Amazon Resource Names (ARNs) and AWS Service Namespaces
Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.
ARN Format
Here are some example ARNs:
<!-- Elastic Beanstalk application version --> arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment <!-- IAM user name --> arn:aws:iam::123456789012:user/David <!-- Amazon RDS instance used for tagging --> arn:aws:rds:eu-west-1:123456789012:db:mysql-db <!-- Object in an Amazon S3 bucket --> arn:aws:s3:::my_corporate_bucket/exampleobject.png
The following are the general formats for ARNs; the specific components and values
used
depend on the AWS service. To use an ARN, replace the red
italicized text in the example with your own information.
arn:partition:service:region:account-id:resourcearn:partition:service:region:account-id:resourcetype/resourcearn:partition:service:region:account-id:resourcetype/resource/qualifierarn:partition:service:region:account-id:resourcetype/resource:qualifierarn:partition:service:region:account-id:resourcetype:resourcearn:partition:service:region:account-id:resourcetype:resource:qualifier
partition-
The partition that the resource is in. For standard AWS regions, the partition is
aws. If you have resources in other partitions, the partition isaws-. For example, the partition for resources in the China (Beijing) region ispartitionnameaws-cn. service-
The service namespace that identifies the AWS product (for example, Amazon S3, IAM, or Amazon RDS). For a list of namespaces, see AWS Service Namespaces.
region-
The region the resource resides in. Note that the ARNs for some resources do not require a region, so this component might be omitted.
account-
The ID of the AWS account that owns the resource, without the hyphens. For example, 123456789012. Note that the ARNs for some resources don't require an account number, so this component might be omitted.
resource,resourcetype:resource, orresourcetype/resource-
The content of this part of the ARN varies by service. It often includes an indicator of the type of resource—for example, an IAM user or Amazon RDS database —followed by a slash (
/) or a colon (:), followed by the resource name itself. Some services allow paths for resource names, as described in Paths in ARNs.
Example ARNs
The following sections provide syntax and examples of the ARNs for different services.
For
more information about using ARNs in a specific AWS service, see the documentation
for that
service. To use an ARN, replace the red italicized text in the
example with your own information.
Some services support IAM resource-level permissions. For more information, see AWS Services That Work with IAM.
Alexa for Business
Syntax:
arn:aws:a4b:region:accountid:resourcetype/resource
Example:
arn:aws:a4b:us-east-1:123456789012:room/7315ffdf0eeb874dc4ab8a546e8b70ec/5f90e5d608b6baa9c88db56654aef158
Amazon API Gateway
Syntax:
arn:aws:apigateway:region::resource-patharn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-patharn:aws:execute-api:region:account-id:api-id/stage-name/route-key
Examples:
arn:aws:apigateway:us-east-1::/restapis/a123456789012bc3de45678901f23a45/* arn:aws:apigateway:us-east-1::a123456789012bc3de45678901f23a45:/test/mydemoresource/* arn:aws:apigateway:*::a123456789012bc3de45678901f23a45:/*/petstorewalkthrough/pets arn:aws:apigateway:us-east-1::/apis/a123456789012bc3de45678901f23a45/* arn:aws:execute-api:us-east-1:123456789012:qsxrty/test/GET/mydemoresource/* arn:aws:execute-api:us-east-1:123456789012:qsxrty/test/$connect arn:aws:execute-api:us-east-1:123456789012:qsxrty/test/$route1
AWS AppSync
Syntax:
arn:aws:appsync:your-region:account-id:apis/AppSyncEndpointName/types/Query/fields/field-namearn:aws:appsync:your-region:account-id:apis/AppSyncEndpointName/types/Mutation/fields/field-namearn:aws:appsync:your-region:account-id:apis/AppSyncEndpointName/types/Subscription/fields/field-name
Examples:
arn:aws:appsync:us-west-2:123456789012:apis/AppSyncEndpointName/types/Query/fields/posts arn:aws:appsync:us-west-2:123456789012:apis/AppSyncEndpointName/types/Mutation/fields/addPost arn:aws:appsync:us-west-2:123456789012:apis/AppSyncEndpointName/types/Query/fields/my-subscription
AWS Artifact
Syntax:
arn:aws:artifact:::report-package/document-type/report-type
Examples:
arn:aws:artifact:::report-package/Certifications and Attestations/SOC/* arn:aws:artifact:::report-package/Certifications and Attestations/ISO/* arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*
Amazon EC2 Auto Scaling
Syntax:
arn:aws:autoscaling:region:account-id:scalingPolicy:policyid:autoScalingGroupName/groupfriendlyname:policyName/policyfriendlynamearn:aws:autoscaling:region:account-id:autoScalingGroup:groupid:autoScalingGroupName/groupfriendlyname
Example:
arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:c7a27f55-d35e-4153-b044-8ca9155fc467:autoScalingGroupName/my-test-asg1:policyName/my-scaleout-policy
Application Auto Scaling
Syntax:
arn:aws:autoscaling:region:account-id:scalingPolicy:policy-id:resource/service-namespace/resource-id:policyName/policyfriendlynamearn:aws:autoscaling:region:account-id:scheduledAction:action-id:resource/service-namespace/resource-id:scheduledActionName/actionfriendlyname
Example:
arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:c7a27f55-d35e-4153-b044-8ca9155fc467:resource/ec2/spot-fleet-request/sfr-73fbd2ce-aa30-494c-8788-1cee4EXAMPLE:policyName/cpu40 arn:aws:autoscaling:us-east-1:123456789012:scheduledAction:38c84579-0f51-4adc-879b-a2cc4EXAMPLE:resource/ec2/spot-fleet-request/sfr-09d694de-4d82-4b48-a4f4-2f38fEXAMPLE:scheduledActionName/my-action
AWS Batch
Syntax:
arn:aws:batch:region:account-id:compute-environment/namearn:aws:batch:region:account-id:job-definition/job-name:revisionarn:aws:batch:region:account-id:job-queue/queue-name
Example:
arn:aws:batch:us-east-1:123456789012:compute-environment/my-environment arn:aws:batch:us-east-1:123456789012:job-definition/my-job-definition:1 arn:aws:batch:us-east-1:123456789012:job-queue/my-queue
AWS Certificate Manager
Syntax:
arn:aws:acm:region:account-id:certificate/certificate-id
Example:
arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
AWS Certificate Manager Private Certificate Authority
Syntax (private certificate authority):
arn:aws:acm-pca:region:account-id:certificate-authority/ca-id
Example:
arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/e8cbd2bedb122329f97706bcfec990f8
AWS Cloud9
Syntax:
arn:aws:cloud9:region:account-id:environment:environment-id
Example:
arn:aws:cloud9:us-west-2:123456789012:environment:81e900317347585a0601e04c8d52eaEX
Amazon Cloud Directory
Syntax:
arn:aws:clouddirectory:region:account-id:directory/directoryID
Example:
arn:aws:clouddirectory:us-west-2:123456789012:directory/ARIqk1HD-UjdtmcIrJHEvPI
AWS CloudFormation
Syntax:
arn:aws:cloudformation:region:account-id:stack/stackname/additionalidentifierarn:aws:cloudformation:region:account-id:changeSet/changesetname/additionalidentifier
Examples:
arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c arn:aws:cloudformation:us-east-1:123456789012:changeSet/MyProductionChangeSet/abc9dbf0-43c2-11e3-a6e8-50fa526be49c
Amazon CloudFront
Syntax:
arn:aws:cloudfront::account-id:*
Example:
arn:aws:cloudfront::123456789012:*
AWS Cloud Map
Syntax:
arn:aws:servicediscovery:region:account-id:namespace/namespace-idarn:aws:servicediscovery:region:account-id:service/service-id
AWS Cloud Map does not require an account number or region in ARNs.
