AAWS

AWS ARN Explained: Amazon Resource Name Guide

aws arn explained

In this blog, I discuss concepts, tips, and tricks related to AWS ARNs. I will also explain how to create ARN URLs for specific AWS resources.

I have also added all the important links to AWS resources to quickly build the ARNs you need.

Table of Contents
  1. What is ARN in AWS?
  2. Why are ARNs Important?
  3. AWS ARN format
  4. How to get the ARNs of AWS resources?
  5. ARN Wildcards
  6. Getting ARN from AWS CLI
  7. Getting ARN from AWS Console
  8. Getting ARN as Output in Cloudformation
  9. Getting ARNs of Principal
  10. Wrapping Up

What is ARN in AWS?

Amazon Resource Names (ARNs) are unique identifiers assigned to individual AWS resources. It can be an ec2 instance, EBS Volumes, S3 bucket, load balancers, VPCs, route tables, etc.

An ARN looks like the following for an ec2 instance.

arn:aws:ec2:us-east-1:4575734578134:instance/i-054dsfg34gdsfg38

Why are ARNs Important?

ARNs play a crucial role in IAM policies. You will end up using ARNs if you follow the standard security best practices for IAM roles and policies.

ARNs have the following key use cases.

  1. They are used in IAM policies for granting restricted granular access to resources. One example is to allow a specific IAM user to access only specific ec2 instances.
  2. It can be used in Infrastructure as Code scripts and API calls to refer to other resources. You can see a practical example in the Terraform IAM role creation blog.

If you did not understand the above points, don’t worry, we will look at those with practical examples in the following topics.

AWS ARN format

In most cases, you can build the ARN URL yourself following the below format.

arn:aws:service:region:account-id:resource-id
arn:aws:service:region:account-id:resource-type/resource-id
arn:aws:service:region:account-id:resource-type:resource-id

In the above formats, towards the end, you can see the difference in the formats which changes as per the resource types.

Here are the arn examples for all three formats.

S3 ARN Example: S3 has a flat hierarchy of buckets and associated objects. Here is what an S3 ARN would look like

arn:aws:s3:::devopscube-bucket

EC2 ARN Example: ec2 service has sub resource-types like image, security groups etc. The following example uses the instance resource-type.

arn:aws:ec2:us-east-1:4575734578134:instance/i-054dsfg34gdsfg38

Lambda ARN Example: Lambda functions can have multiple versions. Here the version is the qualifier. To have arn of the specific Lambda version, you need to mention the version number at the last as shown below

arn:aws:lambda:us-east-1:4575734578134:function:api-fucntion:1

How to get the ARNs of AWS resources?

If you are getting started with AWS, you may find it difficult to put together the correct arn URL for a resource.

You can find the syntax for ARNs for all the AWS services here.

For example, in that AWS document, if you go ec2 resource from the list, and scroll down to the “Resource Types Defined by Amazon EC2” section, you will find the reference for all the sub rsource types for ec2 as shown below.

aws arn reference document

Another way is to use the aws policy generator.

In the policy generator, when you select the policy resource, it will automatically show the arn suggestion as shown below. You just need to add resource information.

ARN Wildcards

ARN definition supports wildcards. You will need a wildcard in many use cases.

Let’s say you want an IAM policy that allows access to all objects in a single bucket. For this, you can have a wildcard arn like below.

arn:aws:s3:::my-data-bucket/*

Here is an example of using wildcard arn in an IAM policy. This policy allows all actions for dcubebucket S3 bucket.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "Stmt1596173683332",
		"Action": "s3:*",
		"Effect": "Allow",
		"Resource": [
			"arn:aws:s3:::dcubebucket",
			"arn:aws:s3:::dcubebucket/*"
		]
	}]
}

Here is another example policy that allows limited access to all emr clusters.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1596174145144",
      "Action": [
        "elasticmapreduce:AddInstanceFleet",
        "elasticmapreduce:AddTags",
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:DescribeEditor",
        "elasticmapreduce:DescribeJobFlows",
        "elasticmapreduce:DescribeSecurityConfiguration"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:elasticmapreduce:*:*:cluster/*"
    }
  ]
}

Getting ARN from AWS CLI

You can get the ARNs of specific resources from the CLI.

For all IAM roles, policies, and users, you can get the ARN from the CLI by describing it.

Here is an example of getting arn of a role.

aws iam get-role --role-name EMR_DefaultRole

Here is the output with the arn.

Like this, you can try describing the resource and see if it outputs the arn.

Getting ARN from AWS Console

You can get the arn of IAM resources directly from the AWS console.

Just browse to the specific resource and you will find the related arn at the top as shown below.

Getting ARN as Output in Cloudformation

If you are using Cloudformation, you can get the resource arn in the output with the function Fn::GetAtt

Here is an example syntax of getting the arn of a Lambda function.

resources:
  Outputs:
    LamdaFunctionArn:
      Export:
        Name: MyFucntionARN
      Value:
        Fn::GetAtt: MyLambdaFunction.Arn

Getting ARNs of Principal

When you create an S3 bucket policy, SNS topic, VPC endpoint, and SQS policy, you need to specify a principal parameter.

Principal Is the trusted source specified as an ARN in the policy to allow or deny access to the resource

For example, if you want an S3 bucket to be accessed only by a specific user, you will specify the user arn as Principal in the policy.

If you use a Policy generator to create these policies, you will see the principal option as shown below.

Primarily you specify the user, account, and role arn as the principal. There are other Principal sources as well. Please see this AWS document to learn more.

Getting the User arn

If you browse the user page in the AWS console, you will get the user arn as shown below.

AWS Account arn

AWS account arn has the following syntax. Replace account-id with your account id.

arn:aws:iam::<account-id>:root

Getting an AWS Role arn

You can get the arn of the IAM role from the cli as explained in the above section.

If you go to IAM –> Role –> Your role from the web console, you can view the arn as shown below.

Note: If you are working with an ec2 instance, you might need the instance profile arn with the IAM policies.

Wrapping Up

I have added some of the resources and tricks I use for aws arn.

I would like to hear from you.

Please let me some scenarios you have come across in the comments section.

You might also like AWS Load Balancer Concepts.

Bibin Wilson is a cloud and DevOps consultant with over 10 years of IT experience. He has extensive hands-on experience with public cloud platforms, cloud hosting, Kubernetes and OpenShift deployments in production. He has authored over 300 tech tutorials, providing valuable insights to the DevOps community. His courses on techiescamp.com offer practical guidance and real-world examples for professionals aiming to excel in cloud, DevOps, and infrastructure automation.

10 comments

  1. Amazon vendor new EDI to API. I am not a technical person, and we’re looking to update our IAM ARN to get business and sales reports for our API. Anyone able to help with that?

    Reply

  2. I have a question about this topic I can’t find an answer for. Most the wildcard in resource examples are very basic. I have a fairly deep complex heirarchy of “folders” and in each section there is one folder that somewhere in its name, has the word “private”. I am making a GROUP ACL in IAM, and trying to figure out how to use a wildcard a folder name — it could be anywhere in a ‘path’ from ./onelevel/here to ./1/2/3/4/5/6/here — to basically say, “for this whole group, don’t allow a list/get/anything for any folder which contains the string ‘private’. Is it even possible to do this, do you know??

    Reply
Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like