Amazon Web Services
General Reference (Version 1.0)
AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Amazon Resource Names (ARNs) and AWS Service Namespaces

Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.

ARN Format

Here are some example ARNs:

Copy
<!-- Elastic Beanstalk application version --> arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment <!-- IAM user name --> arn:aws:iam::123456789012:user/David <!-- Amazon RDS instance used for tagging --> arn:aws:rds:eu-west-1:123456789012:db:mysql-db <!-- Object in an Amazon S3 bucket --> arn:aws:s3:::my_corporate_bucket/exampleobject.png

The following are the general formats for ARNs; the specific components and values used depend on the AWS service.

Copy
arn:partition:service:region:account-id:resource arn:partition:service:region:account-id:resourcetype/resource arn:partition:service:region:account-id:resourcetype:resource
partition

The partition that the resource is in. For standard AWS regions, the partition is aws. If you have resources in other partitions, the partition is aws-partitionname. For example, the partition for resources in the China (Beijing) region is aws-cn.

service

The service namespace that identifies the AWS product (for example, Amazon S3, IAM, or Amazon RDS). For a list of namespaces, see AWS Service Namespaces.

region

The region the resource resides in. Note that the ARNs for some resources do not require a region, so this component might be omitted.

account

The ID of the AWS account that owns the resource, without the hyphens. For example, 123456789012. Note that the ARNs for some resources don't require an account number, so this component might be omitted.

resource, resourcetype:resource, or resourcetype/resource

The content of this part of the ARN varies by service. It often includes an indicator of the type of resource—for example, an IAM user or Amazon RDS database —followed by a slash (/) or a colon (:), followed by the resource name itself. Some services allows paths for resource names, as described in Paths in ARNs.

Example ARNs

The following sections provide syntax and examples of the ARNs for different services. For more information about using ARNs in a specific AWS service, see the documentation for that service.

Some services support IAM resource-level permissions. For more information, see AWS Services That Work with IAM.

Amazon API Gateway

Syntax:

Copy
arn:aws:apigateway:region::resource-path arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path

Examples:

Copy
arn:aws:apigateway:us-east-1::/restapis/a123456789012bc3de45678901f23a45/* arn:aws:apigateway:us-east-1::a123456789012bc3de45678901f23a45:/test/mydemoresource/* arn:aws:apigateway:*::a123456789012bc3de45678901f23a45:/*/petstorewalkthrough/pets arn:aws:execute-api:us-east-1:123456789012:qsxrty/test/GET/mydemoresource/*

AWS Artifact

Syntax:

Copy
arn:aws:artifact:::report-package/document-type/report-type

Examples:

Copy
arn:aws:artifact:::report-package/Certifications and Attestations/SOC/* arn:aws:artifact:::report-package/Certifications and Attestations/ISO/* arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*

Auto Scaling

Syntax:

Copy
arn:aws:autoscaling:region:account-id:scalingPolicy:policyid:autoScalingGroupName/groupfriendlyname:policyname/policyfriendlyname arn:aws:autoscaling:region:account-id:autoScalingGroup:groupid:autoScalingGroupName/groupfriendlyname

Example:

Copy
arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:c7a27f55-d35e-4153-b044-8ca9155fc467:autoScalingGroupName/my-test-asg1:policyName/my-scaleout-policy

AWS Certificate Manager

Syntax:

Copy
arn:aws:acm:region:account-id:certificate/certificate-id

Example:

Copy
arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012

AWS CloudFormation

Syntax:

Copy
arn:aws:cloudformation:region:account-id:stack/stackname/additionalidentifier
Copy
arn:aws:cloudformation:region:account-id:changeSet/changesetname/additionalidentifier

Examples:

Copy
arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c
Copy
arn:aws:cloudformation:us-east-1:123456789012:changeSet/MyProductionChangeSet/abc9dbf0-43c2-11e3-a6e8-50fa526be49c

Amazon CloudSearch

Syntax:

Copy
arn:aws:cloudsearch:region:account-id:domain/domainname

Example:

Copy
arn:aws:cloudsearch:us-east-1:123456789012:domain/imdb-movies

AWS CloudTrail

Syntax:

Copy
arn:aws:cloudtrail:region:account-id:trail/trailname

Example:

Copy
arn:aws:cloudtrail:us-east-1:123456789012:trail/mytrailname

Amazon CloudWatch Events

Syntax:

Copy
arn:aws:events:region:*:*

Examples:

Copy
arn:aws:events:us-east-1:*:* arn:aws:events:us-east-1:123456789012:* arn:aws:events:us-east-1:123456789012:rule/my-rule

Amazon CloudWatch Logs

Syntax:

Copy
arn:aws:logs:region:*:*

Examples:

Copy
arn:aws:logs:us-east-1:*:* arn:aws:logs:us-east-1:123456789012:* arn:aws:logs:us-east-1:123456789012:log-group:my-log-group arn:aws:logs:us-east-1:123456789012:log-group:my-log-group:* arn:aws:logs:us-east-1:123456789012:log-group:my-log-group* arn:aws:logs:us-east-1:123456789012:log-group:my-log-group:log-stream:my-log-stream arn:aws:logs:us-east-1:123456789012:log-group:my-log-group:log-stream:my-log-stream* arn:aws:logs:us-east-1:123456789012:log-group:my-log-group*:log-stream:my-log-stream*

AWS CodeBuild

Syntax:

Copy
arn:aws:codebuild:region:account-id:resourcetype/resource

Examples:

Copy
arn:aws:codebuild:us-east-1:123456789012:project/my-demo-project arn:aws:codebuild:us-east-1:123456789012:build/my-demo-project:7b7416ae-89b4-46cc-8236-61129df660ad

AWS CodeCommit

Syntax:

Copy
arn:aws:codecommit:region:account-id:resource-specifier

Example:

Copy
arn:aws:codecommit:us-east-1:123456789012:MyDemoRepo

AWS CodeDeploy

Syntax:

Copy
arn:aws:codedeploy:region:account-id:resource-type:resource-specifier arn:aws:codedeploy:region:account-id:resource-type/resource-specifier

Example:

Copy
arn:aws:codedeploy:us-east-1:123456789012:application:WordPress_App arn:aws:codedeploy:us-east-1:123456789012:instance/AssetTag*

Amazon Cognito Your User Pools

Syntax:

Copy
arn:aws:cognito-idp:region:account-id:userpool/user-pool-id

Example:

Copy
arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1:1a1a1a1a-ffff-1111-9999-12345678

Amazon Cognito Federated Identities

Syntax:

Copy
arn:aws:cognito-identity:region:account-id:identitypool/identity-pool-id

Example:

Copy
arn:aws:cognito-identity:us-east-1:123456789012:/identitypool/us-east-1:1a1a1a1a-ffff-1111-9999-12345678

Amazon Cognito Sync

Syntax:

Copy
arn:aws:cognito-sync:region:account-id:identitypool/identity-pool-id
Copy
arn:aws:cognito-sync:region:account-id:identitypool/identity-pool-id/identity/identity-id
Copy
arn:aws:cognito-sync:region:account-id:identitypool/identity-pool-id/identity/identity-id/dataset/dataset-name

Example:

Copy
arn:aws:cognito-sync:us-east-1:123456789012:identitypool/us-east-1:1a1a1a1a-ffff-1111-9999-12345678

AWS Config

Syntax:

Copy
arn:aws:config:region:account-id:config-rule/config-rule-name

Example:

Copy
arn:aws:config:us-east-1:123456789012:config-rule/MyConfigRule

AWS CodePipeline

Syntax:

Copy
arn:aws:codepipeline:region:account-id:resource-specifier

Example:

Copy
arn:aws:codepipeline:us-east-1:123456789012:MyDemoPipeline

AWS CodeStar

Syntax:

Copy
arn:aws:codestar:region:account-id:resource-specifier

Example:

Copy
arn:aws:codestar:us-east-1:123456789012:my-first-projec

AWS Direct Connect

Syntax:

Copy
arn:aws:directconnect:region:account-id:dxcon/connection-id arn:aws:directconnect:region:account-id:dxlag/lag-id arn:aws:directconnect:region:account-id:dxvif/virtual-interface-id

Examples:

Copy
arn:aws:directconnect:us-east-1:123456789012:dxcon/dxcon-fgase048 arn:aws:directconnect:us-east-1:123456789012:dxlag/dxlag-ffy7zraq arn:aws:directconnect:us-east-1:123456789012:dxvif/dxvif-fgrb110x

Amazon DynamoDB

Syntax:

Copy
arn:aws:dynamodb:region:account-id:table/tablename

Example:

Copy
arn:aws:dynamodb:us-east-1:123456789012:table/books_table

Amazon EC2 Container Registry (Amazon ECR)

Syntax:

Copy
arn:aws:ecr:region:account-id:repository/repository-name

Example:

Copy
arn:aws:ecr:us-east-1:123456789012:repository/my-repository

Amazon EC2 Container Service (Amazon ECS)

Syntax:

Copy
arn:aws:ecs:region:account-id:cluster/cluster-name arn:aws:ecs:region:account-id:container-instance/container-instance-id arn:aws:ecs:region:account-id:task-definition/task-definition-family-name:task-definition-revision-number arn:aws:ecs:region:account-id:service/service-name arn:aws:ecs:region:account-id:task/task-id arn:aws:ecs:region:account-id:container/container-id