Examples:
arn:aws:servicediscovery:us-east-1:123456789012:namespace/ns-e1tpmexample0001 arn:aws:servicediscovery:us-east-1:123456789012:service/srv-e4anhexample0004
Amazon CloudSearch
Syntax:
arn:aws:cloudsearch:region:account-id:domain/domainname
Example:
arn:aws:cloudsearch:us-east-1:123456789012:domain/imdb-movies
AWS CloudTrail
Syntax:
arn:aws:cloudtrail:region:account-id:trail/trailname
Example:
arn:aws:cloudtrail:us-east-1:123456789012:trail/mytrailname
Amazon CloudWatch
Syntax:
arn:aws:cloudwatch:region:account-id:alarm:alarm-namearn:aws:cloudwatch::account-id:dashboard/dashboard-name
Examples:
arn:aws:cloudwatch:us-east-1:123456789012:alarm:* arn:aws:cloudwatch:us-east-1:123456789012:alarm:MyAlarmName arn:aws:cloudwatch::123456789012:dashboard/MyDashboardName
Amazon CloudWatch Events
Syntax:
arn:aws:events:region:*:*
Examples:
arn:aws:events:us-east-1:*:* arn:aws:events:us-east-1:123456789012:* arn:aws:events:us-east-1:123456789012:rule/my-rule
Amazon CloudWatch Logs
Syntax:
arn:aws:logs:region:*:*
Examples:
arn:aws:logs:us-east-1:*:* arn:aws:logs:us-east-1:123456789012:* arn:aws:logs:us-east-1:123456789012:log-group:my-log-group arn:aws:logs:us-east-1:123456789012:log-group:my-log-group:* arn:aws:logs:us-east-1:123456789012:log-group:my-log-group* arn:aws:logs:us-east-1:123456789012:log-group:my-log-group:log-stream:my-log-stream arn:aws:logs:us-east-1:123456789012:log-group:my-log-group:log-stream:my-log-stream* arn:aws:logs:us-east-1:123456789012:log-group:my-log-group*:log-stream:my-log-stream*
CodeBuild
Syntax:
arn:aws:codebuild:region:account-id:resourcetype/resource
Examples:
arn:aws:codebuild:us-east-1:123456789012:project/my-demo-project arn:aws:codebuild:us-east-1:123456789012:build/my-demo-project:7b7416ae-89b4-46cc-8236-61129df660ad
AWS CodeCommit
Syntax:
arn:aws:codecommit:region:account-id:resource-specifier
Example:
arn:aws:codecommit:us-east-1:123456789012:MyDemoRepo
AWS CodeDeploy
Syntax:
arn:aws:codedeploy:region:account-id:resource-type:resource-specifierarn:aws:codedeploy:region:account-id:resource-type/resource-specifier
Example:
arn:aws:codedeploy:us-east-1:123456789012:application:WordPress_App arn:aws:codedeploy:us-east-1:123456789012:instance/AssetTag*
Amazon Cognito Your User Pools
Syntax:
arn:aws:cognito-idp:region:account-id:userpool/user-pool-id
Example:
arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1:1a1a1a1a-ffff-1111-9999-12345678
Amazon Cognito Federated Identities
Syntax:
arn:aws:cognito-identity:region:account-id:identitypool/identity-pool-id
Example:
arn:aws:cognito-identity:us-east-1:123456789012:/identitypool/us-east-1:1a1a1a1a-ffff-1111-9999-12345678
Amazon Cognito Sync
Syntax:
arn:aws:cognito-sync:region:account-id:identitypool/identity-pool-idarn:aws:cognito-sync:region:account-id:identitypool/identity-pool-id/identity/identity-idarn:aws:cognito-sync:region:account-id:identitypool/identity-pool-id/identity/identity-id/dataset/dataset-name
Example:
arn:aws:cognito-sync:us-east-1:123456789012:identitypool/us-east-1:1a1a1a1a-ffff-1111-9999-12345678
AWS Config
Syntax:
arn:aws:config:region:account-id:config-rule/config-rule-id
Example:
arn:aws:config:us-east-1:123456789012:config-rule/config-rule-8fngan
AWS CodePipeline
Syntax:
arn:aws:codepipeline:region:account-id:resource-specifier
Example:
arn:aws:codepipeline:us-east-1:123456789012:MyDemoPipeline
AWS CodeStar
Syntax:
arn:aws:codestar:region:account-id:project/resource-specifier
Example:
arn:aws:codestar:us-east-1:123456789012:project/my-first-project
AWS DataSync
arn:aws:datasync:region:account-id:agent/agent-idarn:aws:datasync:region:account-id:location/location-idarn:aws:datasync:region:account-id:task/task-idarn:aws:datasync:region:account-id:task/task-id/execution/exec-id
Examples:
arn:aws:datasync:us-east-2:111222333444:agent/agent-0b0addbeef44baca3 arn:aws:datasync:us-east-2:111222333444:location/loc-07db7abfc326c50fb arn:aws:datasync:us-east-2:111222333444:task/task-08de6e6697796f026 arn:aws:datasync:us-east-2:111222333444:task/task-08de6e6697796f026/execution/exec-04ce9d516d69bd52f
AWS Direct Connect
Syntax:
arn:aws:directconnect:region:account-id:dxcon/connection-idarn:aws:directconnect:region:account-id:dxlag/lag-idarn:aws:directconnect:region:account-id:dxvif/virtual-interface-id
Examples:
arn:aws:directconnect:us-east-1:123456789012:dxcon/dxcon-fgase048 arn:aws:directconnect:us-east-1:123456789012:dxlag/dxlag-ffy7zraq arn:aws:directconnect:us-east-1:123456789012:dxvif/dxvif-fgrb110x
AWS Directory Service
Syntax:
arn:aws:ds:region:account-id:directory/directoryId
Example:
arn:aws:ds:us-west-2:123456789012:directory/ARIqk1HD-UjdtmcIrJHEvPI
Amazon DynamoDB
Syntax:
arn:aws:dynamodb:region:account-id:table/tablenamearn:aws:dynamodb:region:account-id:table/tablename/stream/label
Example:
arn:aws:dynamodb:us-east-1:123456789012:table/books_table arn:aws:dynamodb:us-east-1:123456789012:table/books_table/stream/2015-05-11T21:21:33.291
AWS Elastic Beanstalk
Syntax:
arn:aws:elasticbeanstalk:region:account-id:application/applicationnamearn:aws:elasticbeanstalk:region:account-id:applicationversion/applicationname/versionlabelarn:aws:elasticbeanstalk:region:account-id:environment/applicationname/environmentnamearn:aws:elasticbeanstalk:region::solutionstack/solutionstacknamearn:aws:elasticbeanstalk:region:account-id:configurationtemplate/applicationname/templatename
Examples:
arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment arn:aws:elasticbeanstalk:us-east-1::solutionstack/32bit Amazon Linux running Tomcat 7 arn:aws:elasticbeanstalk:us-east-1:123456789012:configurationtemplate/My App/My Template
Amazon Elastic Compute Cloud (Amazon EC2)
Syntax:
arn:aws:ec2:region:account-id:customer-gateway/cgw-idarn:aws:ec2:region:account-id:dedicated-host/host-idarn:aws:ec2:region:account-id:dhcp-options/dhcp-options-idarn:aws:ec2:region:account-id:egress-only-internet-gateway/eigw-idarn:aws:ec2:region:account-id:elastic-gpu/elastic-gpu-idarn:aws:ec2:region::image/image-idarn:aws:ec2:region:account-id:instance/instance-idarn:aws:ec2:region:account-id:internet-gateway/igw-idarn:aws:ec2:region:account-id:key-pair/key-pair-namearn:aws:ec2:region:account-id:launch-template/launch-template-idarn:aws:ec2:region:account-id:natgateway/natgateway-idarn:aws:ec2:region:account-id:network-acl/nacl-idarn:aws:ec2:region:account-id:network-interface/eni-idarn:aws:ec2:region:account-id:placement-group/placement-group-namearn:aws:ec2:region:account-id:reserved-instances/reservation-idarn:aws:ec2:region:account-id:route-table/route-table-idarn:aws:ec2:region:account-id:security-group/security-group-idarn:aws:ec2:region::snapshot/snapshot-idarn:aws:ec2:region:account-id:spot-instances-request/spot-instance-request-idarn:aws:ec2:region:account-id:subnet/subnet-idarn:aws:ec2:region:account-id:transit-gateway/tgw-idarn:aws:ec2:region:account-id:volume/volume-idarn:aws:ec2:region:account-id:vpc/vpc-idarn:aws:ec2:region:account-id:vpc-peering-connection/vpc-peering-connection-idarn:aws:ec2:region:account-id:vpn-connection/vpn-idarn:aws:ec2:region:account-id:vpn-gateway/vgw-id
