Try it now and let us know what you think. Switch to the new look >>
You can return to the original look by selecting English in the language selector above.
Amazon Resource Names (ARNs)
Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.
Contents
ARN Format
The following are the general formats for ARNs; the specific components and values
used depend on the AWS service. To use an ARN, replace the red
italicized text in the example with your own information.
arn:partition:service:region:account-id:resource-idarn:partition:service:region:account-id:resource-type/resource-idarn:partition:service:region:account-id:resource-type:resource-id
partition-
The partition that the resource is in. For standard AWS Regions, the partition is
aws. If you have resources in other partitions, the partition isaws-. For example, the partition for resources in the China (Beijing) Region ispartitionnameaws-cn. service-
The service namespace that identifies the AWS product (for example, Amazon S3, IAM, or Amazon RDS).
region-
The Region that the resource resides in. The ARNs for some resources do not require a Region, so this component might be omitted.
account-id-
The ID of the AWS account that owns the resource, without the hyphens. For example, 123456789012. The ARNs for some resources don't require an account number, so this component might be omitted.
resourceorresource-type-
The content of this part of the ARN varies by service. A resource identifier can be the name or ID of the resource (for example, user/Bob or instance/i-1234567890abcdef0) or a resource path. For example, some resource identifiers include a parent resource (sub-resource-type/parent-resource/sub-resource) or a qualifier such as a version (resource-type:resource-name:qualifier).
Paths in ARNs
Some resource ARNs can include a path. For example, in Amazon S3, the resource
identifier is an object name that can include slashes (/) to form a
path. Similarly, IAM user names and group names can include paths.
In some circumstances, paths can include a wildcard character, namely an asterisk
(*). For example, if you are writing an IAM policy, you can
specify all IAM users that have the path product_1234 using a
wildcard like this:
arn:aws:iam::123456789012:user/Development/product_1234/*
Similarly, you can specify user/* to mean all users or
group/* to mean all groups, as in the following examples:
"Resource":"arn:aws:iam::123456789012:user/*" "Resource":"arn:aws:iam::123456789012:group/*"
You cannot use a wildcard to specify all users in the Principal element
in a resource-based policy or a role trust policy. Groups are not supported as
principals in any policy.
The following example shows ARNs for an Amazon S3 bucket in which the resource name includes a path:
arn:aws:s3:::my_corporate_bucket/* arn:aws:s3:::my_corporate_bucket/Development/*
You cannot use a wildcard in the portion of the ARN that specifies the resource type,
such as the term user in an IAM ARN.
The following is not allowed:
arn:aws:iam::123456789012:u* |
Resource ARNs
The documentation for AWS Identity and Access Management (IAM) lists the ARNs supported by each service, as well as whether the API actions support resource-level permissions. For more information, see Actions, Resources, and Condition Keys for AWS Services in the IAM User Guide.
The following resources are defined by AWS services, as documented in the IAM User Guide.