Examples:

Copy
arn:aws:ecs:us-east-1:123456789012:cluster/my-cluster arn:aws:ecs:us-east-1:123456789012:container-instance/403125b0-555c-4473-86b5-65982db28a6d arn:aws:ecs:us-east-1:123456789012:task-definition/hello_world:8 arn:aws:ecs:us-east-1:123456789012:service/sample-webapp arn:aws:ecs:us-east-1:123456789012:task/1abf0f6d-a411-4033-b8eb-a4eed3ad252a arn:aws:ecs:us-east-1:123456789012:container/476e7c41-17f2-4c17-9d14-412566202c8a

Amazon Elastic Compute Cloud (Amazon EC2)

Syntax:

Copy
arn:aws:ec2:region:account-id:customer-gateway/cgw-id arn:aws:ec2:region:account_id:dedicated-host/host_id arn:aws:ec2:region:account-id:dhcp-options/dhcp-options-id arn:aws:ec2:region::image/image-id arn:aws:ec2:region:account-id:instance/instance-id arn:aws:iam::account:instance-profile/instance-profile-name arn:aws:ec2:region:account-id:internet-gateway/igw-id arn:aws:ec2:region:account-id:key-pair/key-pair-name arn:aws:ec2:region:account-id:network-acl/nacl-id arn:aws:ec2:region:account-id:network-interface/eni-id arn:aws:ec2:region:account-id:placement-group/placement-group-name arn:aws:ec2:region:account-id:route-table/route-table-id arn:aws:ec2:region:account-id:security-group/security-group-id arn:aws:ec2:region:account-id:snapshot/snapshot-id arn:aws:ec2:region:account-id:subnet/subnet-id arn:aws:ec2:region:account-id:volume/volume-id arn:aws:ec2:region:account-id:vpc/vpc-id arn:aws:ec2:region:account-id:vpc-peering-connection/vpc-peering-connection-id arn:aws:ec2:region:account-id:vpn-connection/vpn-id arn:aws:ec2:region:account-id:vpn-gateway/vgw-id

Examples:

Copy
arn:aws:ec2:us-east-1:123456789012:dedicated-host/h-12345678 arn:aws:ec2:us-east-1::image/ami-1a2b3c4d arn:aws:ec2:us-east-1:123456789012:instance/* arn:aws:ec2:us-east-1:123456789012:volume/* arn:aws:ec2:us-east-1:123456789012:volume/vol-1a2b3c4d

AWS Elastic Beanstalk

Syntax:

Copy
arn:aws:elasticbeanstalk:region:account-id:application/applicationname arn:aws:elasticbeanstalk:region:account-id:applicationversion/applicationname/versionlabel arn:aws:elasticbeanstalk:region:account-id:environment/applicationname/environmentname arn:aws:elasticbeanstalk:region::solutionstack/solutionstackname arn:aws:elasticbeanstalk:region:account-id:configurationtemplate/applicationname/templatename

Examples:

Copy
arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment arn:aws:elasticbeanstalk:us-east-1::solutionstack/32bit Amazon Linux running Tomcat 7 arn:aws:elasticbeanstalk:us-east-1:123456789012:configurationtemplate/My App/My Template

Amazon Elastic File System

Syntax:

Copy
arn:aws:elasticfilesystem:region:account-id:file-system/file-system-id

Example:

Copy
arn:aws:elasticfilesystem:us-east-1:123456789012:file-system-id/fs12345678

Elastic Load Balancing (Application Load Balancer)

Syntax:

Copy
arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id arn:aws:elasticloadbalancing:region:account-id:listener/app/load-balancer-name/load-balancer-id/listener-id arn:aws:elasticloadbalancing:region:account-id:listener-rule/app/load-balancer-name/load-balancer-id/listener-id/rule-id arn:aws:elasticloadbalancing:region:account-id:targetgroup/target-group-name/target-group-id

Examples:

Copy
arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2 arn:aws:elasticloadbalancing:us-east-1:123456789012:listener-rule/app/my-load-balancer/50dc6c495c0c9188/f2f7dc8efc522ab2/9683b2d02a6cabee arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-targets/73e2d6bc24d8a067

Elastic Load Balancing (Classic Load Balancer)

Syntax:

Copy
arn:aws:elasticloadbalancing:region:account-id:loadbalancer/name

Example:

Copy
arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/my-load-balancer

Amazon Elastic Transcoder

Syntax:

Copy
arn:aws:elastictranscoder:region:account-id:resource/id

Example:

Copy
arn:aws:elastictranscoder:us-east-1:123456789012:preset/*

Amazon ElastiCache

Syntax:

Copy
arn:aws:elasticache:region:account-id:resourcetype:resourcename

Examples:

Copy
arn:aws:elasticache:us-west-2:123456789012:cluster:myCluster arn:aws:elasticache:us-west-2:123456789012:snapshot:mySnapshot

Amazon Elasticsearch Service

Syntax:

Copy
arn:aws:es:region:account-id:domain/domain-name

Example:

Copy
arn:aws:es:us-east-1:123456789012:domain/streaming-logs

Amazon Glacier

Syntax:

Copy
arn:aws:glacier:region:account-id:vaults/vaultname

Examples:

Copy
arn:aws:glacier:us-east-1:123456789012:vaults/examplevault arn:aws:glacier:us-east-1:123456789012:vaults/example* arn:aws:glacier:us-east-1:123456789012:vaults/*

AWS Health / Personal Health Dashboard

Syntax:

Copy
arn:aws:health:region::event/event-id arn:aws:health:region:account-id:entity/entity-id

Examples:

Copy
arn:aws:health:us-east-1::event/AWS_EC2_EXAMPLE_ID arn:aws:health:us-east-1:123456789012:entity/AVh5GGT7ul1arKr1sE1K

AWS Identity and Access Management (IAM)

Syntax:

Copy
arn:aws:iam::account-id:root arn:aws:iam::account-id:user/user-name arn:aws:iam::account-id:group/group-name arn:aws:iam::account-id:role/role-name arn:aws:iam::account-id:policy/policy-name arn:aws:iam::account-id:instance-profile/instance-profile-name arn:aws:sts::account-id:federated-user/user-name arn:aws:sts::account-id:assumed-role/role-name/role-session-name arn:aws:iam::account-id:mfa/virtual-device-name arn:aws:iam::account-id:server-certificate/certificate-name arn:aws:iam::account-id:saml-provider/provider-name arn:aws:iam::account-id:oidc-provider/provider-name

Examples:

Copy
arn:aws:iam::123456789012:root arn:aws:iam::123456789012:user/Bob arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob arn:aws:iam::123456789012:group/Developers arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers arn:aws:iam::123456789012:role/S3Access arn:aws:iam::123456789012:role/application_abc/component_xyz/S3Access arn:aws:iam::123456789012:policy/UsersManageOwnCredentials arn:aws:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials arn:aws:iam::123456789012:instance-profile/Webserver arn:aws:sts::123456789012:federated-user/Bob arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary arn:aws:iam::123456789012:mfa/BobJonesMFA arn:aws:iam::123456789012:server-certificate/ProdServerCert arn:aws:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert arn:aws:iam::123456789012:saml-provider/ADFSProvider arn:aws:iam::123456789012:oidc-provider/GoogleProvider

For more information about IAM ARNs, see IAM ARNs in IAM User Guide.

AWS IoT

Syntax:

Copy
arn:aws:iot:your-region:account-id:cert/cert-ID arn:aws:iot:your-region:account-id:policy/policy-name arn:aws:iot:your-region:account-id:rule/rule-name arn:aws:iot:your-region:account-id:client/client-id/rule-name

Examples:

Copy
arn:aws:iot:your-region:123456789012:cert/123a456b789c123d456e789f123a456b789c123d456e789f123a456b789c123c456d7 arn:aws:iot:123456789012:policy/MyIoTPolicy arn:aws:iot:your-region:123456789012:rule/MyIoTRule arn:aws:iot:your-region:123456789012:client/client101

AWS Key Management Service (AWS KMS)

Syntax:

Copy
arn:aws:kms:region:account-id:key/key-id arn:aws:kms:region:account-id:alias/alias

Examples:

Copy
arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012 arn:aws:kms:us-east-1:123456789012:alias/example-alias

Amazon Kinesis Firehose (Kinesis Firehose)

Syntax:

Copy
arn:aws:firehose:region:account-id:deliverystream/delivery-stream-name

Example:

Copy
arn:aws:firehose:us-east-1:123456789012:deliverystream/example-stream-name

Amazon Kinesis Streams (Kinesis Streams)

Syntax:

Copy
arn:aws:kinesis:region:account-id:stream/stream-name

Example:

Copy
arn:aws:kinesis:us-east-1:123456789012:stream/example-stream-name

AWS Lambda (Lambda)

Syntax:

Copy
arn:aws:lambda:region:account-id:function:function-name arn:aws:lambda:region:account-id:function:function-name:alias-name arn:aws:lambda:region:account-id:function:function-name:version arn:aws:lambda:region:account-id:event-source-mappings:event-source-mapping-id