Examples:
arn:aws:ec2:us-east-1:123456789012:dedicated-host/h-12345678 arn:aws:ec2:us-east-1::image/ami-1a2b3c4d arn:aws:ec2:us-east-1:123456789012:instance/* arn:aws:ec2:us-east-1:123456789012:volume/* arn:aws:ec2:us-east-1:123456789012:volume/vol-1a2b3c4d
Amazon Elastic Container Registry (Amazon ECR)
Syntax:
arn:aws:ecr:region:account-id:repository/repository-name
Example:
arn:aws:ecr:us-east-1:123456789012:repository/my-repository
Amazon Elastic Container Service (Amazon ECS)
Syntax:
arn:aws:ecs:region:account-id:cluster/cluster-namearn:aws:ecs:region:account-id:container-instance/cluster-name/container-instance-idarn:aws:ecs:region:account-id:task-definition/task-definition-family-name:task-definition-revision-numberarn:aws:ecs:region:account-id:service/cluster-name/service-namearn:aws:ecs:region:account-id:task/cluster-name/task-idarn:aws:ecs:region:account-id:container/container-id
Examples:
arn:aws:ecs:us-east-1:123456789012:cluster/my-cluster arn:aws:ecs:us-east-1:123456789012:container-instance/my-cluster/403125b0-555c-4473-86b5-65982db28a6d arn:aws:ecs:us-east-1:123456789012:task-definition/hello_world:8 arn:aws:ecs:us-east-1:123456789012:service/my-cluster/sample-webapp arn:aws:ecs:us-east-1:123456789012:task/my-cluster/1abf0f6d-a411-4033-b8eb-a4eed3ad252a arn:aws:ecs:us-east-1:123456789012:container/476e7c41-17f2-4c17-9d14-412566202c8a
Amazon Elastic Container Service for Kubernetes (Amazon EKS)
Syntax:
arn:aws:eks:region:account-id:cluster/cluster-name
Examples:
arn:aws:eks:us-east-1:123456789012:cluster/my-cluster
Amazon Elastic File System
Syntax:
arn:aws:elasticfilesystem:region:account-id:file-system/file-system-id
Example:
arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs12345678
Elastic Load Balancing (Application Load Balancer)
Syntax:
arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-idarn:aws:elasticloadbalancing:region:account-id:listener/app/load-balancer-name/load-balancer-id/listener-idarn:aws:elasticloadbalancing:region:account-id:listener-rule/app/load-balancer-name/load-balancer-id/listener-id/rule-idarn:aws:elasticloadbalancing:region:account-id:targetgroup/target-group-name/target-group-id
Examples:
arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2 arn:aws:elasticloadbalancing:us-east-1:123456789012:listener-rule/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2/9683b2d02a6cabee arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/73e2d6bc24d8a067
Elastic Load Balancing (Network Load Balancer)
Syntax:
arn:aws:elasticloadbalancing:region:account-id:loadbalancer/net/load-balancer-name/load-balancer-idarn:aws:elasticloadbalancing:region:account-id:listener/net/load-balancer-name/load-balancer-id/listener-idarn:aws:elasticloadbalancing:region:account-id:listener-rule/net/load-balancer-name/load-balancer-id/listener-id/rule-idarn:aws:elasticloadbalancing:region:account-id:targetgroup/target-group-name/target-group-id
Examples:
arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/my-load-balancer/50dc6c495c0c9188 arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2 arn:aws:elasticloadbalancing:us-east-1:123456789012:listener-rule/net/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2/9683b2d02a6cabee arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/73e2d6bc24d8a067
Elastic Load Balancing (Classic Load Balancer)
Syntax:
arn:aws:elasticloadbalancing:region:account-id:loadbalancer/name
Example:
arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/my-load-balancer
Amazon Elastic Transcoder
Syntax:
arn:aws:elastictranscoder:region:account-id:resource/id
Example:
arn:aws:elastictranscoder:us-east-1:123456789012:preset/*
Amazon ElastiCache
Syntax:
arn:aws:elasticache:region:account-id:resourcetype:resourcename
Examples:
arn:aws:elasticache:us-east-2:123456789012:cluster:myCluster arn:aws:elasticache:us-east-2:123456789012:snapshot:mySnapshot
Amazon Elasticsearch Service
Syntax:
arn:aws:es:region:account-id:domain/domain-name
Example:
arn:aws:es:us-east-1:123456789012:domain/streaming-logs
Amazon S3 Glacier
Syntax:
arn:aws:glacier:region:account-id:vaults/vaultname
Examples:
arn:aws:glacier:us-east-1:123456789012:vaults/examplevault arn:aws:glacier:us-east-1:123456789012:vaults/example* arn:aws:glacier:us-east-1:123456789012:vaults/*
AWS Global Accelerator
Syntax:
arn:aws:globalaccelerator::account-id:accelerator/accelerator-id
Example:
arn:aws:globalaccelerator::123456789012:accelerator/123abc4567e8fa901bc2d3example
Amazon GuardDuty
Syntax:
arn:aws:guardduty:region:account-id:detector/detector-idarn:aws:guardduty:region:account-id:filter/filter-idarn:aws:guardduty:region:account-id:ipset/ipset-idarn:aws:guardduty:region:account-id:threatintelset/threatintelset-id
Examples:
arn:aws:guardduty:us-east-1:123456789012:detector/12abc34d567e8fa901bc2d34e56789f0 arn:aws:guardduty:us-east-1:123456789012:filter/fb1574d5a6ba2d77d2a656aba08aa3c3 arn:aws:guardduty:us-east-1:123456789012:ipset/0cb0141ab9fbde177613ab9436212e90 arn:aws:guardduty:us-east-1:123456789012:threatintelset/12a34567890bc1de2345f67ab8901234
AWS Health / Personal Health Dashboard
Syntax:
arn:aws:health:region::event/event-idarn:aws:health:region:account-id:entity/entity-id
Examples:
arn:aws:health:us-east-1::event/AWS_EC2_EXAMPLE_ID arn:aws:health:us-east-1:123456789012:entity/AVh5GGT7ul1arKr1sE1K
AWS Identity and Access Management (IAM)
Syntax:
arn:aws:iam::account-id:root arn:aws:iam::account-id:user/user-namearn:aws:iam::account-id:group/group-namearn:aws:iam::account-id:role/role-namearn:aws:iam::account-id:policy/policy-namearn:aws:iam::account-id:instance-profile/instance-profile-namearn:aws:sts::account-id:federated-user/user-namearn:aws:sts::account-id:assumed-role/role-name/role-session-namearn:aws:iam::account-id:mfa/virtual-device-namearn:aws:iam::account-id:u2f/u2f-token-idarn:aws:iam::account-id:server-certificate/certificate-namearn:aws:iam::account-id:saml-provider/provider-namearn:aws:iam::account-id:oidc-provider/provider-name
Examples:
arn:aws:iam::123456789012:root arn:aws:iam::123456789012:user/JohnDoe arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/JaneDoe arn:aws:iam::123456789012:group/Developers arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers arn:aws:iam::123456789012:role/S3Access arn:aws:iam::123456789012:role/application_abc/component_xyz/S3Access arn:aws:iam::123456789012:policy/UsersManageOwnCredentials arn:aws:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials arn:aws:iam::123456789012:instance-profile/Webserver arn:aws:sts::123456789012:federated-user/JohnDoe arn:aws:sts::123456789012:assumed-role/Accounting-Role/JaneDoe arn:aws:iam::123456789012:mfa/JaneDoeMFA arn:aws:iam::123456789012:u2f/user/JohnDoe/default (U2F security key) arn:aws:iam::123456789012:server-certificate/ProdServerCert arn:aws:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert arn:aws:iam::123456789012:saml-provider/ADFSProvider arn:aws:iam::123456789012:oidc-provider/GoogleProvider
For more information about IAM ARNs, see IAM ARNs in IAM User Guide.
