storagegateway:us-east-1:123456789012:share/share-17A34572
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/volume/vol-1122AABB
arn:aws:storagegateway:us-east-1:123456789012:tape/AMZNC8A26D
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/target/iqn.1997-05.com.amazon:vol-1122AABB
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/device/AMZN_SGW-FF22CCDD_TAPEDRIVE_00010

Note

For each AWS Storage Gateway resource, you can specify a wildcard character (*).

AWS Systems Manager

Syntax:

arn:aws:ssm:region:account-id:document/document_name
arn:aws:ssm:region:account-id:parameter/parameter_name
arn:aws:ssm:region:account-id:patchbaseline/baseline_id
arn:aws:ssm:region:account-id:maintenancewindow/window_id
arn:aws:ssm:region:account-id:automation-execution/execution_id
arn:aws:ssm:region:account-id:automation-Activity/activity_name
arn:aws:ssm:region:account-id:automation-definition/definitionName:version
arn:aws:ssm:region:account-id:managed-instance/instance_id
arn:aws:ssm:region:account-id:managed-instance-inventory/instance_id

Examples:

arn:aws:ssm:us-east-1:123456789012:document/highAvailabilityServerSetup
arn:aws:ssm:us-east-1:123456789012:parameter/myParameterName
arn:aws:ssm:us-east-1:123456789012:patchbaseline/pb-12345678901234567
arn:aws:ssm:us-east-1:123456789012:maintenancewindow/mw-12345678901234567
arn:aws:ssm:us-east-1:123456789012:automation-execution/123456-6789-1a2b3-c4d5-e1a2b3c4d
arn:aws:ssm:us-east-1:123456789012:automation-activity/myActivityName
arn:aws:ssm:us-east-1:123456789012:automation-definition/myDefinitionName:1
arn:aws:ssm:us-east-1:123456789012:managed-instance/mi-12345678901234567
arn:aws:ssm:us-east-1:123456789012:managed-instance-inventory/i-12345661

AWS Trusted Advisor

Syntax:

arn:aws:trustedadvisor:*:account-id:checks/categorycode/checkid

Example:

arn:aws:trustedadvisor:*:123456789012:checks/fault_tolerance/BueAdJ7NrP

AWS WAF

Syntax, WAF Global (for CloudFront):

arn:aws:waf::account-id:resource-type/resource-id

Syntax, WAF Regional (for Application Load Balancers):

arn:aws:waf-regional:region:account-id:resource-type/resource-id

Examples:

arn:aws:waf::123456789012:rule/41b5b052-1e4a-426b-8149-3595be6342c2
arn:aws:waf-regional:us-east-1:123456789012:rule/41b5b052-1e4a-426b-8149-3595be6342c2
arn:aws:waf::123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3
arn:aws:waf-regional:us-east-1:123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3
arn:aws:waf::123456789012:ipset/3f74bd8c-f046-4970-a1a7-41aa52e05480
arn:aws:waf-regional:us-east-1:123456789012:ipset/3f74bd8c-f046-4970-a1a7-41aa52e05480
arn:aws:waf::123456789012:bytematchset/d131bc0b-57be-4536-af1d-4894fd28acc4
arn:aws:waf-regional:us-east-1:123456789012:bytematchset/d131bc0b-57be-4536-af1d-4894fd28acc4

Paths in ARNs

For some services, you can specify a path for the resource name. For example, in Amazon S3, the resource identifier is an object name that can include slashes (/) to form a path. IAM user names and group names can also include paths.

In some cases, paths can include a wildcard character, namely an asterisk (*). For example, if you are writing an IAM policy and want to specify in the Resource element all IAM users that have the path product_1234, you can use a wildcard like this:

arn:aws:iam::123456789012:user/Development/product_1234/*

Similarly, in the Resource element of an IAM policy, you can specify user/* at the end of the ARN for all users or group/* for all groups. Examples:

"Resource":"arn:aws:iam::123456789012:user/*"
"Resource":"arn:aws:iam::123456789012:group/*"

You cannot use a wildcard to specify all users in the Principal element of a resource-based policy or a role trust policy. Groups are not supported as principals in any policy.

The following example shows ARNs for an Amazon S3 bucket in which the resource name includes a path:

arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*

You cannot use a wildcard in the portion of the ARN that specifies the resource type, such as the term user in an IAM ARN.

The following is not allowed:

arn:aws:iam::123456789012:u*
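
The wildcard rules in this section can be checked mechanically when reviewing policies. The following is an added example, not code from the AWS documentation: the function names, the sample policy, the group name Admins, and the list of services treated as having no resource type are assumptions made for illustration, and the resource type is taken to be the text before the first / or : in the resource field.

```python
# Services whose ARNs on this page carry no resource type (assumption from its syntax lists).
NO_TYPE_SERVICES = {"s3", "sns", "sqs"}

def split_arn(arn):
    """Split into six colon-separated fields; the resource field keeps any further colons."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN")
    return dict(zip(("partition", "service", "region", "account", "resource"), parts[1:]))

def resource_type(resource):
    """Assumed type portion: the text before the first '/' or ':' of the resource field."""
    res = resource.lstrip("/")  # the SWF resources on this page start with '/'
    cut = min((i for i in (res.find("/"), res.find(":")) if i != -1), default=len(res))
    return res[:cut]

def as_list(value):
    return value if isinstance(value, list) else [value]

def check(value, is_principal):
    """Return a problem string for one Resource or Principal value, or None if it passes."""
    if value == "*":
        return None  # a bare "*" is not an ARN; out of scope for this check
    try:
        arn = split_arn(value)
    except ValueError:
        return None if is_principal else "not an ARN"  # a principal may be an account ID
    if is_principal:
        if arn["resource"].startswith("group/"):
            return "group used as principal"
        return "wildcard in principal ARN" if "*" in arn["resource"] else None
    if arn["service"] not in NO_TYPE_SERVICES and "*" in resource_type(arn["resource"]):
        return "wildcard in resource type"
    return None

def lint_policy(policy):
    """List (statement index, value, problem) for every value that breaks a rule."""
    findings = []
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        principal = stmt.get("Principal", {})
        principals = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        values = [(r, False) for r in as_list(stmt.get("Resource", []))]
        values += [(p, True) for p in principals]
        findings += [(idx, v, check(v, p)) for v, p in values if check(v, p)]
    return findings

# Constructed sample: statement 0 follows the rules; statements 1 and 2 break them.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:GetUser", "Resource": [
        "arn:aws:iam::123456789012:user/Development/product_1234/*",
        "arn:aws:s3:::my_corporate_bucket/Development/*"]},
    {"Effect": "Allow", "Action": "iam:GetUser", "Resource": "arn:aws:iam::123456789012:u*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": [
        "arn:aws:iam::123456789012:user/*", "arn:aws:iam::123456789012:group/Admins"]}}]}
print(*lint_policy(SAMPLE), sep="\n")
```

Path wildcards such as user/Development/product_1234/* pass, while u*, a user/* principal and a group principal are each reported with the index of the statement that contains them.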

AWS Service Namespaces

When you create IAM policies or work with Amazon Resource Names (ARNs), you identify an AWS service using a namespace. For example, the namespace for Amazon S3 is s3, and the namespace for Amazon EC2 is ec2. You use namespaces when identifying actions and resources.

The following example shows an IAM policy in which the value of the Action elements and the values in the Resource and Condition elements use namespaces to identify the services for the actions and resources.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": [
        "arn:aws:ec2:us-west-2:123456789012:customer-gateway/*",
        "arn:aws:ec2:us-west-2:123456789012:dhcp-options/*",
        "arn:aws:ec2:us-west-2::image/*",
        "arn:aws:ec2:us-west-2:123456789012:instance/*",
        "arn:aws:iam::123456789012:instance-profile/*",
        "arn:aws:ec2:us-west-2:123456789012:internet-gateway/*",
        "arn:aws:ec2:us-west-2:123456789012:key-pair/*",
        "arn:aws:ec2:us-west-2:123456789012:network-acl/*",
        "arn:aws:ec2:us-west-2:123456789012:network-interface/*",
        "arn:aws:ec2:us-west-2:123456789012:placement-group/*",
        "arn:aws:ec2:us-west-2:123456789012:route-table/*",
        "arn:aws:ec2:us-west-2:123456789012:security-group/*",
        "arn:aws:ec2:us-west-2::snapshot/*",
        "arn:aws:ec2:us-west-2:123456789012:subnet/*",
        "arn:aws:ec2:us-west-2:123456789012:volume/*",
        "arn:aws:ec2:us-west-2:123456789012:vpc/*",
        "arn:aws:ec2:us-west-2:123456789012:vpc-peering-connection/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example_bucket/marketing/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket*",
      "Resource": "arn:aws:s3:::example_bucket",
      "Condition": {"StringLike": {"s3:prefix": "marketing/*"}}
    }
  ]
}

The following table lists the namespace for each AWS service.

Service Namespace
Alexa for Business a4b
API Gateway apigateway
AWS Application Discovery Service discovery
Amazon AppStream appstream
AWS AppSync appsync
AWS Artifact artifact
Amazon Athena athena
Amazon EC2 Auto Scaling autoscaling
AWS Batch batch
AWS Billing and Cost Management aws-portal
AWS Budgets budgets
AWS Certificate Manager (ACM) acm
Amazon Chime chime
AWS Cloud9 cloud9
Amazon Cloud Directory clouddirectory
AWS CloudFormation cloudformation
Amazon CloudFront cloudfront
AWS CloudHSM cloudhsm
Amazon CloudSearch cloudsearch
AWS CloudTrail cloudtrail
Amazon CloudWatch cloudwatch
Amazon CloudWatch Events events
Amazon CloudWatch Logs logs
AWS CodeBuild codebuild
AWS CodeCommit codecommit
AWS CodeDeploy codedeploy
AWS CodePipeline codepipeline
AWS CodeStar codestar
Amazon Cognito – Your User Pools cognito-idp
Amazon Cognito – Federated Identities cognito-identity
Amazon Cognito Sync cognito-sync
Amazon Comprehend comprehend
AWS Config config
Amazon Connect connect
AWS Data Pipeline datapipeline
AWS Database Migration Service (AWS DMS) dms
AWS Device Farm devicefarm
AWS Direct Connect directconnect
AWS Directory Service ds
Amazon DynamoDB dynamodb
Amazon Elastic Compute Cloud (Amazon EC2) ec2
Amazon Elastic Container Registry (Amazon ECR) ecr
Amazon Elastic Container Service (Amazon ECS) ecs
Amazon Elastic Container Service for Kubernetes (Amazon EKS) eks
AWS Elastic Beanstalk elasticbeanstalk
Amazon Elastic File System (Amazon EFS) elasticfilesystem
Elastic Load Balancing elasticloadbalancing
Amazon EMR elasticmapreduce
Amazon Elastic Transcoder elastictranscoder
Amazon ElastiCache elasticache
Amazon Elasticsearch Service (Amazon ES) es
AWS Firewall Manager fms
Amazon FreeRTOS freertos
Amazon GameLift gamelift
Amazon S3 Glacier glacier
AWS Glue glue
AWS IoT Greengrass greengrass
Amazon GuardDuty guardduty
AWS Health / Personal Health Dashboard health
AWS Identity and Access Management (IAM) iam
AWS Import/Export importexport
Amazon Inspector inspector
AWS IoT iot
AWS Key Management Service (AWS KMS) kms
Amazon Kinesis Data Analytics kinesisanalytics
Amazon Kinesis Data Firehose firehose
Amazon Kinesis Data Streams kinesis
Amazon Kinesis Video Streams kinesisvideo
AWS Lambda lambda
Amazon Lex lex
Amazon Lightsail lightsail
Amazon Macie macie
Amazon Machine Learning machinelearning
AWS Marketplace aws-marketplace
AWS Marketplace Management Portal aws-marketplace-management
AWS Elemental MediaConvert mediaconvert
AWS Elemental MediaLive medialive
AWS Elemental MediaPackage mediapackage
AWS Elemental MediaStore mediastore
AWS Elemental MediaTailor mediatailor
AWS Migration Hub mgh
Amazon Mobile Analytics mobileanalytics
AWS Mobile Hub mobilehub
Amazon MQ mq
AWS OpsWorks opsworks
AWS OpsWorks for Chef Automate opsworks-cm
AWS Organizations organizations
Amazon Pinpoint mobiletargeting
Amazon Polly polly
Amazon QuickSight quicksight
Amazon Redshift redshift
Amazon Rekognition rekognition
Amazon Relational Database Service (Amazon RDS) rds
AWS Resource Groups resource-groups
Amazon Route 53 route53
Amazon Route 53 Auto Naming servicediscovery
Amazon Route 53 Domains route53domains
Amazon Route 53 Resolver route53resolver
Amazon SageMaker sagemaker
AWS Secrets Manager secretsmanager
AWS Security Token Service (AWS STS) sts
AWS Serverless Application Repository serverlessrepo
AWS Service Catalog servicecatalog
AWS Shield shield
AWS Shield Advanced DDoSProtection
Amazon Simple Email Service (Amazon SES) ses
Amazon Simple Notification Service (Amazon SNS) sns
Amazon Simple Queue Service (Amazon SQS) sqs
Amazon Simple Storage Service (Amazon S3) s3
Amazon Simple Workflow Service (Amazon SWF) swf
Amazon SimpleDB sdb
AWS Step Functions states
AWS Storage Gateway storagegateway
Amazon Sumerian sumerian
AWS Support support
AWS Systems Manager ssm
Amazon Transcribe transcribe
Amazon Translate translate
AWS Trusted Advisor trustedadvisor
Amazon Virtual Private Cloud (Amazon VPC) ec2
AWS WAF waf
Amazon WorkDocs workdocs
Amazon WorkMail workmail
Amazon WorkSpaces workspaces
AWS X-Ray xray