Examples:

Copy
arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords:your alias arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords:1.0 arn:aws:lambda:us-east-1:123456789012:event-source-mappings:kinesis-stream-arn

Amazon Machine Learning (Amazon ML)

Syntax:

Copy
arn:aws:machinelearning:region:account-id:datasource/datasourceID arn:aws:machinelearning:region:account-id:mlmodel/mlmodelID arn:aws:machinelearning:region:account-id:batchprediction/batchpredictionlID arn:aws:machinelearning:region:account-id:evaluation/evaluationID

Examples:

Copy
arn:aws:machinelearning:us-east-1:123456789012:datasource/my-datasource-1 arn:aws:machinelearning:us-east-1:123456789012:mlmodel/my-mlmodel arn:aws:machinelearning:us-east-1:123456789012:batchprediction/my-batchprediction arn:aws:machinelearning:us-east-1:123456789012:evaluation/my-evaluation

AWS Organizations

Syntax:

Copy
arn:aws:organizations:region:master-account-id:organization/o-organization-id arn:aws:organizations:region:master-account-id:root/o-organization-id/r-root-id arn:aws:organizations:region:master-account-id:account/o-organization-id/account-id arn:aws:organizations:region:master-account-id:ou/o-organization-id/r-root-id/ou-organizational-unit-id arn:aws:organizations:region:master-account-id:policy/o-organization-id/policy-type/p-policy-id arn:aws:organizations:region:master-account-id:handshake/o-organization-id/handshake-type/h-handshake-id

Example:

Copy
arn:aws:organizations:us-east-1:123456789012:organization/o-a1b2c3d4e5example arn:aws:organizations:us-east-1:123456789012:root/o-a1b2c3d4e5/r-f6g7h8i9j0example arn:aws:organizations:us-east-1:123456789012:account/o-a1b2c3d4e5/123456789012 arn:aws:organizations:us-east-1:123456789012:ou/o-a1b2c3d4e5/ou-1a2b3c-k9l8m7n6o5example arn:aws:organizations:us-east-1:123456789012:policy/o-a1b2c3d4e5/service_control_policy/p-p4q3r2s1t0example arn:aws:organizations:us-east-1:123456789012:handshake/o-a1b2c3d4e5/h-u2v4w5x8y0example

AWS Mobile Hub

Syntax:

Copy
arn:aws:mobilehub:region:account-id:project/projectID

Examples:

Copy
arn:aws:mobilehub:us-east-1:123456789012:project/a01234567-b012345678-123c-d013456789abc

Amazon Polly

Syntax:

Copy
arn:aws:polly:region:account-id:lexicon/LexiconName

Example:

Copy
arn:aws:polly:us-east-1:123456789012:lexicon/myLexicon

Amazon Redshift

Syntax:

Copy
arn:aws:redshift:region:account-id:cluster:clustername arn:aws:redshift:region:account-id:dbuser:clustername/dbusername arn:aws:redshift:region:account-id:parametergroup:parametergroupname arn:aws:redshift:region:account-id:securitygroup:securitygroupname arn:aws:redshift:region:account-id:snapshot:clustername/snapshotname arn:aws:redshift:region:account-id:subnetgroup:subnetgroupname

Examples:

Copy
arn:aws:redshift:us-east-1:123456789012:cluster:my-cluster arn:aws:redshift:us-east-1:123456789012:my-cluster/my-dbuser-name arn:aws:redshift:us-east-1:123456789012:parametergroup:my-parameter-group arn:aws:redshift:us-east-1:123456789012:securitygroup:my-public-group arn:aws:redshift:us-east-1:123456789012:snapshot:my-cluster/my-snapshot20130807 arn:aws:redshift:us-east-1:123456789012:subnetgroup:my-subnet-10

Amazon Relational Database Service (Amazon RDS)

ARNs are used in Amazon RDS only with tags for DB instances. For more information, see Tagging a DB Instance in the Amazon Relational Database Service User Guide.