AWS IoT
Syntax:
arn:aws:iot:your-region:account-id:cert/cert-IDarn:aws:iot:your-region:account-id:policy/policy-namearn:aws:iot:your-region:account-id:rule/rule-namearn:aws:iot:your-region:account-id:client/client-id/rule-name
Examples:
arn:aws:iot:your-region:123456789012:cert/123a456b789c123d456e789f123a456b789c123d456e789f123a456b789c123c456d7 arn:aws:iot:your-region:123456789012:policy/MyIoTPolicy arn:aws:iot:your-region:123456789012:rule/MyIoTRule arn:aws:iot:your-region:123456789012:client/client101
AWS Key Management Service (AWS KMS)
Syntax:
arn:aws:kms:region:account-id:key/key-idarn:aws:kms:region:account-id:alias/alias
Examples:
arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012 arn:aws:kms:us-east-1:123456789012:alias/example-alias
Amazon Kinesis Data Firehose (Kinesis Data Firehose)
Syntax:
arn:aws:firehose:region:account-id:deliverystream/delivery-stream-name
Example:
arn:aws:firehose:us-east-1:123456789012:deliverystream/example-stream-name
Amazon Kinesis Data Streams (Kinesis Data Streams)
Syntax:
arn:aws:kinesis:region:account-id:stream/stream-namearn:aws:kinesis:region:account-id:stream/stream-name/consumer/consumer-name:consumer-creation-timestamp
Example:
arn:aws:kinesis:us-east-1:123456789012:stream/example-stream-name arn:aws:kinesis:us-east-1:123456789012:stream/example-stream-name/consumer/example-consumer-name:1525898737
Amazon Kinesis Data Analytics (Kinesis Data Analytics)
Syntax:
arn:aws:kinesisanalytics:region:account-id:application/application-name
Example:
arn:aws:kinesisanalytics:us-east-1:123456789012:application/example-application-name
Amazon Kinesis Video Streams (Kinesis Video Streams)
Syntax:
arn:aws:kinesisvideo:region:account-id:application/stream-name/code
Example:
arn:aws:kinesisvideo:us-east-1:123456789012:stream/example-stream-name/0123456789012
AWS Lambda (Lambda)
Syntax:
arn:aws:lambda:region:account-id:function:function-namearn:aws:lambda:region:account-id:function:function-name:alias-namearn:aws:lambda:region:account-id:function:function-name:versionarn:aws:lambda:region:account-id:event-source-mappings:event-source-mapping-id
Examples:
arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords:your aliasarn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords:1.0 arn:aws:lambda:us-east-1:123456789012:event-source-mappings:kinesis-stream-arn
Amazon Macie
Syntax:
arn:aws:macie:region:account-id:trigger/triggerIDarn:aws:macie:region:account-id:trigger/triggerID/alert/alertID
Examples:
arn:aws:macie:us-east-1:123456789012:trigger/example61b3df36bff1dafaf1aa304b0ef1a975 arn:aws:macie:us-east-1:123456789012:trigger/example61b3df36bff1dafaf1aa304b0ef1a975/alert/example8780e9ca227f98dae37665c3fd22b585 arn:aws:macie:us-east-1:123456789012:trigger/behavioral/alert/example8780e9ca227f98dae37665c3fd22b585
Amazon Machine Learning (Amazon ML)
Syntax:
arn:aws:machinelearning:region:account-id:datasource/datasourceIDarn:aws:machinelearning:region:account-id:mlmodel/mlmodelIDarn:aws:machinelearning:region:account-id:batchprediction/batchpredictionlIDarn:aws:machinelearning:region:account-id:evaluation/evaluationID
Examples:
arn:aws:machinelearning:us-east-1:123456789012:datasource/my-datasource-1 arn:aws:machinelearning:us-east-1:123456789012:mlmodel/my-mlmodel arn:aws:machinelearning:us-east-1:123456789012:batchprediction/my-batchprediction arn:aws:machinelearning:us-east-1:123456789012:evaluation/my-evaluation
AWS Elemental MediaConnect
Syntax:
arn:aws:mediaconnect:region:account-id:entitlement:resourceID:resourceNamearn:aws:mediaconnect:region:account-id:flow:resourceID:resourceNamearn:aws:mediaconnect:region:account-id:output:resourceID:resourceNamearn:aws:mediaconnect:region:account-id:source:resourceID:resourceName
Examples:
arn:aws:mediaconnect:us-east-1:111111111111:entitlement:1-1a2b3c4d5e6f7g8h-123456abcDEF:EntitlementName arn:aws:mediaconnect:us-east-1:111111111111:flow:1-12345678abcdefgh-654321abcDEF:FlowName arn:aws:mediaconnect:us-east-1:111111111111:output:1-abcDEFGH12345678-abcDEF123456:OutputName arn:aws:mediaconnect:us-east-1:111111111111:source:1-abc12345678defgh-ABCdef654321:SourceName
AWS Elemental MediaConvert
Syntax:
arn:aws:mediaconvert:region:account-id:jobs/jobIDarn:aws:mediaconvert:region:account-id:jobTemplates/jobTemplateIDarn:aws:mediaconvert:region:account-id:presets/presetIDarn:aws:mediaconvert:region:account-id:queues/queueID
Examples:
arn:aws:mediaconvert:us-east-1:111111111111:jobs/0123456789012-abc123 arn:aws:mediaconvert:us-east-1:111111111111:jobTemplates/2345678 arn:aws:mediaconvert:us-east-1:111111111111:presets/System-169_WIFI_1080p arn:aws:mediaconvert:us-east-1:111111111111:queues/default
AWS Elemental MediaLive
Syntax:
arn:aws:medialive:region:account-id:inputSecurityGroup:inputSecurityGroupIDarn:aws:medialive:region:account-id:input:inputIDarn:aws:medialive:region:account-id:channel:channelID
Examples:
arn:aws:medialive:us-east-1:111111111111:inputSecurityGroup:1234567 arn:aws:medialive:us-east-1:111111111111:input:2345678 arn:aws:medialive:us-east-1:111111111111:channel:3456789
AWS Elemental MediaPackage
Syntax:
arn:aws:mediapackage:region:account-id:channels/channelIDarn:aws:mediapackage:region:account-id:origin_endpoints/originEndpointID
Examples:
arn:aws:mediapackage:eu-west-1:111122223333:channels/0a1234bc567890d12efghi3j456k789m arn:aws:mediapackage:eu-west-1:111122223333:origin_endpoints/1b2345cd678901e34fghij4k567m890n
AWS Elemental MediaStore
Syntax:
arn:aws:mediastore:region:account-id:resourceType/resourceID
Examples:
arn:aws:mediastore:us-east-1:111111111111:container/ExampleName/example-folder/folder-segment.ts
AWS Elemental MediaTailor
Syntax:
arn:aws:mediatailor:region:account-id:playbackConfiguration/Name
Examples:
arn:aws:mediatailor:us-east-1:111111111111:playbackConfiguration/exampleConfig
AWS Mobile Hub
Syntax:
arn:aws:mobilehub:region:account-id:project/projectID
Examples:
arn:aws:mobilehub:us-east-1:123456789012:project/a01234567-b012345678-123c-d013456789abc
Amazon MQ
Syntax:
arn:aws:mq:region:account-id:broker:broker-name:broker-idarn:aws:mq:region:account-id:configuration:configuration-name:configuration-id
Examples:
arn:aws:mq:us-east-1:123456789012:broker:MyBroker:b-1234a5b6-78cd-901e-2fgh-3i45j6k178l9 arn:aws:mq:us-east-1:123456789012:configuration:MyConfiguration:c-1234a5b6-78cd-901e-2fgh-3i45j6k178l9
AWS OpsWorks for Chef Automate and AWS OpsWorks for Puppet Enterprise
Syntax:
arn:aws:opsworks-cm:us-east-1:master-account-id:server/server-name-random-ID-suffix/server-id
Example:
arn:aws:opsworks-cm:us-east-1:123456789012:server/TestServer-0123456789/EXAMPLEa-1199-43a6-aa00-8a000EXAMPLE
AWS OpsWorks Stacks
Syntax:
arn:aws:opsworks:us-east-1:master-account-id:stack/stack-idarn:aws:opsworks:us-east-1:master-account-id:layer/layer-idarn:aws:opsworks:us-east-1:master-account-id:instance/opsworks-instance-idarn:aws:opsworks:us-east-1:master-account-id:app/opsworks-app-id
Example:
arn:aws:opsworks:us-east-1:123456789012:stack/EXAMPLEe-aa21-4z92-a110-a4a44EXAMPLE arn:aws:opsworks:us-east-1:123456789012:layer/EXAMPLEe-aa21-4z92-a110-a4a44EXAMPLE arn:aws:opsworks:us-east-1:123456789012:instance/EXAMPLEe-aa21-4z92-a110-a4a44EXAMPLE arn:aws:opsworks:us-east-1:123456789012:app/EXAMPLEe-aa21-4z92-a110-a4a44EXAMPLE
AWS Organizations
Syntax:
arn:aws:organizations::master-account-id:organization/o-organization-idarn:aws:organizations::master-account-id:root/o-organization-id/r-root-idarn:aws:organizations::master-account-id:account/o-organization-id/account-idarn:aws:organizations::master-account-id:ou/o-organization-id/ou-organizational-unit-idarn:aws:organizations::master-account-id:policy/o-organization-id/policy-type/p-policy-idarn:aws:organizations::master-account-id:handshake/o-organization-id/handshake-type/h-handshake-id
Example:
arn:aws:organizations::123456789012:organization/o-a1b2c3d4e5example arn:aws:organizations::123456789012:root/o-a1b2c3d4e5/r-f6g7h8i9j0example arn:aws:organizations::123456789012:account/o-a1b2c3d4e5/123456789012 arn:aws:organizations::123456789012:ou/o-a1b2c3d4e5/ou-1a2b3c-k9l8m7n6o5example arn:aws:organizations::123456789012:policy/o-a1b2c3d4e5/service_control_policy/p-p4q3r2s1t0example arn:aws:organizations::123456789012:handshake/o-a1b2c3d4e5/invite/h-u2v4w5x8y0example
Amazon Pinpoint
Syntax:
arn:aws:mobiletargeting:us-east-1:account-id:apps/appIdarn:aws:mobiletargeting:us-east-1:account-id:apps/appId/campaigns/campaignIdarn:aws:mobiletargeting:us-east-1:account-id:apps/appId/segments/segmentId
Examples:
arn:aws:mobiletargeting:us-east-1:123456789012:apps/0d72ff0905e7f8b2b879fe7744d4952a9b arn:aws:mobiletargeting:us-east-1:123456789012:apps/0d72ff0905e7f8b2b879fe7744d4952a9b/campaigns/8c95f63b24089f85819443be7c92d7 arn:aws:mobiletargeting:us-east-1:123456789012:apps/0d72ff0905e7f8b2b879fe7744d4952a9b/segments/6cdc025ba495672bb0aea4983afebf
Amazon Polly
Syntax:
arn:aws:polly:region:account-id:lexicon/LexiconName
Example:
arn:aws:polly:us-east-1:123456789012:lexicon/myLexicon
Amazon Redshift
Syntax:
arn:aws:redshift:region:account-id:cluster:cluster-namearn:aws:redshift:region:account-id:dbname:cluster-name/database-namearn:aws:redshift:region:account-id:dbuser:cluster-name/database-user-namearn:aws:redshift:region:account-id:dbgroup:cluster-name/database-group-namearn:aws:redshift:region:account-id:parametergroup:parameter-group-namearn:aws:redshift:region:account-id:securitygroup:security-group-namearn:aws:redshift:region:account-id:snapshot:cluster-name/snapshot-namearn:aws:redshift:region:account-id:subnetgroup:subnet-group-name
Examples:
arn:aws:redshift:us-east-1:123456789012:cluster:my-cluster arn:aws:redshift:us-east-1:123456789012:dbname:my-cluster/my-database arn:aws:redshift:us-east-1:123456789012:dbuser:my-cluster/my-database-user arn:aws:redshift:us-east-1:123456789012:dbgroup:my-cluster/my-database-group arn:aws:redshift:us-east-1:123456789012:parametergroup:my-parameter-group arn:aws:redshift:us-east-1:123456789012:securitygroup:my-public-group arn:aws:redshift:us-east-1:123456789012:snapshot:my-cluster/my-snapshot20130807 arn:aws:redshift:us-east-1:123456789012:subnetgroup:my-subnet-10
Amazon Relational Database Service (Amazon RDS)
ARNs are used in Amazon RDS only with tags for DB instances. For more information, see Tagging a DB Instance in the Amazon RDS User Guide.
