An Amazon Resource Name (ARN) is a unique identifier for an Amazon Web Services (AWS) instance, service, or resource. You can use ARNs to identify your AWS resources in the AWS Management Console, the AWS Command Line Interface (CLI), and other tools. For example, you might create an ARN for an Amazon S3 bucket that you created in the AWS Management Console. You can use the ARN to identify the bucket in the CLI and other tools. You can also use ARNs to identify your AWS resources when you create requests to the AWS API. For example, you can use ARNs to create requests to list all of your buckets or objects in a specific region. ..
What Makes an ARN?
ARNs have a predefined format, so even if the console doesn’t list the ARN for a specific resource, you can probably construct it manually. The general format for them is
partition: AWS is split into three physically separated regions: Public (aws), GovCloud (aws-us-gov), and China (aws-cn). You’re almost certainly using the public partition, so this value will always be “aws. ” service: The name of the service the resource belongs to (s3, ec2, etc. ) region: The region the resource is located in (us-east-1, us-west-2, etc. ). Note, this is not the availability zone, and for certain resources can be left blank account-id: Your personal account ID resource: Varies by service. For services like S3, this can simply by the ID of the object (for example, the name of the S3 bucket). For other services, this can be split by resource type and ID (for example, instance/i-12345678).
Each service can have a different format for the last part. Luckily, AWS documents this extensively, and you can find the exact format for the resource you’re looking for in their docs. Usually, this is the name of the type of resource (instance, security-group, snapshot), followed by the general ID of the resource, which is usually visible in the description for that resource.
How to Find Your ARN
For some services, the ARN is readily available from the resource’s info page. Look for something that starts with arn:aws:. For S3, the ARN is easily available and copyable from the info sidebar:
For other services (EC2 in particular), the ARN isn’t displayed at all. For an EC2 instance, the format is:
If you’re working from the command line, the ARN must be constructed manually in this fashion. You can consult the docs for the exact format.
If you have access to the console though, wizard can help you out. In the IAM Management Console, go to the “Policies” tab, and click “Create Policy.” Select the AWS service the resource belongs to, then select “All Actions” under the actions tab:
Under the resources tab, you’ll see a list of all possible resources with ARNs. For example, if you wanted to construct the ARN of a particular network interface, select “Add ARN” under network-interface:
Now you must select the region and general ID of the resource, which is usually much more readily available. In this case, the network interface ID is viewable under the “Network Interfaces” tab in the EC2 console.
Enter in the info, and the ARN should be constructed for you. You can exit out of the wizard once you’re done, as you don’t actually want to save the policy.