
Amazon Resource Name (ARN)

These are globally unique identifiers of your AWS resources. They're used to reference a specific resource in your account, and they're required when you're doing a whole host of tasks. These tasks include:

  • Writing IAM policies that reference a particular resource (or a range of them)
  • Calling the AWS API to perform some action against a resource
  • Amazon Relational Database Service (Amazon RDS) tags

And more.

Here's what an ARN can look like:

    arn:partition:service:region:account-id:resource-id
    arn:partition:service:region:account-id:resource-type/resource-id
    arn:partition:service:region:account-id:resource-type:resource-id

But they can look a bit different depending on the service. When working with a service, be mindful that its ARN format may not be what you expect: if you're referencing a resource for a particular service, you have to use the ARN format for that service. You'll find this mostly trips you up when writing IAM policies.

Broken down, an ARN is made up of:

  1. partition refers to the higher-level "region" of AWS the resource is in, and will be aws, aws-cn or aws-us-gov; essentially this tells us whether the resource is in public, non-China AWS (aws), China-specific AWS (aws-cn), or US Government-specific AWS (aws-us-gov)
  2. service is the literal name of the AWS service this resource relates to, such as ec2 or s3
  3. region is the more specific region, and relates directly to a set of availability zones that form a single region, such as ap-southeast-2 for Sydney, Australia
  4. account-id is the literal AWS account ID this resource belongs to
  5. resource-id can be a simple word or a more complex path-like structure depending on the service, but it identifies that resource directly
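As an added example (not part of this page or of any AWS tooling), here's a small Python parser for the three ARN layouts above, with a check over the Resource entries of an IAM policy statement that flags malformed ARNs, ARNs for the wrong service, and the "*" wildcard. The function names, the sample ARNs and the account id 123456789012 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

VALID_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str                   # empty for global services such as IAM
    account_id: str               # empty for S3 ARNs
    resource_type: Optional[str]  # None for the plain resource-id layout
    resource_id: str


def parse_arn(arn: str) -> Arn:
    # Six ':'-separated fields; the resource field may itself contain ':' or '/', so split at most 5 times.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts
    if partition not in VALID_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r}")
    if not service or not resource:
        raise ValueError(f"service and resource are required: {arn!r}")
    if account_id and not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"account id must be 12 digits: {account_id!r}")
    # Layouts: id, type/id, type:id. Cut at the first separator found, so
    # 'log-group:/aws/lambda/x' yields type 'log-group' and id '/aws/lambda/x'.
    cuts = [i for i in (resource.find("/"), resource.find(":")) if i != -1]
    if not cuts:
        return Arn(partition, service, region, account_id, None, resource)
    return Arn(partition, service, region, account_id,
               resource[:min(cuts)], resource[min(cuts) + 1:])


def check_policy_resources(resources: list, expected_service: str) -> list:
    # One problem string per Resource entry that is not a valid ARN for the
    # expected service; '*' is reported because it matches every resource.
    problems = []
    for res in resources:
        if res == "*":
            problems.append("wildcard '*' matches every resource")
            continue
        try:
            arn = parse_arn(res)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if arn.service != expected_service:
            problems.append(f"{res}: service {arn.service!r} != {expected_service!r}")
    return problems
```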

Official documentation: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html.