Syntax:
arn:aws:rds:region:account-id:db:db-instance-namearn:aws:rds:region:account-id:snapshot:snapshot-namearn:aws:rds:region:account-id:cluster:db-cluster-namearn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-namearn:aws:rds:region:account-id:og:option-group-namearn:aws:rds:region:account-id:pg:parameter-group-namearn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-namearn:aws:rds:region:account-id:secgrp:security-group-namearn:aws:rds:region:account-id:subgrp:subnet-group-namearn:aws:rds:region:account-id:es:subscription-name
Examples:
arn:aws:rds:us-east-1:123456789012:db:mysql-db-instance1 arn:aws:rds:us-east-1:123456789012:snapshot:my-snapshot2 arn:aws:rds:us-east-1:123456789012:cluster:my-cluster1 arn:aws:rds:us-east-1:123456789012:cluster-snapshot:cluster1-snapshot7 arn:aws:rds:us-east-1:123456789012:og:mysql-option-group1 arn:aws:rds:us-east-1:123456789012:pg:mysql-repl-pg1 arn:aws:rds:us-east-1:123456789012:cluster-pg:aurora-pg3 arn:aws:rds:us-east-1:123456789012:secgrp:dev-secgrp2 arn:aws:rds:us-east-1:123456789012:subgrp:prod-subgrp1 arn:aws:rds:us-east-1:123456789012:es:monitor-events2
AWS Resource Groups
In AWS Resource Groups, the only available resource is a group. Groups have unique Amazon Resource Names (ARNs) associated with them. Groups are specific to regions, within accounts. For more information about Resource Groups, see the AWS Resource Groups User Guide.
Syntax:
arn:aws:resource-groups:region:account:group/group-name
Example:
arn:aws:resource-groups:us-west-2:123456789012:group/MyExampleGroup
AWS RoboMaker
Syntax:
arn:aws:robomaker:region:account-id:robot-application/robotApplicationName/createdOnEpoch arn:aws:robomaker:region:account-id:simulation-application/simulationApplicationName/createdOnEpoch arn:aws:robomaker:region:account-id:simulation-job/simulationJobIdarn:aws:robomaker:region:account-id:deployment-job/deploymentJobIdarn:aws:robomaker:region:account-id:robot/robotName/createdOnEpoch arn:aws:robomaker:region:account-id:deployment-fleet/fleetName/createdOnEpoch
Examples:
arn:aws:robomaker:us-east-1:123456789012:robot-application/helloWorldRobotApplication/1546541198985 arn:aws:robomaker:us-east-1:123456789012:simulation-application/helloWorldSimulationApplication/1546541192487 arn:aws:robomaker:us-east-1:123456789012:simulation-job/sim-g8h6tzlmblg7 arn:aws:robomaker:us-east-1:123456789012:deployment-job/deployment-4t9g6rp25zdb arn:aws:robomaker:us-east-1:123456789012:robot/helloWorldRobot/1546541197111 arn:aws:robomaker:us-east-1:123456789012:deployment-fleet/helloWorldFleet/1546541199833
Amazon Route 53
Syntax:
arn:aws:route53:::hostedzone/zoneidarn:aws:route53:::change/change-idarn:aws:route53::account-id:domain/domain-namearn:aws:route53resolver:region:account-id:resolver-rule/rule-idarn:aws:route53resolver:region:account-id:resolver-endpoint/endpoint-id
Amazon Route 53 does not require an account number or region in ARNs.
Examples:
arn:aws:route53:::hostedzone/Z148QEXAMPLE8V arn:aws:route53:::change/C2RDJ5EXAMPLE2 arn:aws:route53:::change/* arn:aws:route53::123456789012:domain/example.com arn:aws:route53resolver:us-west-2:123456789012:resolver-rule/rslvr-rr-5328a0899aexample arn:aws:route53resolver:us-west-2:123456789012:resolver-endpoint/rslvr-in-60b9fd8fdbexample
Amazon Route 53 auto naming has been released as a separate service, AWS Cloud Map. See AWS Cloud Map.
Amazon SageMaker
Syntax:
arn:aws:sagemaker:region:account-id:notebook-instance:notebookInstanceNamearn:aws:sagemaker:region:account-id:notebook-instance-lifecycle-config:notebookInstanceLifecycleConfigNamearn:aws:sagemaker:region:account-id:training-job:trainingJobNamearn:aws:sagemaker:region:account-id:model:modelNamearn:aws:sagemaker:region:account-id:endpoint:endpointNamearn:aws:sagemaker:region:account-id:endpoint-config:endpointConfigNamearn:aws:sagemaker:region:account-id:hyper-parameter-tuning-job:hyperParameterTuningJobNamearn:aws:sagemaker:region:account-id:transform-job:transformJobName
Examples:
arn:aws:sagemaker:us-east-1:123456789012:notebook-instance:my-notebookInstance-1 arn:aws:sagemaker:us-east-1:123456789012:notebook-instance-lifecycle-config:my-notebookInstanceLifecycleConfig-1 arn:aws:sagemaker:us-east-1:123456789012:training-job:my-trainingJob-1 arn:aws:sagemaker:us-east-1:123456789012:model:my-mlModel-1 arn:aws:sagemaker:us-east-1:123456789012:endpoint:my-endpoint-1 arn:aws:sagemaker:us-east-1:123456789012:endpoint-config:my-endpointConfig-1 arn:aws:sagemaker:us-east-1:123456789012:hyper-parameter-tuning-job:my-hp-tuningJob-1 arn:aws:sagemaker:us-east-1:123456789012:transform-job:my-transformJob-1
AWS Secrets Manager
Syntax:
arn:aws:secretsmanager:region:account_id:secret:path/friendly_secret_name-uniqueness_code
Each secret includes an optional path, the friendly name of the secret as supplied by the user, and finally a dash followed by an AWS generated 6 character random code.
Example:
arn:aws:secretsmanager:us-east-1:123456789012:secret:myfolder/MyFirstSecret-ocq1Wq
AWS Serverless Application Repository
Syntax:
arn:aws:serverlessrepo:region:account-id:applications/application-namearn:aws:serverlessrepo:region:account-id:applications/application-name/versions/symantic-version
Examples:
arn:aws:serverlessrepo:us-east-1:123456789012:applications/myApp arn:aws:serverlessrepo:us-east-1:123456789012:applications/myApp/versions/1.0.0
Amazon Simple Email Service (Amazon SES)
In Amazon SES, ARNs are most commonly used to set up Sending Authorization. For more information, see Using Sending Authorization with Amazon SES in the Amazon Simple Email Service Developer Guide.
Syntax:
arn:aws:ses:region:account-id:identity/identity
Examples:
arn:aws:ses:us-east-1:123456789012:identity/example.com arn:aws:ses:us-east-1:123456789012:identity/sender@example.net
Amazon Simple Notification Service (Amazon SNS)
Syntax:
arn:aws:sns:region:account-id:topicnamearn:aws:sns:region:account-id:topicname:subscriptionid
Examples:
arn:aws:sns:*:123456789012:my_corporate_topic arn:aws:sns:us-east-1:123456789012:my_corporate_topic:02034b43-fefa-4e07-a5eb-3be56f8c54ce
Amazon Simple Queue Service (Amazon SQS)
Syntax:
arn:aws:sqs:region:account-id:queuename
Example:
arn:aws:sqs:us-east-1:123456789012:queue1
Amazon Simple Storage Service (Amazon S3)
Syntax:
arn:aws:s3:::bucket_namearn:aws:s3:::bucket_name/key_name
Note
Amazon S3 does not require an account number or region in ARNs. If you specify an ARN for a policy, you can also use a wildcard "*" character in the relative-ID part of the ARN.
Examples:
arn:aws:s3:::my_corporate_bucket arn:aws:s3:::my_corporate_bucket/exampleobject.png arn:aws:s3:::my_corporate_bucket/* arn:aws:s3:::my_corporate_bucket/Development/*
For more information, see Specifying Resources in a Policy in the Amazon Simple Storage Service Developer Guide.