Syntax:

Copy
arn:aws:rds:region:account-id:db:db-instance-name arn:aws:rds:region:account-id:snapshot:snapshot-name arn:aws:rds:region:account-id:cluster:db-cluster-name arn:aws:rds:region:account-id:cluster-snapshot:cluster-snapshot-name arn:aws:rds:region:account-id:og:option-group-name arn:aws:rds:region:account-id:pg:parameter-group-name arn:aws:rds:region:account-id:cluster-pg:cluster-parameter-group-name arn:aws:rds:region:account-id:secgrp:security-group-name arn:aws:rds:region:account-id:subgrp:subnet-group-name arn:aws:rds:region:account-id:es:subscription-name

Examples:

Copy
arn:aws:rds:us-east-1:123456789012:db:mysql-db-instance1 arn:aws:rds:us-east-1:123456789012:snapshot:my-snapshot2 arn:aws:rds:us-east-1:123456789012:cluster:my-cluster1 arn:aws:rds:us-east-1:123456789012:cluster-snapshot:cluster1-snapshot7 arn:aws:rds:us-east-1:123456789012:og:mysql-option-group1 arn:aws:rds:us-east-1:123456789012:pg:mysql-repl-pg1 arn:aws:rds:us-east-1:123456789012:cluster-pg:aurora-pg3 arn:aws:rds:us-east-1:123456789012:secgrp:dev-secgrp2 arn:aws:rds:us-east-1:123456789012:subgrp:prod-subgrp1 arn:aws:rds:us-east-1:123456789012:es:monitor-events2

Amazon Route 53

Syntax:

Copy
arn:aws:route53:::hostedzone/zoneid arn:aws:route53:::change/changeid

Note that Amazon Route 53 does not require an account number or region in ARNs.

Examples:

Copy
arn:aws:route53:::hostedzone/Z148QEXAMPLE8V arn:aws:route53:::change/C2RDJ5EXAMPLE2 arn:aws:route53:::change/*

Amazon EC2 Systems Manager (SSM)

Syntax:

Copy
arn:aws:ssm:region:account-id:document/document_name arn:aws:ssm:region:account-id:parameter/parameter_name arn:aws:ssm:region:account-id:patchbaseline/baseline_id arn:aws:ssm:region:account-id:maintenancewindow/window_id arn:aws:ssm:region:account-id:automation-execution/execution_id arn:aws:ssm:region:account-id:automation-Activity/activity_name arn:aws:ssm:region:account-id:automation-definition/definitionName:version arn:aws:ssm:region:account-id:managed-instance/instance_id arn:aws:ssm:region:account-id:managed-instance-inventory/instance_id

Examples:

Copy
arn:aws:ssm:us-east-1:123456789012:document/highAvailabilityServerSetup arn:aws:ssm:us-east-1:123456789012:parameter/myParameterName arn:aws:ssm:us-east-1:123456789012:patchbaseline/pb-12345678901234567 arn:aws:ssm:us-east-1:123456789012:maintenancewindow/mw-12345678901234567 arn:aws:ssm:us-east-1:123456789012:automation-execution/123456-6789-1a2b3-c4d5-e1a2b3c4d arn:aws:ssm:us-east-1:123456789012:automation-activity/myActivityName arn:aws:ssm:us-east-1:123456789012:automation-definition/myDefinitionName:1 arn:aws:ssm:us-east-1:123456789012:managed-instance/mi-12345678901234567 arn:aws:ssm:us-east-1:123456789012:managed-instance-inventory/i-12345661

Amazon Simple Notification Service (Amazon SNS)

Syntax:

Copy
arn:aws:sns:region:account-id:topicname arn:aws:sns:region:account-id:topicname:subscriptionid

Examples:

Copy
arn:aws:sns:*:123456789012:my_corporate_topic arn:aws:sns:us-east-1:123456789012:my_corporate_topic:02034b43-fefa-4e07-a5eb-3be56f8c54ce

Amazon Simple Queue Service (Amazon SQS)

Syntax:

Copy
arn:aws:sqs:region:account-id:queuename

Example:

Copy
arn:aws:sqs:us-east-1:123456789012:queue1

Amazon Simple Storage Service (Amazon S3)

Syntax:

Copy
arn:aws:s3:::bucket_name arn:aws:s3:::bucket_name/key_name

Note

Amazon S3 does not require an account number or region in ARNs. If you specify an ARN for a policy, you can also use a wildcard "*" character in the relative-ID part of the ARN.

Examples:

Copy
arn:aws:s3:::my_corporate_bucket arn:aws:s3:::my_corporate_bucket/exampleobject.png arn:aws:s3:::my_corporate_bucket/* arn:aws:s3:::my_corporate_bucket/Development/*

For more information, see Specifying Resources in a Policy in the Amazon Simple Storage Service Developer Guide.

