An ARN looks like the following for an ec2 instance.<\/p>
arn:aws:ec2:us-east-1:4575734578134:instance\/i-054dsfg34gdsfg38<\/code><\/pre>Why are ARN Important?<\/h2>
ARN play a crucial role in IAM policies. You will end up using ARN if you follow the standard security best practices for IAM<\/a> roles and policies.<\/p>ARN have the following key use cases.<\/p>
- They are used in IAM policies for granting restricted granular access to resources. One example is to allow a specific IAM user to access only specific ec2 instances.<\/li>
- It can be used in Infrastructure as Code<\/a> scripts and API calls to refer to other resources. You can see a practical example in the Terraform IAM role creation<\/a> blog.<\/li><\/ol>
If you did not understand the above points, don’t worry, we will look at those with practical examples in the following topics.<\/p>
AWS ARN format<\/h2>
In most cases, you can build the ARN URL yourself following the below format.<\/p>
arn:aws:service:region:account-id:resource-id\narn:aws:service:region:account-id:resource-type\/resource-id\narn:aws:service:region:account-id:resource-type:resource-id<\/code><\/pre>In the above formats, towards the end, you can see the difference in the formats which changes as per the resource types.<\/p>
Here are the arn examples for all three formats.<\/p>
S3 ARN Example:<\/strong> S3 has a flat hierarchy of buckets and associated objects. Here is what an S3 ARN would look like<\/p>arn:aws:s3:::devopscube-bucket<\/code><\/pre>EC2 ARN Example: <\/strong>ec2 service has sub resource-types like image, security groups<\/code> etc. The following example uses the instance resource-type<\/code>.<\/p>arn:aws:ec2:us-east-1:4575734578134:instance\/i-054dsfg34gdsfg38<\/code><\/pre>Lambda ARN Example:<\/strong> Lambda functions can have multiple versions. Here the version is the qualifier. To have arn of the specific Lambda version, you need to mention the version number at the last as shown below<\/p>arn:aws:lambda:us-east-1:4575734578134:function:api-fucntion:1<\/code><\/pre>Components of an ARN<\/h2>
ARN structure consists of several components and the arn structures used in AWS are given below<\/p>
arn:partition:service:region:account-id:resource-id\narn:partition:service:region:account-id:resource-type\/resource-id\narn:partition:service:region:account-id:resource-type:resource-id<\/code><\/pre>The components are listed below in detail<\/p>\n\n
\n- ARN<\/strong> – Every arn begins with this prefix.<\/li>\n\n\n
- Partition<\/strong> – This specifies the region in which the AWS account is in, AWS<\/strong> is the partion for most resources.
There are also other particion, aws-us-gov<\/strong> for US government resources and aws-cn<\/strong> for resources in China.<\/li>\n\n\n- Service<\/strong> – The service specifies the AWS service to which the resource is belong to. For example it will be arn:aws:ec2:<\/strong> for EC2 and arn:aws:s3: for S3<\/strong>.<\/li>\n\n\n
- Region<\/strong> – This component specifies the region in which the resource is located.
It is only available for regional resources like EC2<\/strong> and will not be available for global resources like IAM<\/strong>.<\/li>\n\n\n- Account ID<\/strong> – Specifies the account ID of the AWS account in which the resource is in.<\/span><\/li>\n\n\n
- Resource Type<\/strong> – This component is not available for all resources, it is only available for resources which are inside a service with multiple resources.
For example, EC2 has multiple resources like Instance, AMI, etc,.. Resource Type is used for these resources.<\/li>\n\n\n- Resource ID<\/strong> – This is a unique identity for resources within the AWS account.<\/span><\/li>\n<\/ol>\n\n
How to get the ARN of AWS resources?<\/h2>
If you are getting started with AWS, you may find it difficult to put together the correct arn URL for a resource.<\/p>
You can find the syntax for ARN for all the AWS services here<\/a>.<\/p>For example, in that AWS document, if you go ec2 resource<\/a> from the list, and scroll down to the “Resource Types Defined by Amazon EC2” section, you will find the reference for all the sub rsource types for ec2 as shown below.<\/p>![\"aws](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/resource-type-min-1.png\")
Click to view in HD<\/span><\/figcaption><\/figure>Another way is to use the aws policy generator.<\/a><\/p>In the policy generator, when you select the policy resource, it will automatically show the arn suggestion as shown below. You just need to add resource information.<\/p>![\"\"](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/arn-policy-generator-min-1.png\")
Click to view in HD<\/span><\/figcaption><\/figure>ARN Wildcards<\/h2>
ARN definition supports wildcards. You will need a wildcard in many use cases.<\/p>
Let’s say you want an IAM policy that allows access to all objects in a single bucket. For this, you can have a wildcard arn like below.<\/p>
arn:aws:s3:::my-data-bucket\/*<\/code><\/pre>Here is an example of using wildcard arn in an IAM policy. This policy allows all actions for dcubebucket<\/code> S3 bucket.<\/p>{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": [{\n\t\t\"Sid\": \"Stmt1596173683332\",\n\t\t\"Action\": \"s3:*\",\n\t\t\"Effect\": \"Allow\",\n\t\t\"Resource\": [\n\t\t\t\"arn:aws:s3:::dcubebucket\",\n\t\t\t\"arn:aws:s3:::dcubebucket\/*\"\n\t\t]\n\t}]\n}<\/code><\/pre>Here is another example policy that allows limited access to all emr clusters.<\/p>