Amazon Simple Workflow Service (Amazon SWF)
Syntax:
arn:aws:swf:region:account-id:/domain/domain_name
Examples:
arn:aws:swf:us-east-1:123456789012:/domain/department1 arn:aws:swf:*:123456789012:/domain/*
AWS Step Functions
Syntax:
arn:aws:states:region:account-id:activity:activityNamearn:aws:states:region:account-id:stateMachine:stateMachineNamearn:aws:states:region:account-id:execution:stateMachineName:executionName
Examples:
arn:aws:states:us-east-1:123456789012:activity:HelloActivity arn:aws:states:us-east-1:123456789012:stateMachine:HelloStateMachine arn:aws:states:us-east-1:123456789012:execution:HelloStateMachine:HelloStateMachineExecution
AWS Storage Gateway
Syntax:
arn:aws:storagegateway:region:account-id:gateway/gateway-idarn:aws:storagegateway:region:account-id:share/share-idarn:aws:storagegateway:region:account-id:gateway/gateway-id/volume/volume-idarn:aws:storagegateway:region:account-id:tape/tapebarcodearn:aws:storagegateway:region:account-id:gateway/gateway-id/target/iSCSItargetarn:aws:storagegateway:region:account-id:gateway/gateway-id/device/vtldevice
Examples:
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B arn:aws:storagegateway:us-east-1:123456789012:share/share-17A34572 arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/volume/vol-1122AABB arn:aws:storagegateway:us-east-1:123456789012:tape/AMZNC8A26D arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/target/iqn.1997-05.com.amazon:vol-1122AABB arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/device/AMZN_SGW-FF22CCDD_TAPEDRIVE_00010
Note
For each AWS Storage Gateway resource, you can specify a wild card (*).
AWS Systems Manager
Syntax:
arn:aws:ssm:region:account-id:document/document_namearn:aws:ssm:region:account-id:parameter/parameter_namearn:aws:ssm:region:account-id:patchbaseline/baseline_idarn:aws:ssm:region:account-id:maintenancewindow/window_idarn:aws:ssm:region:account-id:automation-execution/execution_idarn:aws:ssm:region:account-id:automation-Activity/activity_namearn:aws:ssm:region:account-id:automation-definition/definitionName:versionarn:aws:ssm:region:account-id:managed-instance/instance_idarn:aws:ssm:region:account-id:managed-instance-inventory/instance_id
Examples:
arn:aws:ssm:us-east-1:123456789012:document/highAvailabilityServerSetup arn:aws:ssm:us-east-1:123456789012:parameter/myParameterName arn:aws:ssm:us-east-1:123456789012:patchbaseline/pb-12345678901234567 arn:aws:ssm:us-east-1:123456789012:maintenancewindow/mw-12345678901234567 arn:aws:ssm:us-east-1:123456789012:automation-execution/123456-6789-1a2b3-c4d5-e1a2b3c4d arn:aws:ssm:us-east-1:123456789012:automation-activity/myActivityName arn:aws:ssm:us-east-1:123456789012:automation-definition/myDefinitionName:1 arn:aws:ssm:us-east-1:123456789012:managed-instance/mi-12345678901234567 arn:aws:ssm:us-east-1:123456789012:managed-instance-inventory/i-12345661
AWS Transfer for SFTP
Syntax:
arn:aws:transfer:region:account-id:server/server-idarn:aws:transfer:region:account-id:user/server-id/username
Example:
arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef arn:aws:transfer:us-east-1:123456789012:user/s-01234567890abcdef/user1
AWS Trusted Advisor
Syntax:
arn:aws:trustedadvisor:*:account-id:checks/categorycode/checkid
Example:
arn:aws:trustedadvisor:*:123456789012:checks/fault_tolerance/BueAdJ7NrP
AWS WAF
Syntax, WAF Global (Used for CloudFront):
arn:aws:waf::account-id:resource-type/resource-id
Syntax, WAF Regional (Used for Application Load Balancers):
arn:aws:waf-regional:region:account-id:resource-type/resource-id
Examples:
arn:aws:waf::123456789012:rule/41b5b052-1e4a-426b-8149-3595be6342c2 arn:aws:waf::123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3 arn:aws:waf::123456789012:ipset/3f74bd8c-f046-4970-a1a7-41aa52e05480 arn:aws:waf::123456789012:bytematchset/d131bc0b-57be-4536-af1d-4894fd28acc4 arn:aws:waf-regional:us-east-1:123456789012:rule/41b5b052-1e4a-426b-8149-3595be6342c2 arn:aws:waf-regional:us-east-1:123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3 arn:aws:waf-regional:us-east-1:123456789012:ipset/3f74bd8c-f046-4970-a1a7-41aa52e05480 arn:aws:waf-regional:us-east-1:123456789012:bytematchset/d131bc0b-57be-4536-af1d-4894fd28acc4
Amazon WorkLink
Syntax:
arn:aws:worklink::account-id:fleet/fleet-name
Example:
arn:aws:worklink::123456789012:fleet/FleetName
Paths in ARNs
Some services let you specify a path for the resource name. For example, in Amazon
S3, the
resource identifier is an object name that can include slashes (/) to form a
path. Similarly, IAM user names and group names can include paths.
In some circumstances, paths can include a wildcard character, namely an asterisk
(*). For example, if you are writing an IAM policy and in the
Resource element you want to specify all IAM users that have the path
product_1234, you can use a wildcard like this:
arn:aws:iam::123456789012:user/Development/product_1234/*
Similarly, in the Resource element of an IAM policy, at the end of the ARN
you can specify user/* to mean all users or group/* to mean all
groups, as in the following examples:
"Resource":"arn:aws:iam::123456789012:user/*" "Resource":"arn:aws:iam::123456789012:group/*"
You cannot use a wildcard to specify all users in the Principal element in a
resource-based policy or a role trust policy. Groups are not supported as principals
in any
policy.
The following example shows ARNs for an Amazon S3 bucket in which the resource name includes a path:
arn:aws:s3:::my_corporate_bucket/* arn:aws:s3:::my_corporate_bucket/Development/*
You cannot use a wildcard in the portion of the ARN that specifies the resource type,
such
as the term user in an IAM ARN.
The following is not allowed:
arn:aws:iam::123456789012:u* |
AWS Service Namespaces
When you create IAM policies or work with Amazon Resource Names (ARNs), you identify
an
AWS service using a namespace. For example, the namespace for Amazon S3 is
s3, and the namespace for Amazon EC2 is ec2. You use namespaces when
identifying actions and resources.
The following example shows an IAM policy where the value of the Action
elements and the values in the Resource and Condition elements use
namespaces to identify the services for the actions and resources.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": [ "arn:aws:ec2:us-west-2:123456789012:customer-gateway/*", "arn:aws:ec2:us-west-2:123456789012:dhcp-options/*", "arn:aws:ec2:us-west-2::image/*", "arn:aws:ec2:us-west-2:123456789012:instance/*", "arn:aws:iam::123456789012:instance-profile/*", "arn:aws:ec2:us-west-2:123456789012:internet-gateway/*", "arn:aws:ec2:us-west-2:123456789012:key-pair/*", "arn:aws:ec2:us-west-2:123456789012:network-acl/*", "arn:aws:ec2:us-west-2:123456789012:network-interface/*", "arn:aws:ec2:us-west-2:123456789012:placement-group/*", "arn:aws:ec2:us-west-2:123456789012:route-table/*", "arn:aws:ec2:us-west-2:123456789012:security-group/*", "arn:aws:ec2:us-west-2::snapshot/*", "arn:aws:ec2:us-west-2:123456789012:subnet/*", "arn:aws:ec2:us-west-2:123456789012:volume/*", "arn:aws:ec2:us-west-2:123456789012:vpc/*", "arn:aws:ec2:us-west-2:123456789012:vpc-peering-connection/*" ] }, { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example_bucket/marketing/*" }, { "Effect": "Allow", "Action": "s3:ListBucket*", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"StringLike": {"s3:prefix": "marketing/*"}} } ] }
The following table contains the namespace for each AWS service.