Amazon Simple Workflow Service (Amazon SWF)

Syntax:

Copy
arn:aws:swf:region:account-id:/domain/domain_name

Examples:

Copy
arn:aws:swf:us-east-1:123456789012:/domain/department1 arn:aws:swf:*:123456789012:/domain/*

AWS Step Functions

Syntax:

Copy
arn:aws:states:region:account-id:activity:activityName arn:aws:states:region:account-id:stateMachine:stateMachineName arn:aws:states:region:account-id:execution:stateMachineName:executionName

Examples:

Copy
arn:aws:states:us-east-1:123456789012:activity:HelloActivity arn:aws:states:us-east-1:123456789012:stateMachine:HelloStateMachine arn:aws:states:us-east-1:123456789012:execution:HelloStateMachine:HelloStateMachineExecution

AWS Storage Gateway

Syntax:

Copy
arn:aws:storagegateway:region:account-id:gateway/gateway-id arn:aws:storagegateway:region:account-id:share/share-id arn:aws:storagegateway:region:account-id:gateway/gateway-id/volume/volume-id arn:aws:storagegateway:region:account-id:tape/tapebarcode arn:aws:storagegateway:region:account-id:gateway/gateway-id/target/iSCSItarget arn:aws:storagegateway:region:account-id:gateway/gateway-id/device/vtldevice

Examples:

Copy
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B arn:aws:storagegateway:us-east-1:123456789012:share/share-17A34572 arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/volume/vol-1122AABB arn:aws:storagegateway:us-east-1:123456789012:tape/AMZNC8A26D arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/target/iqn.1997-05.com.amazon:vol-1122AABB arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/device/AMZN_SGW-FF22CCDD_TAPEDRIVE_00010

Note

For each AWS Storage Gateway resource, you can specify a wild card (*).

AWS Trusted Advisor

Syntax:

Copy
arn:aws:trustedadvisor:*:account-id:checks/categorycode/checkid

Example:

Copy
arn:aws:trustedadvisor:*:123456789012:checks/fault_tolerance/BueAdJ7NrP

AWS WAF

Syntax, WAF Global (Used for CloudFront):

Copy
arn:aws:waf::account-id:resource-type/resource-id

Syntax, WAF Regional (Used for Application Load Balancers):

Copy
arn:aws:waf-regional::account-id:resource-type/resource-id

Examples:

Copy
arn:aws:waf::123456789012:rule/41b5b052-1e4a-426b-8149-3595be6342c2 arn:aws:waf-regional:us-east-1:123456789012:rule/41b5b052-1e4a-426b-8149-3595be6342c2 arn:aws:waf::123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3 arn:aws:waf-regional:us-east-1:123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3 arn:aws:waf::123456789012:ipset/3f74bd8c-f046-4970-a1a7-41aa52e05480 arn:aws:waf-regional:us-east-1:123456789012:ipset/3f74bd8c-f046-4970-a1a7-41aa52e05480 arn:aws:waf::123456789012:bytematchset/d131bc0b-57be-4536-af1d-4894fd28acc4 arn:aws:waf-regional:us-east-1:123456789012:bytematchset/d131bc0b-57be-4536-af1d-4894fd28acc4

Paths in ARNs

Some services let you specify a path for the resource name. For example, in Amazon S3, the resource identifier is an object name that can include slashes (/) to form a path. Similarly, IAM user names and group names can include paths.

In some circumstances, paths can include a wildcard character, namely an asterisk (*). For example, if you are writing an IAM policy and in the Resource element you want to specify all IAM users that have the path product_1234, you can use a wildcard like this:

Copy
arn:aws:iam::123456789012:user/Development/product_1234/*

Similarly, in the Resource element of an IAM policy, at the end of the ARN you can specify user/* to mean all users or group/* to mean all groups, as in the following examples:

Copy
"Resource":"arn:aws:iam::123456789012:user/*" "Resource":"arn:aws:iam::123456789012:group/*"

You cannot use a wildcard to specify all users in the Principal element in a resource-based policy or a role trust policy. Groups are not supported as principals in any policy.

The following example shows ARNs for an Amazon S3 bucket in which the resource name includes a path:

Copy
arn:aws:s3:::my_corporate_bucket/* arn:aws:s3:::my_corporate_bucket/Development/*

You cannot use a wildcard in the portion of the ARN that specifies the resource type, such as the term user in an IAM ARN.

The following is not allowed:

arn:aws:iam::123456789012:u*

AWS Service Namespaces

When you create AWS IAM policies or work with Amazon Resource Names (ARNs), you identify an AWS service using a namespace. For example, the namespace for Amazon S3 is s3, and the namespace for Amazon EC2 is ec2. You use namespaces when identifying actions and resources.