{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"Stmt1596174145144\",\n \"Action\": [\n \"elasticmapreduce:AddInstanceFleet\",\n \"elasticmapreduce:AddTags\",\n \"elasticmapreduce:DescribeCluster\",\n \"elasticmapreduce:DescribeEditor\",\n \"elasticmapreduce:DescribeJobFlows\",\n \"elasticmapreduce:DescribeSecurityConfiguration\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"arn:aws:elasticmapreduce:*:*:cluster\/*\"\n }\n ]\n}<\/code><\/pre>ARN Paths<\/h2>
In some cases using wildecard is not recommend monstly in IAM policies which can give access to evey resiurces comes under the wildcard, this is where path comes in handy.<\/p>
Paths are used to identify specific resources inside a resource type and it is a way to structure resources within AWS services that support hierarchical resource naming.<\/p>
Paths are specified at the end of the arn, and each path is separated by ( \/ ) based on its path structure.<\/p>
For example, if you want to give access to a group of users to a specific folder inside the bucket while restricting access to all other folders on a bucket, you can use arn paths to give access only to a specific folder<\/p>
arn:aws:s3:::example-bucket\/folder<\/code><\/pre>Here is an example of using arn path in an IAM policy. This policy allows the user to access only the folder dev inside the dcubebucke<\/code>t S3 bucket.<\/p>{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": \"s3:ListBucket\",\n \"Resource\": \"arn:aws:s3:::dcubebucket\/dev\/*\",\n \"Condition\": {\n \"StringLike\": {\n \"aws:userid\": \"12345678910\/development\/*\"\n }\n }\n }\n ]\n}\n<\/code><\/pre>This policy gives access to users who come under development on the folder dev inside the S3 bucket dcubebucket.<\/p>
Getting ARN from AWS CLI<\/h2>
You can get the ARN of specific resources from the CLI.<\/p>
For all IAM roles<\/a>, policies, and users, you can get the ARN from the CLI by describing it.<\/p>Here is an example of getting arn of a role.<\/p>
aws iam get-role --role-name EMR_DefaultRole<\/code><\/pre>Here is the output with the arn.<\/p>![\"\"](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/aws-arn-cli-min-1.png\")
<\/figure>Like this, you can try describing the resource and see if it outputs the arn.<\/p>
Getting ARN from AWS Console<\/h2>
You can get the arn of IAM resources directly from the AWS console.<\/p>
Just browse to the specific resource and you will find the related arn at the top as shown below.<\/p>![\"\"](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/iam-arm-console-min-1.png\")
Click to view in HD<\/span><\/figcaption><\/figure>Getting ARN as Output in Cloudformation<\/h2>
If you are using Cloudformation, you can get the resource arn in the output with the function Fn::GetAtt<\/code><\/p>Here is an example syntax of getting the arn of a Lambda function.<\/p>
resources:\n Outputs:\n LamdaFunctionArn:\n Export:\n Name: MyFucntionARN\n Value:\n Fn::GetAtt: MyLambdaFunction.Arn<\/code><\/pre>Getting ARN of Principal<\/h2>
When you create an S3 bucket policy, SNS topic, VPC endpoint, and SQS policy, you need to specify a principal parameter.<\/p>
Principal<\/code> Is the trusted source specified as an ARN in the policy to allow or deny access to the resource<\/p>For example, if you want an S3 bucket to be accessed only by a specific user, you will specify the user arn as Principal<\/code> in the policy.<\/p>If you use a Policy generator<\/a> to create these policies, you will see the principal option as shown below.<\/p>![\"\"](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/arn-principal-min-1.png\")
Click to view in HD<\/span><\/figcaption><\/figure>Primarily you specify the user, account, and role arn as the principal. There are other Principal sources as well. Please see this AWS document to learn more.<\/p>
Getting the User arn<\/h4>
If you browse the user page in the AWS console, you will get the user arn as shown below.<\/p>![\"\"](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/user-arn-min-1.png\")
Click to view in HD<\/span><\/figcaption><\/figure>AWS Account arn<\/h4>
AWS account arn has the following syntax. Replace account-id<\/code> with your account id.<\/p>arn:aws:iam::<account-id>:root<\/code><\/pre>Getting an AWS Role arn<\/h4>
You can get the arn of the IAM role from the cli as explained in the above section.<\/p>
If you go to IAM –> Role –> Your role<\/strong> from the web console, you can view the arn as shown below.<\/p>Note: <\/strong><\/b>If you are working with an ec2 instance, you might need the instance profile arn with the IAM policies.<\/div><\/div>![\"\"](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/role-min-1.png\")
Click to view in HD<\/span><\/figcaption><\/figure>Wrapping Up<\/h2>
I have added some of the resources and tricks I use for aws arn.<\/p>
I would like to hear from you.<\/p>
Please let me some scenarios you have come across in the comments section.<\/p>
You might also like AWS Load Balancer Concepts<\/a>.<\/p>\n