| Service | Namespace |
|---|---|
| Alexa for Business | a4b |
| API Gateway | apigateway |
| Application Auto Scaling | application-autoscaling |
| AWS Application Discovery Service | discovery |
| Amazon AppStream | appstream |
| AWS AppSync | appsync |
| AWS Artifact | artifact |
| Amazon Athena | athena |
| Auto Scaling Plans | autoscaling-plans |
| AWS Batch | batch |
| AWS Billing and Cost Management | aws-portal |
| AWS Budgets | budgets |
| AWS Certificate Manager (ACM) | acm |
| AWS Certificate Manager Private Certificate Authority | acm-pca |
| Amazon Chime | chime |
| AWS Cloud9 | cloud9 |
| Amazon Cloud Directory | clouddirectory |
| AWS CloudFormation | cloudformation |
| Amazon CloudFront | cloudfront |
| AWS CloudHSM | cloudhsm |
| AWS Cloud Map | servicediscovery |
| Amazon CloudSearch | cloudsearch |
| AWS CloudTrail | cloudtrail |
| Amazon CloudWatch | cloudwatch |
| Amazon CloudWatch Events | events |
| Amazon CloudWatch Logs | logs |
| CodeBuild | codebuild |
| AWS CodeCommit | codecommit |
| AWS CodeDeploy | codedeploy |
| AWS CodePipeline | codepipeline |
| AWS Code Signing for Amazon FreeRTOS | signer |
| AWS CodeStar | codestar |
| Amazon Cognito Your User Pools | cognito-idp |
| Amazon Cognito Federated Identities | cognito-identity |
| Amazon Cognito Sync | cognito-sync |
| Amazon Comprehend | comprehend |
| AWS Config | config |
| Amazon Connect | connect |
| AWS Cost and Usage Report | cur |
| AWS Cost Explorer Service | ce |
| AWS Data Pipeline | datapipeline |
| AWS Database Migration Service (AWS DMS) | dms |
| AWS Device Farm | devicefarm |
| AWS Direct Connect | directconnect |
| AWS Directory Service | ds |
| Amazon DynamoDB | dynamodb |
| Amazon DynamoDB Accelerator (DAX) | dax |
| Amazon EC2 Auto Scaling | autoscaling |
| Amazon Elastic Compute Cloud (Amazon EC2) | ec2 |
| Amazon Elastic Container Registry (Amazon ECR) | ecr |
| Amazon Elastic Container Service (Amazon ECS) | ecs |
| Amazon Elastic Container Service for Kubernetes (Amazon EKS) | eks |
| AWS Elastic Beanstalk | elasticbeanstalk |
| Amazon Elastic File System (Amazon EFS) | elasticfilesystem |
| Elastic Load Balancing | elasticloadbalancing |
| Amazon EMR | elasticmapreduce |
| Amazon Elastic Transcoder | elastictranscoder |
| Amazon ElastiCache | elasticache |
| Amazon Elasticsearch Service (Amazon ES) | es |
| AWS Firewall Manager | fms |
| Amazon FreeRTOS | freertos |
| Amazon GameLift | gamelift |
| Amazon S3 Glacier | glacier |
| AWS Global Accelerator | globalaccelerator |
| AWS Glue | glue |
| AWS IoT Greengrass | greengrass |
| Amazon GuardDuty | guardduty |
| AWS Health / Personal Health Dashboard | health |
| AWS Identity and Access Management (IAM) | iam |
| AWS Import/Export | importexport |
| Amazon Inspector | inspector |
| AWS IoT | iot |
| AWS IoT Analytics | iotanalytics |
| AWS IoT 1-Click | iot1click |
| AWS Key Management Service (AWS KMS) | kms |
| Amazon Kinesis Data Analytics | kinesisanalytics |
| Amazon Kinesis Data Firehose | firehose |
| Amazon Kinesis Data Streams | kinesis |
| Amazon Kinesis Video Streams | kinesisvideo |
| AWS Lambda | lambda |
| Amazon Lex | lex |
| Amazon Lightsail | lightsail |
| Amazon Macie | macie |
| Amazon Machine Learning | machinelearning |
| AWS Marketplace | aws-marketplace |
| AWS Marketplace Management Portal | aws-marketplace-management |
| Amazon Mechanical Turk | mechanicalturk |
| Amazon Mechanical Turk Crowd | crowd |
| AWS Elemental MediaConnect | mediaconnect |
| AWS Elemental MediaConvert | mediaconvert |
| AWS Elemental MediaLive | medialive |
| AWS Elemental MediaPackage | mediapackage |
| AWS Elemental MediaStore | mediastore |
| AWS Elemental MediaTailor | mediatailor |
| Amazon Message Delivery Service | ec2message |
| AWS Migration Hub | mgh |
| Amazon Mobile Analytics | mobileanalytics |
| AWS Mobile Hub | mobilehub |
| Amazon MQ | mq |
| AWS OpsWorks | opsworks |
| AWS OpsWorks for Chef Automate or AWS OpsWorks for Puppet Enterprise | opsworks-cm |
| AWS Organizations | organizations |
| Amazon Personalize | personalize |
| Amazon Pinpoint | mobiletargeting |
| Amazon Polly | polly |
| AWS Price List | pricing |
| Amazon QuickSight | quicksight |
| Amazon Redshift | redshift |
| Amazon Rekognition | rekognition |
| Amazon Relational Database Service (Amazon RDS) | rds |
| AWS Resource Groups | resource-groups |
| Amazon Resource Group Tagging API | tag |
| Amazon Route 53 | route53 |
| Amazon Route 53 Domains | route53domains |
| Amazon Route 53 Resolver | route53resolver |
| Amazon SageMaker | sagemaker |
| AWS Secrets Manager | secretsmanager |
| AWS Security Token Service (AWS STS) | sts |
| AWS Serverless Application Repository | serverlessrepo |
| AWS Service Catalog | servicecatalog |
| AWS Shield | shield |
| AWS Shield Advanced | shield |
| AWS SFTP | transfer |
| Amazon Simple Email Service (Amazon SES) | ses |
| Amazon Simple Notification Service (Amazon SNS) | sns |
| Amazon Simple Queue Service (Amazon SQS) | sqs |
| Amazon Simple Storage Service (Amazon S3) | s3 |
| Amazon Simple Workflow Service (Amazon SWF) | swf |
| Amazon SimpleDB | sdb |
| AWS Single Sign-On | sso |
| AWS Snowball | snowball |
| AWS Step Functions | states |
| AWS Storage Gateway | storagegateway |
| Amazon Sumerian | sumerian |
| AWS Support | support |
| AWS Systems Manager | ssm |
| Amazon Textract | textract |
| Amazon Transcribe | transcribe |
| Amazon Translate | translate |
| AWS Trusted Advisor | trustedadvisor |
| Amazon Virtual Private Cloud (Amazon VPC) | ec2 |
| AWS WAF | waf |
| AWS WAF Regional | waf-regional |
| Amazon WorkDocs | workdocs |
| Amazon WorkLink | worklink |
| Amazon WorkMail | workmail |
| Amazon WorkSpaces | workspaces |
| Amazon WorkSpaces Application Manager | wam |
| AWS X-Ray | xray |
