An AWS ARN is a unique identifier assigned to resources within the AWS ecosystem. It enables users to unambiguously reference and manage resources across various AWS services. ARNs are essential for specifying resources when creating IAM policies, defining CloudFormation templates, or using AWS CLI commands and SDKs.
Structure of an AWS ARN
The general structure of an ARN takes one of three documented forms, depending on the service:
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id
- arn: The literal string arn, indicating that this is an Amazon Resource Name.
- partition: The partition the resource is in. This is aws for the standard regions, aws-cn for the China (Beijing) and China (Ningxia) regions, and aws-us-gov for the AWS GovCloud (US) regions.
- service: The AWS service namespace, e.g., s3 for Amazon S3 or iam for AWS Identity and Access Management.
- region: The AWS region where the resource is located (e.g., us-west-2). Some resources, such as IAM, are global and leave this field empty.
- account-id: The 12-digit AWS account number that owns the resource. Some services, S3 being the common example, leave this field empty.
- resource-type: The type of resource, for example user or vpc. It is separated from the resource-id by either a slash or a colon, depending on the service.
- resource-id: The unique identifier of the resource itself. It may itself contain slashes, for example an IAM path or an S3 object key.
ARN variants
Not all ARNs follow the same structure. In many cases some parts of the ARN are omitted, depending on the resource type. For example, the ARN of an IAM user is as follows:
arn:aws:iam::123456789012:user/MyUserName
In this case, the region has been omitted, as IAM is a global service. The ARN of an S3 bucket, on the other hand, is as follows:
arn:aws:s3:::my_bucket
In this case, the region and account ID have been omitted, because bucket names are globally unique within a partition and S3 does not qualify them by region or owner. You can also see that this ARN does not use the resource-type part: the resource field is simply the bucket name, optionally followed by a slash and an object key. One consequence worth keeping in mind when writing policies is that an S3 bucket ARN identifies the bucket by name only, not by owning account. If a bucket is deleted and another account later creates a bucket with the same name, a policy that still references that ARN now points at a bucket you do not control; the s3:ResourceAccount condition key can be used to pin such statements to your own account. The ARN of an S3 object, on the other hand, is as follows:
arn:aws:s3:::my_bucket/path/to/my_object
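The variants above are easy to get wrong when splitting an ARN naively on colons, because the resource field can itself contain colons and slashes. The following parser is an added example written for this page, not code from AWS or any SDK. It accepts the three documented forms, treats the partition list and the 12-digit account-id rule as hard checks, and special-cases S3, whose ARNs have no resource-type segment. It is meant for concrete ARNs only; policy patterns containing wildcards are a separate concern.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Partitions documented by AWS: standard regions, China regions, GovCloud (US).
VALID_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str                   # empty string for global services such as IAM
    account_id: str               # empty string where the service omits it (S3)
    resource_type: Optional[str]  # None when the ARN has no type segment (S3)
    resource_id: str


def parse_arn(arn: str) -> Arn:
    """Split a concrete ARN into its fields, raising ValueError on malformed input.

    Only concrete ARNs are accepted; policy patterns containing '*' or '?'
    are not validated by this function.
    """
    # The resource field may itself contain ':' (e.g. rds ... :db:mydb), so
    # split on at most five colons and keep the remainder intact.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts

    if partition not in VALID_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {arn!r}")
    if not service or not resource:
        raise ValueError(f"service and resource are mandatory: {arn!r}")
    # account-id is either empty (S3) or exactly twelve digits.
    if account_id and not re.fullmatch(r"[0-9]{12}", account_id):
        raise ValueError(f"bad account id {account_id!r} in {arn!r}")

    if service == "s3":
        # S3 ARNs carry no resource-type: the whole field is the bucket name,
        # optionally followed by '/' and an object key.
        return Arn(partition, service, region, account_id, None, resource)

    # Other services separate type from id with the first '/' or ':' in the
    # field; anything after that separator (IAM paths, nested ids) stays in id.
    separators = [i for i in (resource.find("/"), resource.find(":")) if i != -1]
    if not separators:
        return Arn(partition, service, region, account_id, None, resource)
    cut = min(separators)
    return Arn(partition, service, region, account_id, resource[:cut], resource[cut + 1:])


def is_valid_arn(arn: str) -> bool:
    """Convenience wrapper for code paths that only need a yes/no answer."""
    try:
        parse_arn(arn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: the page's IAM, S3 and RDS examples plus a GovCloud VPC.
    for sample in (
        "arn:aws:iam::123456789012:user/MyUserName",
        "arn:aws:s3:::my_bucket",
        "arn:aws:s3:::my_bucket/path/to/my_object",
        "arn:aws:rds:us-west-2:123456789012:db:mydb",
        "arn:aws-us-gov:ec2:us-gov-west-1:123456789012:vpc/vpc-0123456789abcdef0",
    ):
        print(parse_arn(sample))
```

Splitting on the first separator rather than the last is what keeps an IAM path such as user/division_abc/MyUserName in the resource-id where it belongs; the S3 special case exists because, as noted above, S3 ARNs have no type segment at all, so a generic split would misread the bucket name as a type.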
Using AWS ARNs
ARNs are used throughout the AWS ecosystem to reference resources. Here are some common scenarios where you’ll encounter ARNs:
- IAM policies: To grant or deny access to resources, you need to specify their ARNs in the policy statements.
- AWS CLI / SDKs: When executing commands or making API calls, you often need to provide the ARN of the resource you want to interact with.
- CloudFormation templates and Terraform configurations: ARNs are used to reference existing resources, and are commonly exposed as output values so that other stacks or modules can consume them.
IAM policies play a crucial role in defining access control rules for your AWS resources. By referencing resources precisely by ARN in your IAM policies, you can achieve fine-grained access control. Wildcards allow for greater flexibility when defining access permissions, at the cost of precision.
IAM supports two wildcard characters in the Resource element: the asterisk (*) matches any sequence of characters, including an empty one, and the question mark (?) matches exactly one character. The asterisk also matches across separators such as / and :, so arn:aws:s3:::mybucket/* covers every object key in the bucket no matter how deeply nested, while arn:aws:s3:::mybucket* would also cover unrelated buckets such as mybucket-backup. Wildcards are useful when you want to grant or deny access to multiple resources without specifying each ARN individually; keep them as narrow as the use case allows, because an over-broad pattern is the most common way a policy ends up granting more than intended.
Here are some examples of how wildcards can be used with ARNs in IAM policies:
Granting read access to all objects within a specific S3 bucket. Note that this pattern matches object keys only; bucket-level actions such as s3:ListBucket operate on the bucket ARN (arn:aws:s3:::mybucket), which would need to be listed as a separate Resource entry:
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/*"
}
Allowing access to all DynamoDB tables within a specific region. Because the asterisk matches across slashes, table/* also covers table sub-resources such as indexes and streams, and dynamodb:* includes destructive control-plane actions such as DeleteTable, so narrow the Action list for anything beyond a sandbox:
{
"Effect": "Allow",
"Action": "dynamodb:*",
"Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/*"
}
Granting access to all Amazon RDS DB instances owned by the account, in every region (the region field is itself a wildcard here). rds:* also includes actions on other RDS resource types such as snapshots and clusters, which this db:* Resource does not cover, so those calls would still be denied:
{
"Effect": "Allow",
"Action": "rds:*",
"Resource": "arn:aws:rds:*:123456789012:db:*"
}
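To make the wildcard semantics concrete, the following added example (written for this page; it is not AWS code and only approximates the real policy evaluation logic) implements IAM-style pattern matching and a minimal Allow/Deny evaluator, then runs the three policy statements above, plus one constructed explicit Deny, against sample ARNs. It deliberately ignores Condition, NotAction/NotResource, Principal, resource-based policies and SCPs; the point is to show which ARNs a given Resource pattern actually matches, including the cases where a pattern is narrower or broader than it looks.

```python
import re
from typing import Dict, Iterable, List, Union

# Minimal model of the statement fields used here (assumed shape, see lead-in).
Statement = Dict[str, Union[str, List[str]]]


def wildcard_to_regex(pattern: str, ignore_case: bool = False) -> "re.Pattern[str]":
    """IAM wildcard semantics: '*' matches any run of characters (including none
    and including '/' or ':'), '?' matches exactly one character, all else literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(regex, re.IGNORECASE if ignore_case else 0)


def matches(pattern: str, value: str, ignore_case: bool = False) -> bool:
    return wildcard_to_regex(pattern, ignore_case).fullmatch(value) is not None


def _as_list(value: Union[str, Iterable[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def evaluate(statements: Iterable[Statement], action: str, resource_arn: str) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action on one ARN.

    Action names are case-insensitive in IAM; resource ARNs are compared
    exactly. An explicit Deny always wins over any Allow.
    """
    decision = "ImplicitDeny"
    for stmt in statements:
        if not any(matches(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(matches(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed sample policy: the page's three statements plus one explicit Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*"},
        {"Effect": "Allow", "Action": "dynamodb:*",
         "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/*"},
        {"Effect": "Allow", "Action": "rds:*", "Resource": "arn:aws:rds:*:123456789012:db:*"},
        {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"},
    ],
}


def check(action: str, resource_arn: str) -> str:
    """Evaluate one request against SAMPLE_POLICY."""
    return evaluate(SAMPLE_POLICY["Statement"], action, resource_arn)


if __name__ == "__main__":
    for action, arn in (
        ("s3:GetObject", "arn:aws:s3:::mybucket/reports/2024/q1.csv"),   # nested key, matched
        ("s3:ListBucket", "arn:aws:s3:::mybucket"),                      # bucket itself, not matched by mybucket/*
        ("s3:GetObject", "arn:aws:s3:::mybucket-backup/x"),              # different bucket, not matched
        ("dynamodb:PutItem", "arn:aws:dynamodb:us-west-2:123456789012:table/Orders"),
        ("dynamodb:PutItem", "arn:aws:dynamodb:eu-west-1:123456789012:table/Orders"),  # wrong region
        ("dynamodb:DeleteTable", "arn:aws:dynamodb:us-west-2:123456789012:table/Orders"),  # explicit Deny wins
        ("rds:DescribeDBInstances", "arn:aws:rds:eu-central-1:123456789012:db:prod-db"),   # region wildcard
    ):
        print(f"{check(action, arn):13} {action:24} {arn}")
```

The two results worth internalising are the s3:ListBucket case, where mybucket/* silently fails to cover the bucket ARN and the request is implicitly denied, and the matches("arn:aws:s3:::mybucket*", ...) case, where dropping the slash makes the pattern match any bucket whose name merely starts with mybucket.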