The following example shows an IAM policy where the value of the Action elements and the values in the Resource and Condition elements use namespaces to identify the services for the actions and resources.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": [ "arn:aws:ec2:us-west-2:123456789012:customer-gateway/*", "arn:aws:ec2:us-west-2:123456789012:dhcp-options/*", "arn:aws:ec2:us-west-2::image/*", "arn:aws:ec2:us-west-2:123456789012:instance/*", "arn:aws:iam::123456789012:instance-profile/*", "arn:aws:ec2:us-west-2:123456789012:internet-gateway/*", "arn:aws:ec2:us-west-2:123456789012:key-pair/*", "arn:aws:ec2:us-west-2:123456789012:network-acl/*", "arn:aws:ec2:us-west-2:123456789012:network-interface/*", "arn:aws:ec2:us-west-2:123456789012:placement-group/*", "arn:aws:ec2:us-west-2:123456789012:route-table/*", "arn:aws:ec2:us-west-2:123456789012:security-group/*", "arn:aws:ec2:us-west-2::snapshot/*", "arn:aws:ec2:us-west-2:123456789012:subnet/*", "arn:aws:ec2:us-west-2:123456789012:volume/*", "arn:aws:ec2:us-west-2:123456789012:vpc/*", "arn:aws:ec2:us-west-2:123456789012:vpc-peering-connection/*" ] }, { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example_bucket/marketing/*" }, { "Effect": "Allow", "Action": "s3:ListBucket*", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"StringLike": {"s3:prefix": "marketing/*"}} } ] }

The following table contains the namespace for each AWS service.

Service Namespace
API Gateway apigateway
Amazon AppStream appstream
AWS Artifact artifact
Auto Scaling autoscaling
AWS Billing and Cost Management aws-portal
AWS Certificate Manager (ACM) acm
AWS CloudFormation cloudformation
Amazon CloudFront cloudfront
AWS CloudHSM cloudhsm
Amazon CloudSearch cloudsearch
AWS CloudTrail cloudtrail
Amazon CloudWatch cloudwatch
Amazon CloudWatch Events events
Amazon CloudWatch Logs logs
AWS CodeBuild codebuild
AWS CodeCommit codecommit
AWS CodeDeploy codedeploy
AWS CodePipeline codepipeline
AWS CodeStar codestar
Amazon Cognito Your User Pools cognito-idp
Amazon Cognito Federated Identities cognito-identity
Amazon Cognito Sync cognito-sync
AWS Config config
AWS Data Pipeline datapipeline
AWS Database Migration Service (AWS DMS) dms
AWS Device Farm devicefarm
AWS Direct Connect directconnect
AWS Directory Service ds
Amazon DynamoDB dynamodb
Amazon Elastic Compute Cloud (Amazon EC2) ec2
Amazon EC2 Container Registry (Amazon ECR) ecr
Amazon EC2 Container Service (Amazon ECS) ecs
Amazon EC2 Systems Manager (SSM) ssm
AWS Elastic Beanstalk elasticbeanstalk
Amazon Elastic File System (Amazon EFS) elasticfilesystem
Elastic Load Balancing elasticloadbalancing
Amazon EMR elasticmapreduce
Amazon Elastic Transcoder elastictranscoder
Amazon ElastiCache elasticache
Amazon Elasticsearch Service (Amazon ES) es
Amazon GameLift gamelift
Amazon Glacier glacier
AWS Health / Personal Health Dashboard health
AWS Identity and Access Management (IAM) iam
AWS Import/Export importexport
Amazon Inspector inspector
AWS IoT iot
AWS Key Management Service (AWS KMS) kms
Amazon Kinesis Analytics kinesisanalytics
Amazon Kinesis Firehose firehose
Amazon Kinesis Streams kinesis
AWS Lambda lambda
Amazon Lightsail lightsail
Amazon Machine Learning machinelearning
AWS Marketplace aws-marketplace
AWS Marketplace Management Portal aws-marketplace-management
Amazon Mobile Analytics mobileanalytics
AWS Mobile Hub mobilehub
AWS OpsWorks opsworks
AWS OpsWorks for Chef Automate opsworks-cm
AWS Organizations organizations
Amazon Polly polly
Amazon Redshift redshift
Amazon Relational Database Service (Amazon RDS) rds
Amazon Route 53 route53
Amazon Route 53 Domains route53domains
AWS Security Token Service (AWS STS) sts
AWS Service Catalog servicecatalog
Amazon Simple Email Service (Amazon SES) ses
Amazon Simple Notification Service (Amazon SNS) sns
Amazon Simple Queue Service (Amazon SQS) sqs
Amazon Simple Storage Service (Amazon S3) s3
Amazon Simple Workflow Service (Amazon SWF) swf
Amazon SimpleDB sdb
AWS Step Functions states
AWS Storage Gateway storagegateway
AWS Support support
AWS Trusted Advisor trustedadvisor
Amazon Virtual Private Cloud (Amazon VPC) ec2
AWS WAF waf
Amazon WorkDocs workdocs
Amazon WorkMail workmail
Amazon WorkSpaces workspaces