Amazon Resource Names (ARNs) and AWS Service Namespaces
Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.
ARN Format
Here are some example ARNs:
<!-- Elastic Beanstalk application version -->
arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
<!-- IAM user name -->
arn:aws:iam::123456789012:user/David
<!-- Amazon RDS instance used for tagging -->
arn:aws:rds:eu-west-1:123456789012:db:mysql-db
<!-- Object in an Amazon S3 bucket -->
arn:aws:s3:::my_corporate_bucket/exampleobject.png
The following are the general formats for ARNs; the specific components and values used depend on the AWS service.
arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource
arn:partition:service:region:account-id:resourcetype:resource
partition
The partition that the resource is in. For standard AWS regions, the partition is aws. If you have resources in other partitions, the partition is aws-partitionname. For example, the partition for resources in the China (Beijing) region is aws-cn.
service
The service namespace that identifies the AWS product (for example, Amazon S3, IAM, or Amazon RDS). For a list of namespaces, see AWS Service Namespaces.
region
The region the resource resides in. Note that the ARNs for some resources do not require a region, so this component might be omitted.
account
The ID of the AWS account that owns the resource, without the hyphens. For example, 123456789012. Note that the ARNs for some resources don't require an account number, so this component might be omitted.
resource, resourcetype:resource, or resourcetype/resource
The content of this part of the ARN varies by service. It often includes an indicator of the type of resource—for example, an IAM user or Amazon RDS database—followed by a slash (/) or a colon (:), followed by the resource name itself. Some services allow paths for resource names, as described in Paths in ARNs.
Example ARNs
The following sections provide syntax and examples of the ARNs for different services. For more information about using ARNs in a specific AWS service, see the documentation for that service.
Some services support IAM resource-level permissions. For more information, see AWS Services That Work with IAM.
Topics
- Amazon API Gateway
- AWS Artifact
- Auto Scaling
- AWS Certificate Manager
- AWS CloudFormation
- Amazon CloudSearch
- AWS CloudTrail
- Amazon CloudWatch Events
- Amazon CloudWatch Logs
- AWS CodeBuild
- AWS CodeCommit
- AWS CodeDeploy
- AWS Config
- AWS CodePipeline
- AWS Direct Connect
- Amazon DynamoDB
- Amazon EC2 Container Registry (Amazon ECR)
- Amazon EC2 Container Service (Amazon ECS)
- Amazon Elastic Compute Cloud (Amazon EC2)
- AWS Elastic Beanstalk
- Amazon Elastic File System
- Elastic Load Balancing (Application Load Balancer)
- Elastic Load Balancing (Classic Load Balancer)
- Amazon Elastic Transcoder
- Amazon ElastiCache
- Amazon Elasticsearch Service
- Amazon Glacier
- AWS Health / Personal Health Dashboard
- AWS Identity and Access Management (IAM)
- AWS IoT
- AWS Key Management Service (AWS KMS)
- Amazon Kinesis Firehose (Firehose)
- Amazon Kinesis Streams (Streams)
- AWS Lambda (Lambda)
- Amazon Machine Learning (Amazon ML)
- Amazon Polly
- Amazon Redshift
- Amazon Relational Database Service (Amazon RDS)
- Amazon Route 53
- Amazon EC2 Simple Systems Manager (SSM)
- Amazon Simple Notification Service (Amazon SNS)
- Amazon Simple Queue Service (Amazon SQS)
- Amazon Simple Storage Service (Amazon S3)
- Amazon Simple Workflow Service (Amazon SWF)
- AWS Step Functions
- AWS Storage Gateway
- AWS Trusted Advisor
- AWS WAF
Amazon API Gateway
Syntax:
arn:aws:apigateway:region::resource-path
arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path
Examples:
arn:aws:apigateway:us-east-1::/restapis/a123456789012bc3de45678901f23a45/*
arn:aws:apigateway:us-east-1::a123456789012bc3de45678901f23a45:/test/mydemoresource/*
arn:aws:apigateway:*::a123456789012bc3de45678901f23a45:/*/petstorewalkthrough/pets
arn:aws:execute-api:us-east-1:123456789012:qsxrty/test/GET/mydemoresource/*
AWS Artifact
Syntax:
arn:aws:artifact:::report-package/document-type/report-type
Examples:
arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*
arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*
arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*
Auto Scaling
Syntax:
arn:aws:autoscaling:region:account-id:scalingPolicy:policyid:autoScalingGroupName/groupfriendlyname:policyname/policyfriendlyname
arn:aws:autoscaling:region:account-id:autoScalingGroup:groupid:autoScalingGroupName/groupfriendlyname
Example:
arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:c7a27f55-d35e-4153-b044-8ca9155fc467:autoScalingGroupName/my-test-asg1:policyName/my-scaleout-policy
AWS Certificate Manager
Syntax:
arn:aws:acm:region:account-id:certificate/certificate-id
Example:
arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
AWS CloudFormation
Syntax:
arn:aws:cloudformation:region:account-id:stack/stackname/additionalidentifier
arn:aws:cloudformation:region:account-id:changeSet/changesetname/additionalidentifier
Examples:
arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c
arn:aws:cloudformation:us-east-1:123456789012:changeSet/MyProductionChangeSet/abc9dbf0-43c2-11e3-a6e8-50fa526be49c
Amazon CloudSearch
Syntax:
arn:aws:cloudsearch:region:account-id:domain/domainname
Example:
arn:aws:cloudsearch:us-east-1:123456789012:domain/imdb-movies
AWS CloudTrail
Syntax:
arn:aws:cloudtrail:region:account-id:trail/trailname
Example:
arn:aws:cloudtrail:us-east-1:123456789012:trail/mytrailname
Amazon CloudWatch Events
Syntax:
arn:aws:events:region:*:*
Examples:
arn:aws:events:us-east-1:*:*
arn:aws:events:us-east-1:account-id:*
arn:aws:events:us-east-1:account-id:rule/rule_name
Amazon CloudWatch Logs
Syntax:
arn:aws:logs:region:*:*
Examples:
arn:aws:logs:us-east-1:*:*
arn:aws:logs:us-east-1:account-id:*
arn:aws:logs:us-east-1:account-id:log-group:log_group_name
arn:aws:logs:us-east-1:account-id:log-group:log_group_name:*
arn:aws:logs:us-east-1:account-id:log-group:log_group_name_prefix*
arn:aws:logs:us-east-1:account-id:log-group:log_group_name:log-stream:log_stream_name
arn:aws:logs:us-east-1:account-id:log-group:log_group_name:log-stream:log_stream_name_prefix*
arn:aws:logs:us-east-1:account-id:log-group:log_group_name_prefix*:log-stream:log_stream_name_prefix*
AWS CodeBuild
Syntax:
arn:aws:codebuild:region:account-id:resourcetype/resource
Examples:
arn:aws:codebuild:us-east-1:123456789012:project/my-demo-project
arn:aws:codebuild:us-east-1:123456789012:build/my-demo-project:7b7416ae-89b4-46cc-8236-61129df660ad
AWS CodeCommit
Syntax:
arn:aws:codecommit:region:account-id:resource-specifier
Example:
arn:aws:codecommit:us-east-1:123456789012:MyDemoRepo
AWS CodeDeploy
Syntax:
arn:aws:codedeploy:region:account-id:resource-type:resource-specifier
arn:aws:codedeploy:region:account-id:resource-type/resource-specifier
Example:
arn:aws:codedeploy:us-east-1:123456789012:application:WordPress_App
arn:aws:codedeploy:us-east-1:123456789012:instance/AssetTag*
AWS Config
Syntax:
arn:aws:config:region:account-id:config-rule/config-rule-name
Example:
arn:aws:config:us-east-1:123456789012:config-rule/MyConfigRule
AWS CodePipeline
Syntax:
arn:aws:codepipeline:region:account-id:resource-specifier
Example:
arn:aws:codepipeline:us-east-1:123456789012:MyDemoPipeline
AWS Direct Connect
Syntax:
arn:aws:directconnect:region:account-id:dxcon/connection-id
arn:aws:directconnect:region:account-id:dxvif/virtual-interface-id
Examples:
arn:aws:directconnect:us-east-1:123456789012:dxcon/dxcon-fgase048
arn:aws:directconnect:us-east-1:123456789012:dxvif/dxvif-fgrb110x
Amazon DynamoDB
Syntax:
arn:aws:dynamodb:region:account-id:table/tablename
Example:
arn:aws:dynamodb:us-east-1:123456789012:table/books_table
Amazon EC2 Container Registry (Amazon ECR)
Syntax:
arn:aws:ecr:region:account-id:repository/repository-name
Example:
arn:aws:ecr:us-east-1:123456789012:repository/my-repository
Amazon EC2 Container Service (Amazon ECS)
Syntax:
arn:aws:ecs:region:account-id:cluster/cluster-name
arn:aws:ecs:region:account-id:container-instance/container-instance-id
arn:aws:ecs:region:account-id:task-definition/task-definition-family-name:task-definition-revision-number
arn:aws:ecs:region:account-id:service/service-name
arn:aws:ecs:region:account-id:task/task-id
arn:aws:ecs:region:account-id:container/container-id
Examples:
arn:aws:ecs:us-east-1:123456789012:cluster/my-cluster
arn:aws:ecs:us-east-1:123456789012:container-instance/403125b0-555c-4473-86b5-65982db28a6d
arn:aws:ecs:us-east-1:123456789012:task-definition/hello_world:8
arn:aws:ecs:us-east-1:123456789012:service/sample-webapp
arn:aws:ecs:us-east-1:123456789012:task/1abf0f6d-a411-4033-b8eb-a4eed3ad252a
arn:aws:ecs:us-east-1:123456789012:container/476e7c41-17f2-4c17-9d14-412566202c8a
Amazon Elastic Compute Cloud (Amazon EC2)
Syntax:
arn:aws:ec2:region:account-id:customer-gateway/cgw-id
arn:aws:ec2:region:account_id:dedicated-host/host_id
arn:aws:ec2:region:account-id:dhcp-options/dhcp-options-id
arn:aws:ec2:region::image/image-id
arn:aws:ec2:region:account-id:instance/instance-id
arn:aws:iam::account:instance-profile/instance-profile-name
arn:aws:ec2:region:account-id:internet-gateway/igw-id
arn:aws:ec2:region:account-id:key-pair/key-pair-name
arn:aws:ec2:region:account-id:network-acl/nacl-id
arn:aws:ec2:region:account-id:network-interface/eni-id
arn:aws:ec2:region:account-id:placement-group/placement-group-name
arn:aws:ec2:region:account-id:route-table/route-table-id
arn:aws:ec2:region:account-id:security-group/security-group-id
arn:aws:ec2:region::snapshot/snapshot-id
arn:aws:ec2:region:account-id:subnet/subnet-id
arn:aws:ec2:region:account-id:volume/volume-id
arn:aws:ec2:region:account-id:vpc/vpc-id
arn:aws:ec2:region:account-id:vpc-peering-connection/vpc-peering-connection-id
arn:aws:ec2:region:account-id:vpn-connection/vpn-id
arn:aws:ec2:region:account-id:vpn-gateway/vgw-id
Examples:
arn:aws:ec2:us-east-1:123456789012:dedicated-host/h-12345678
arn:aws:ec2:us-east-1::image/ami-1a2b3c4d
arn:aws:ec2:us-east-1:123456789012:instance/*
arn:aws:ec2:us-east-1:123456789012:volume/*
arn:aws:ec2:us-east-1:123456789012:volume/vol-1a2b3c4d
AWS Elastic Beanstalk
Syntax:
arn:aws:elasticbeanstalk:region:account-id:application/applicationname
arn:aws:elasticbeanstalk:region:account-id:applicationversion/applicationname/versionlabel
arn:aws:elasticbeanstalk:region:account-id:environment/applicationname/environmentname
arn:aws:elasticbeanstalk:region::solutionstack/solutionstackname
arn:aws:elasticbeanstalk:region:account-id:configurationtemplate/applicationname/templatename
Examples:
arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App
arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version
arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
arn:aws:elasticbeanstalk:us-east-1::solutionstack/32bit Amazon Linux running Tomcat 7
arn:aws:elasticbeanstalk:us-east-1:123456789012:configurationtemplate/My App/My Template
Amazon Elastic File System
Syntax:
arn:aws:elasticfilesystem:region:account-id:file-system/file-system-id
Example:
arn:aws:elasticfilesystem:us-east-1:123456789012:file-system-id/fs12345678
Elastic Load Balancing (Application Load Balancer)
Syntax:
arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
arn:aws:elasticloadbalancing:region:account-id:listener/app/load-balancer-name/load-balancer-id/listener-id
arn:aws:elasticloadbalancing:region:account-id:listener-rule/app/load-balancer-name/load-balancer-id/listener-id/rule-id
arn:aws:elasticloadbalancing:region:account-id:targetgroup/target-group-name/target-group-id
Examples:
arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188
arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2
arn:aws:elasticloadbalancing:us-east-1:123456789012:listener-rule/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2/9683b2d02a6cabee
arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/73e2d6bc24d8a067
Elastic Load Balancing (Classic Load Balancer)
Syntax:
arn:aws:elasticloadbalancing:region:account-id:loadbalancer/name
Example:
arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/my-load-balancer
Amazon Elastic Transcoder
Syntax:
arn:aws:elastictranscoder:region:account-id:resource/id
Example:
arn:aws:elastictranscoder:us-east-1:123456789012:preset/*
Amazon ElastiCache
Syntax:
arn:aws:elasticache:region:account-id:resourcetype:resourcename
Examples:
arn:aws:elasticache:us-west-2:123456789012:cluster:myCluster
arn:aws:elasticache:us-west-2:123456789012:snapshot:mySnapshot
Amazon Elasticsearch Service
Syntax:
arn:aws:es:region:account-id:domain/domain-name
Example:
arn:aws:es:us-east-1:123456789012:domain/streaming-logs
Amazon Glacier
Syntax:
arn:aws:glacier:region:account-id:vaults/vaultname
Examples:
arn:aws:glacier:us-east-1:123456789012:vaults/examplevault
arn:aws:glacier:us-east-1:123456789012:vaults/example*
arn:aws:glacier:us-east-1:123456789012:vaults/*
AWS Health / Personal Health Dashboard
Syntax:
arn:aws:health:region::event/event-id
arn:aws:health:region:account-id:entity/entity-id
Examples:
arn:aws:health:us-east-1::event/AWS_EC2_EXAMPLE_ID
arn:aws:health:us-east-1:123456789012:entity/AVh5GGT7ul1arKr1sE1K
AWS Identity and Access Management (IAM)
Syntax:
arn:aws:iam::account-id:root
arn:aws:iam::account-id:user/user-name
arn:aws:iam::account-id:group/group-name
arn:aws:iam::account-id:role/role-name
arn:aws:iam::account-id:policy/policy-name
arn:aws:iam::account-id:instance-profile/instance-profile-name
arn:aws:sts::account-id:federated-user/user-name
arn:aws:sts::account-id:assumed-role/role-name/role-session-name
arn:aws:iam::account-id:mfa/virtual-device-name
arn:aws:iam::account-id:server-certificate/certificate-name
arn:aws:iam::account-id:saml-provider/provider-name
arn:aws:iam::account-id:oidc-provider/provider-name
Examples:
arn:aws:iam::123456789012:root
arn:aws:iam::123456789012:user/Bob
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob
arn:aws:iam::123456789012:group/Developers
arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers
arn:aws:iam::123456789012:role/S3Access
arn:aws:iam::123456789012:role/application_abc/component_xyz/S3Access
arn:aws:iam::123456789012:policy/UsersManageOwnCredentials
arn:aws:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials
arn:aws:iam::123456789012:instance-profile/Webserver
arn:aws:sts::123456789012:federated-user/Bob
arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary
arn:aws:iam::123456789012:mfa/BobJonesMFA
arn:aws:iam::123456789012:server-certificate/ProdServerCert
arn:aws:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert
arn:aws:iam::123456789012:saml-provider/ADFSProvider
arn:aws:iam::123456789012:oidc-provider/GoogleProvider
For more information about IAM ARNs, see IAM ARNs in IAM User Guide.
AWS IoT
Syntax:
arn:aws:iot:your-region:account-id:cert/cert-ID
arn:aws:iot:your-region:account-id:policy/policy-name
arn:aws:iot:your-region:account-id:rule/rule-name
arn:aws:iot:your-region:account-id:client/client-id/rule-name
Examples:
arn:aws:iot:your-region:123456789012:cert/123a456b789c123d456e789f123a456b789c123d456e789f123a456b789c123c456d7
arn:aws:iot:123456789012:policy/MyIoTPolicy
arn:aws:iot:your-region:123456789012:rule/MyIoTRule
arn:aws:iot:your-region:123456789012:client/client101
AWS Key Management Service (AWS KMS)
Syntax:
arn:aws:kms:region:account-id:key/key-id
arn:aws:kms:region:account-id:alias/alias
Examples:
arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
arn:aws:kms:us-east-1:123456789012:alias/example-alias
Amazon Kinesis Firehose (Firehose)
Syntax:
arn:aws:firehose:region:account-id:deliverystream/delivery-stream-name
Example:
arn:aws:firehose:us-east-1:123456789012:deliverystream/example-stream-name
Amazon Kinesis Streams (Streams)
Syntax:
arn:aws:kinesis:region:account-id:stream/stream-name
Example:
arn:aws:kinesis:us-east-1:123456789012:stream/example-stream-name
AWS Lambda (Lambda)
Syntax:
arn:aws:lambda:region:account-id:function:function-name
arn:aws:lambda:region:account-id:function:function-name:alias-name
arn:aws:lambda:region:account-id:function:function-name:version
arn:aws:lambda:region:account-id:event-source-mappings:event-source-mapping-id
Examples:
arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords
arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords:your alias
arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords:1.0
arn:aws:lambda:us-east-1:123456789012:event-source-mappings:kinesis-stream-arn
Amazon Machine Learning (Amazon ML)
Syntax:
arn:aws:machinelearning:region:account-id:datasource/datasourceID
arn:aws:machinelearning:region:account-id:mlmodel/mlmodelID
arn:aws:machinelearning:region:account-id:batchprediction/batchpredictionlID
arn:aws:machinelearning:region:account-id:evaluation/evaluationID
Examples:
arn:aws:machinelearning:us-east-1:123456789012:datasource/my-datasource-1
arn:aws:machinelearning:us-east-1:123456789012:mlmodel/my-mlmodel
arn:aws:machinelearning:us-east-1:123456789012:batchprediction/my-batchprediction
arn:aws:machinelearning:us-east-1:123456789012:evaluation/my-evaluation
Amazon Polly
Syntax:
arn:aws:polly:region:account-id:lexicon/LexiconName
Example:
arn:aws:polly:us-east-1:123456789012:lexicon/myLexicon
Amazon Redshift
Syntax:
arn:aws:redshift:region:account-id:cluster:clustername
arn:aws:redshift:region:account-id:dbuser:clustername/dbusername
arn:aws:redshift:region:account-id:parametergroup:parametergroupname
arn:aws:redshift:region:account-id:securitygroup:securitygroupname
arn:aws:redshift:region:account-id:snapshot:clustername/snapshotname
arn:aws:redshift:region:account-id:subnetgroup:subnetgroupname
Examples:
arn:aws:redshift:us-east-1:123456789012:cluster:my-cluster
arn:aws:redshift:us-east-1:123456789012:my-cluster/my-dbuser-name
arn:aws:redshift:us-east-1:123456789012:parametergroup:my-parameter-group
arn:aws:redshift:us-east-1:123456789012:securitygroup:my-public-group
arn:aws:redshift:us-east-1:123456789012:snapshot:my-cluster/my-snapshot20130807
arn:aws:redshift:us-east-1:123456789012:subnetgroup:my-subnet-10
Amazon Relational Database Service (Amazon RDS)
ARNs are used in Amazon RDS only with tags for DB instances. For more information, see Tagging a DB Instance in the Amazon Relational Database Service User Guide.
Syntax:
arn:aws:rds:region:account-id:db:db-instance-name
arn:aws:rds:region:account-id:snapshot:snapshot-name
arn:aws:rds:region:account-id:cluster:db-cluster-name
arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name
arn:aws:rds:region:account-id:og:option-group-name
arn:aws:rds:region:account-id:pg:parameter-group-name
arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name
arn:aws:rds:region:account-id:secgrp:security-group-name
arn:aws:rds:region:account-id:subgrp:subnet-group-name
arn:aws:rds:region:account-id:es:subscription-name
Examples:
arn:aws:rds:us-east-1:123456789012:db:mysql-db-instance1
arn:aws:rds:us-east-1:123456789012:snapshot:my-snapshot2
arn:aws:rds:us-east-1:123456789012:cluster:my-cluster1
arn:aws:rds:us-east-1:123456789012:cluster-snapshot:cluster1-snapshot7
arn:aws:rds:us-east-1:123456789012:og:mysql-option-group1
arn:aws:rds:us-east-1:123456789012:pg:mysql-repl-pg1
arn:aws:rds:us-east-1:123456789012:cluster-pg:aurora-pg3
arn:aws:rds:us-east-1:123456789012:secgrp:dev-secgrp2
arn:aws:rds:us-east-1:123456789012:subgrp:prod-subgrp1
arn:aws:rds:us-east-1:123456789012:es:monitor-events2
Amazon Route 53
Syntax:
arn:aws:route53:::hostedzone/zoneid
arn:aws:route53:::change/changeid
Note that Amazon Route 53 does not require an account number or region in ARNs.
Examples:
arn:aws:route53:::hostedzone/Z148QEXAMPLE8V
arn:aws:route53:::change/C2RDJ5EXAMPLE2
arn:aws:route53:::change/*
Amazon EC2 Simple Systems Manager (SSM)
Syntax:
arn:aws:ssm:region:account-id:document/document_name
Example:
arn:aws:ssm:us-east-1:123456789012:document/highAvailabilityServerSetup
Amazon Simple Notification Service (Amazon SNS)
Syntax:
arn:aws:sns:region:account-id:topicname
arn:aws:sns:region:account-id:topicname:subscriptionid
Examples:
arn:aws:sns:*:123456789012:my_corporate_topic
arn:aws:sns:us-east-1:123456789012:my_corporate_topic:02034b43-fefa-4e07-a5eb-3be56f8c54ce
Amazon Simple Queue Service (Amazon SQS)
Syntax:
arn:aws:sqs:region:account-id:queuename
Example:
arn:aws:sqs:us-east-1:123456789012:queue1
Amazon Simple Storage Service (Amazon S3)
Syntax:
arn:aws:s3:::bucket_name
arn:aws:s3:::bucket_name/key_name
Note
Amazon S3 does not require an account number or region in ARNs. If you specify an ARN for a policy, you can also use a wildcard "*" character in the relative-ID part of the ARN.
Examples:
arn:aws:s3:::my_corporate_bucket
arn:aws:s3:::my_corporate_bucket/exampleobject.png
arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*
For more information, see Specifying Resources in a Policy in the Amazon Simple Storage Service Developer Guide.
Amazon Simple Workflow Service (Amazon SWF)
Syntax:
arn:aws:swf:region:account-id:/domain/domain_name
Examples:
arn:aws:swf:us-east-1:123456789012:/domain/department1
arn:aws:swf:*:123456789012:/domain/*
AWS Step Functions
Syntax:
arn:aws:states:region:account-id:activity:activityName
arn:aws:states:region:account-id:stateMachine:stateMachineName
arn:aws:states:region:account-id:execution:stateMachineName:executionName
Examples:
arn:aws:states:us-east-1:123456789012:activity:HelloActivity
arn:aws:states:us-east-1:123456789012:stateMachine:HelloStateMachine
arn:aws:states:us-east-1:123456789012:execution:HelloStateMachine:HelloStateMachineExecution
AWS Storage Gateway
Syntax:
arn:aws:storagegateway:region:account-id:gateway/gateway-id
arn:aws:storagegateway:region:account-id:gateway/gateway-id/volume/volume-id
arn:aws:storagegateway:region:account-id:tape/tapebarcode
arn:aws:storagegateway:region:account-id:gateway/gateway-id/target/iSCSItarget
arn:aws:storagegateway:region:account-id:gateway/gateway-id/device/vtldevice
Examples:
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/volume/vol-1122AABB
arn:aws:storagegateway:us-east-1:123456789012:tape/AMZNC8A26D
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/target/iqn.1997-05.com.amazon:vol-1122AABB
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/device/AMZN_SGW-FF22CCDD_TAPEDRIVE_00010
Note
For each AWS Storage Gateway resource, you can specify a wild card (*).
AWS Trusted Advisor
Syntax:
arn:aws:trustedadvisor:*:account-id:checks/categorycode/checkid
Example:
arn:aws:trustedadvisor:*:123456789012:checks/fault_tolerance/BueAdJ7NrP
AWS WAF
Syntax:
arn:aws:waf::account-id:resource-type/resource-id
Examples:
arn:aws:waf::123456789012:rule/41b5b052-1e4a-426b-8149-3595be6342c2
arn:aws:waf::123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3
arn:aws:waf::123456789012:ipset/3f74bd8c-f046-4970-a1a7-41aa52e05480
arn:aws:waf::123456789012:bytematchset/d131bc0b-57be-4536-af1d-4894fd28acc4
arn:aws:waf::123456789012:sqlinjectionset/2be79d6f-2f41-4c9b-8192-d719676873f0
arn:aws:waf::123456789012:changetoken/03ba2197-fc98-4ac0-a67d-5b839762b16b
Paths in ARNs
Some services let you specify a path for the resource name. For example, in Amazon S3, the resource identifier is an object name that can include slashes (/) to form a path. Similarly, IAM user names and group names can include paths.
In some circumstances, paths can include a wildcard character, namely an asterisk (*). For example, if you are writing an IAM policy and in the Resource element you want to specify all IAM users that have the path product_1234, you can use a wildcard like this:
arn:aws:iam::123456789012:user/Development/product_1234/*
Similarly, in the Resource element of an IAM policy, at the end of the ARN you can specify user/* to mean all users or group/* to mean all groups, as in the following examples:
"Resource":"arn:aws:iam::123456789012:user/*"
"Resource":"arn:aws:iam::123456789012:group/*"
You cannot use a wildcard to specify all users in the Principal element in a resource-based policy or a role trust policy. Groups are not supported as principals in any policy.
The following example shows ARNs for an Amazon S3 bucket in which the resource name includes a path:
arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*
You cannot use a wildcard in the portion of the ARN that specifies the resource type, such as the term user in an IAM ARN.
The following is not allowed:
arn:aws:iam::123456789012:u*
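The field layout from ARN Format and the wildcard rules from Paths in ARNs, worked through in Python as an added example (not code from the original page or from AWS). The matching semantics (a wildcard stays inside one of the five leading fields but spans "/" and ":" inside the resource field), the TYPED_SERVICES set and every function name are assumptions of this example; the ARNs are taken from or modelled on the page's samples.

```python
import re
from typing import List, NamedTuple


class Arn(NamedTuple):
    partition: str
    service: str
    region: str      # empty for some services (IAM, S3, Route 53 on this page)
    account_id: str  # empty for some services (S3, Route 53 on this page)
    resource: str    # service-specific; may itself contain ":" and "/"


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its fields; only the first five colons are separators."""
    fields = arn.split(":", 5)
    if len(fields) != 6 or fields[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource = fields
    if not (partition and service and resource):
        raise ValueError(f"partition, service and resource are required: {arn!r}")
    return Arn(partition, service, region, account_id, resource)


def _glob(pattern: str, value: str) -> bool:
    """'*' matches any run of characters, '?' exactly one; all else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def arn_matches(pattern: str, arn: str) -> bool:
    """Compare field by field, so a wildcard in one leading field cannot
    swallow a neighbouring field (assumed semantics, see lead-in)."""
    return all(_glob(p, a) for p, a in zip(parse_arn(pattern), parse_arn(arn)))


# Assumption of this example: services whose resource always begins with a
# resource type. S3 is excluded because its resource starts with the bucket name.
TYPED_SERVICES = {"iam", "sts"}


def wildcard_in_resource_type(pattern: str) -> bool:
    """Flag the form the page shows as not allowed, e.g. ...:u* for IAM.
    A bare "*" resource is not flagged here; that is this example's choice."""
    arn = parse_arn(pattern)
    if arn.service not in TYPED_SERVICES or arn.resource == "*":
        return False
    leading = re.split(r"[/:]", arn.resource, maxsplit=1)[0]
    return "*" in leading or "?" in leading


def matching_patterns(patterns: List[str], arn: str) -> List[str]:
    """Return the policy Resource patterns that cover a concrete ARN."""
    return [p for p in patterns if arn_matches(p, arn)]


# Constructed sample: Resource patterns as they might appear in a policy.
SAMPLE_PATTERNS = [
    "arn:aws:s3:::my_corporate_bucket/*",
    "arn:aws:s3:::my_corporate_bucket/Development/*",
    "arn:aws:iam::123456789012:user/Development/product_1234/*",
    "arn:aws:sns:*:123456789012:my_corporate_topic",
]

if __name__ == "__main__":
    for target in (
        "arn:aws:s3:::my_corporate_bucket",  # the bucket itself
        "arn:aws:s3:::my_corporate_bucket/Development/plan.txt",
        "arn:aws:iam::123456789012:user/Development/product_1234/Bob",
        "arn:aws:iam::123456789012:user/Bob",
    ):
        print(target, "->", matching_patterns(SAMPLE_PATTERNS, target))
    print(wildcard_in_resource_type("arn:aws:iam::123456789012:u*"))
```

Note that `my_corporate_bucket/*` covers the objects but not the bucket ARN itself, which is why the policy in the next section grants the bucket-level action on `arn:aws:s3:::example_bucket` in a separate statement.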
AWS Service Namespaces
When you create AWS IAM policies or work with Amazon Resource Names (ARNs), you identify an AWS service using a namespace. For example, the namespace for Amazon S3 is s3, and the namespace for Amazon EC2 is ec2. You use namespaces when identifying actions and resources.
The following example shows an IAM policy where the value of the Action elements and the values in the Resource and Condition elements use namespaces to identify the services for the actions and resources.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": [
        "arn:aws:ec2:us-west-2:123456789012:customer-gateway/*",
        "arn:aws:ec2:us-west-2:123456789012:dhcp-options/*",
        "arn:aws:ec2:us-west-2::image/*",
        "arn:aws:ec2:us-west-2:123456789012:instance/*",
        "arn:aws:iam::123456789012:instance-profile/*",
        "arn:aws:ec2:us-west-2:123456789012:internet-gateway/*",
        "arn:aws:ec2:us-west-2:123456789012:key-pair/*",
        "arn:aws:ec2:us-west-2:123456789012:network-acl/*",
        "arn:aws:ec2:us-west-2:123456789012:network-interface/*",
        "arn:aws:ec2:us-west-2:123456789012:placement-group/*",
        "arn:aws:ec2:us-west-2:123456789012:route-table/*",
        "arn:aws:ec2:us-west-2:123456789012:security-group/*",
        "arn:aws:ec2:us-west-2::snapshot/*",
        "arn:aws:ec2:us-west-2:123456789012:subnet/*",
        "arn:aws:ec2:us-west-2:123456789012:volume/*",
        "arn:aws:ec2:us-west-2:123456789012:vpc/*",
        "arn:aws:ec2:us-west-2:123456789012:vpc-peering-connection/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example_bucket/marketing/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket*",
      "Resource": "arn:aws:s3:::example_bucket",
      "Condition": {"StringLike": {"s3:prefix": "marketing/*"}}
    }
  ]
}
The following table contains the namespace for each AWS service.
Service | Namespace |
---|---|
API Gateway | apigateway |
Amazon AppStream | appstream |
AWS Artifact | artifact |
Auto Scaling | autoscaling |
AWS Billing and Cost Management | aws-portal |
AWS Certificate Manager (ACM) | acm |
AWS CloudFormation | cloudformation |
Amazon CloudFront | cloudfront |
AWS CloudHSM | cloudhsm |
Amazon CloudSearch | cloudsearch |
AWS CloudTrail | cloudtrail |
Amazon CloudWatch | cloudwatch |
Amazon CloudWatch Events | events |
Amazon CloudWatch Logs | logs |
AWS CodeBuild | codebuild |
AWS CodeCommit | codecommit |
AWS CodeDeploy | codedeploy |
AWS CodePipeline | codepipeline |
Amazon Cognito Identity | cognito-identity |
Amazon Cognito Sync | cognito-sync |
AWS Config | config |
AWS Data Pipeline | datapipeline |
AWS Database Migration Service (AWS DMS) | dms |
AWS Device Farm | devicefarm |
AWS Direct Connect | directconnect |
AWS Directory Service | ds |
Amazon DynamoDB | dynamodb |
Amazon Elastic Compute Cloud (Amazon EC2) | ec2 |
Amazon EC2 Container Registry (Amazon ECR) | ecr |
Amazon EC2 Container Service (Amazon ECS) | ecs |
Amazon EC2 Simple Systems Manager (SSM) | ssm |
AWS Elastic Beanstalk | elasticbeanstalk |
Amazon Elastic File System (Amazon EFS) | elasticfilesystem |
Elastic Load Balancing | elasticloadbalancing |
Amazon EMR | elasticmapreduce |
Amazon Elastic Transcoder | elastictranscoder |
Amazon ElastiCache | elasticache |
Amazon Elasticsearch Service (Amazon ES) | es |
Amazon GameLift | gamelift |
Amazon Glacier | glacier |
AWS Health / Personal Health Dashboard | health |
AWS Identity and Access Management (IAM) | iam |
AWS Import/Export | importexport |
Amazon Inspector | inspector |
AWS IoT | iot |
AWS Key Management Service (AWS KMS) | kms |
Amazon Kinesis Analytics | kinesisanalytics |
Amazon Kinesis Firehose | firehose |
Amazon Kinesis Streams | kinesis |
AWS Lambda | lambda |
Amazon Lightsail | lightsail |
Amazon Machine Learning | machinelearning |
AWS Marketplace | aws-marketplace |
AWS Marketplace Management Portal | aws-marketplace-management |
Amazon Mobile Analytics | mobileanalytics |
AWS OpsWorks | opsworks |
AWS OpsWorks for Chef Automate | opsworks-cm |
Amazon Polly | polly |
Amazon Redshift | redshift |
Amazon Relational Database Service (Amazon RDS) | rds |
Amazon Route 53 | route53 |
Amazon Route 53 Domains | route53domains |
AWS Security Token Service (AWS STS) | sts |
AWS Service Catalog | servicecatalog |
Amazon Simple Email Service (Amazon SES) | ses |
Amazon Simple Notification Service (Amazon SNS) | sns |
Amazon Simple Queue Service (Amazon SQS) | sqs |
Amazon Simple Storage Service (Amazon S3) | s3 |
Amazon Simple Workflow Service (Amazon SWF) | swf |
Amazon SimpleDB | sdb |
AWS Step Functions | states |
AWS Storage Gateway | storagegateway |
AWS Support | support |
AWS Trusted Advisor | trustedadvisor |
Amazon Virtual Private Cloud (Amazon VPC) | ec2 |
AWS WAF | waf |
Amazon WorkMail | workmail |
Amazon WorkSpaces | workspaces |