AWS uses Amazon Resource Names (ARNs) for many things, including the IAM permissions system, where they are used to whitelist access to specific AWS resources rather than giving service-wide access. In general, they’re a unique account-wide identifier for any service.
What Makes an ARN?
ARNs have a predefined format, so even if the console doesn’t list the ARN for a specific resource, you can probably construct it manually. The general format for them is
arn:partition:service:region:account-id:resource-id arn:partition:service:region:account-id:resource-type/resource-id arn:partition:service:region:account-id:resource-type:resource-id
partition: AWS is split into three physically separated regions: Public (
aws), GovCloud (
aws-us-gov), and China (
aws-cn). You’re almost certainly using the public partition, so this value will always be “
service: The name of the service the resource belongs to (
region: The region the resource is located in (
us-west-2, etc.). Note, this is not the availability zone, and for certain resources can be left blank
account-id: Your personal account ID
resource: Varies by service. For services like S3, this can simply by the ID of the object (for example, the name of the S3 bucket). For other services, this can be split by resource type and ID (for example,
Each service can have a different format for the last part. Luckily, AWS documents this extensively, and you can find the exact format for the resource you’re looking for in their docs. Usually, this is the name of the type of resource (
snapshot), followed by the general ID of the resource, which is usually visible in the description for that resource.
How to Find Your ARN
For some services, the ARN is readily available from the resource’s info page. Look for something that starts with
arn:aws:. For S3, the ARN is easily available and copyable from the info sidebar:
For other services (EC2 in particular), the ARN isn’t displayed at all. For an EC2 instance, the format is:
If you’re working from the command line, the ARN must be constructed manually in this fashion. You can consult the docs for the exact format.
If you have access to the console though, wizard can help you out. In the IAM Management Console, go to the “Policies” tab, and click “Create Policy.” Select the AWS service the resource belongs to, then select “All Actions” under the actions tab:
Under the resources tab, you’ll see a list of all possible resources with ARNs. For example, if you wanted to construct the ARN of a particular network interface, select “Add ARN” under
Now you must select the region and general ID of the resource, which is usually much more readily available. In this case, the network interface ID is viewable under the “Network Interfaces” tab in the EC2 console.
Enter in the info, and the ARN should be constructed for you. You can exit out of the wizard once you’re done, as you don’t actually want to save the policy.
- › 10 Hidden Android 13 Features You Might Have Missed
- › 7 Features Android Should Steal From iPhone
- › 10 Awesome iPad Features You Should Be Using
- › Lenovo ThinkPad Z13 Gen 1 Review: A Vegan Leather Laptop That Means Business
- › Keychron Q8 Mechanical Keyboard Review: An Advanced Keyboard for All Uses
- › Shift+Enter Is a Secret Shortcut Everyone Should Know