AWS uses Amazon Resource Names (ARNs) for many things, including the IAM permissions system, where they are used to whitelist access to specific AWS resources rather than giving service-wide access. In general, they're a unique identifier for any resource in your account.

What Makes an ARN?

ARNs have a predefined format, so even if the console doesn't list the ARN for a specific resource, you can probably construct it manually. The general format for them is

arn:partition:service:region:account-id:resource-id

arn:partition:service:region:account-id:resource-type/resource-id

arn:partition:service:region:account-id:resource-type:resource-id

  • partition: AWS is split into three isolated partitions: Public (aws), GovCloud (aws-us-gov), and China (aws-cn). You're almost certainly using the public partition, so this value will always be "aws".
  • service: The name of the service the resource belongs to (s3, ec2, etc.).
  • region: The region the resource is located in (us-east-1, us-west-2, etc.). Note that this is not the availability zone, and for certain resources it can be left blank.
  • account-id: Your personal account ID.
  • resource: Varies by service. For services like S3, this can simply be the ID of the object (for example, the name of the S3 bucket). For other services, this can be split into a resource type and an ID (for example, instance/i-12345678).

Each service can have a different format for the last part. Luckily, AWS documents this extensively, and you can find the exact format for the resource you're looking for in their docs. Usually, this is the name of the type of resource (instance, security-group, snapshot), followed by the general ID of the resource, which is usually visible in the description for that resource.

How to Find Your ARN

For some services, the ARN is readily available from the resource's info page. Look for something that starts with arn:aws:. For S3, the ARN is easily available and copyable from the info sidebar:

The ARN is available and copyable from the info sidebar for S3.

For other services (EC2 in particular), the ARN isn't displayed at all. For an EC2 instance, the format is:

arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}

If you're working from the command line, the ARN must be constructed manually in this fashion. You can consult the docs for the exact format.
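As an added example (not code from the original article), the following Python parses ARNs in the three general formats listed above and builds an EC2 instance ARN by hand from the template just shown. The partition list and the S3 special case come from the article; treating S3 as the only service whose resource field is never split on "/" is an assumption made here for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# The three partitions named in the article; anything else is rejected.
PARTITIONS = {"aws", "aws-us-gov", "aws-cn"}
# Assumed here: services whose resource field is a plain ID with no type prefix.
# S3 bucket and object ARNs keep "/" inside the ID, so the field must not be split.
UNTYPED_SERVICES = {"s3"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str        # may be "" for global services such as IAM or S3
    account_id: str    # may be "" for S3
    resource_type: Optional[str]
    resource_id: str
    separator: str     # "/" or ":" between type and ID, "" when untyped

    def __str__(self) -> str:
        prefix = self.resource_type + self.separator if self.resource_type else ""
        return f"arn:{self.partition}:{self.service}:{self.region}:{self.account_id}:{prefix}{self.resource_id}"


def parse_arn(text: str) -> Arn:
    """Split an ARN into its six colon-separated fields, then split the resource
    field on the first "/" or ":" unless the service is untyped."""
    parts = text.split(":", 5)  # the resource field itself may contain ":"
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account_id, resource = parts
    if partition not in PARTITIONS:
        raise ValueError(f"unknown partition {partition!r}")
    if not service or not resource:
        raise ValueError("service and resource fields must not be empty")
    resource_type, separator, resource_id = None, "", resource
    if service not in UNTYPED_SERVICES:
        # Whichever separator appears first wins: "/" for instance/i-..., ":" for function:name
        cut = min((i for i in (resource.find("/"), resource.find(":")) if i >= 0), default=-1)
        if cut > 0:
            resource_type, separator, resource_id = resource[:cut], resource[cut], resource[cut + 1:]
    return Arn(partition, service, region, account_id, resource_type, resource_id, separator)


def ec2_instance_arn(region: str, account_id: str, instance_id: str, partition: str = "aws") -> str:
    """Build arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId} by hand."""
    return str(Arn(partition, "ec2", region, account_id, "instance", instance_id, "/"))
```

The account ID and instance ID in the tests below are constructed sample values, not real resources.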

If you have access to the console, though, the policy wizard can help you out. In the IAM Management Console, go to the "Policies" tab, and click "Create Policy." Select the AWS service the resource belongs to, then select "All Actions" under the Actions tab:

Select the AWS service the resource belongs to, then select "All EC2 actions" under the Actions tab.

Under the resources tab, you'll see a list of all possible resources with ARNs. For example, if you wanted to construct the ARN of a particular network interface, select "Add ARN" under network-interface:

 Select "Add ARN" under network-interface to construct the ARN.

Now you must select the region and general ID of the resource, which is usually much more readily available. In this case, the network interface ID is viewable under the "Network Interfaces" tab in the EC2 console.

Select the region and general ID, which is viewable under the "Network Interfaces" tab in the EC2 console.

Enter the info, and the ARN will be constructed for you. You can exit the wizard once you're done, as you don't actually want to save the policy.