What is AWS ARN? Amazon Resource Name Guide Explained

Table of Contents Hide
  1. What is AWS ARN?
  2. Importance of AWS ARN
  3. Getting ARNs for your AWS resources
  4. Using ARN paths
  5. How to access ARNs
  6. Creating an ARN in IAM policies
  7. Important Points about ARNs
  8. Conclusion

Amazon provides several computing, storage, and database services, which are collectively called Amazon Web Services (AWS). Software developers can use these cloud services during the development of software applications. For identifying and referencing AWS resources across different AWS services, Amazon Resource Names (ARNs) are used. This article provides the details of AWS ARN, including its importance, ARN format, ARN examples, and how to access them.

Table of Contents Show
  1. What is AWS ARN?
  2. Importance of AWS ARN
  3. Getting ARNs for your AWS resources
    1. ARN Examples
  4. Using ARN paths
  5. How to access ARNs
  6. Creating an ARN in IAM policies
  7. Important Points about ARNs
  8. Conclusion

What is AWS ARN?

Amazon Resource Name (ARN) is a string of characters used to identify an AWS resource such as a user, EC2 service, S3 bucket, or a lambda function. ARN not only uniquely identifies a resource within the Amazon ecosystem, but also allows other AWS services and tools to refer to this resource. Whenever you create a specific AWS resource, an ARN is assigned to it.

They are commonly used when you are using AWS Command-Line Interface (CLI) or SDK. For example, ARN is used along with the prefix name of an AWS service during assigning IAM permissions on an AWS resource. In addition, developers can use an ARN to refer to a resource in the documentation.

Similarly, when you are facing some problem and you require assistance from the AWS support team, you can refer to your resource by specifying its ARN. Then the cloud support engineer can easily help you.

Most administrators use ARNs to utilize and keep track of AWS policies and resources, whenever a request to AWS services and API is made.

ARNs are also useful when you want to link or connect resources in AWS. Suppose you want to subscribe an SNS topic to a Lambda function. In this case, you have to provide the ARN of the Lambda function you want to link to the SNS topic.

Importance of AWS ARN

  1. AWS ARN provides a standard and consistent way of identifying individual AWS resources. This makes the management and security of these resources easy, regardless of which AWS service or tool they are referred from.
  2. Using ARNs is crucially important in setting up IAM policies. For instance, ARN can be used in IAM policies for restricting granular access to a resource, just as allowing a specific IAM user to access a specific EC2 instance.
  3. ARN allows you to keep track of the usage and cost of AWS resources. You can use ARNs in AWS Cost Explorer to find out the cost of each resource and what services or accounts are responsible for this cost.
  4. ARNs can also be used for the automation of scripts and API calls to other resources. APIs are used when two applications communicate with each other. Using ARNs allow the user to quickly find and use a resource, thus increasing overall efficiency.
  5. As ARNs provide better security, any long-term credentials are not needed to access AWS resources. Instead, temporary credentials are generated for AWS users who want to use various servers for the short term.

Getting ARNs for your AWS resources

There are two ways to get ARN for your AWS resource:

  • Creating ARN URL manually
  • Using policy generator
  1. Creating ARN URL manually

To build an ARN manually, you have to understand its general format. You can use the following ARN formats.

The difference at the end of these formats is due to the types of resources created. Let’s understand the meanings of different parts of the AWS ARN format.

  • ARN: Every ARN URL starts with the ARN keyword.
  • Partition: The second part is the partition, which represents the AWS region where the resource exists. The partition can be Public (aws), GovCloud (aws-us-gov), and China (aws-cn). Most of the time, you will be using a Public partition, the value of which is “aws”. This is shown in the above example.
  • Service: Here the name of the service this ARN is referring to will be written. Some examples of services are S3, lambda, DynamoDB, apigateway, etc.
  • Region: This part represents the region where the service exists. There are several AWS regions throughout the world. A service created in a particular region would only exist in that region. Whenever you login into the AWS console you select a region. Some examples of popular regions are us-east-1, eu-west-1, and us-west-2. This part can be left blank for certain services which are global such as S3.
  • Account ID: This is the AWS account ID of the user that owns the resource. Every AWS user has a 12-digit unique account identifier. Some global resources do not need an account ID so this part can be omitted.
  • Resource ID: This ID uniquely identifies different resources from the same AWS resource. However, this ID can vary for different services. For example. it can be the object’s ID for S3, but the resource type and ID for other services. The Resource ID is an optional part and may not be present in all ARNs.
  • Resource Type: This specifies the resource type of the AWS service used. For example, VPC is a resource type of EC2. The syntax of Resource Type also varies from service to service. It usually includes a slash or a colon.

ARN Examples

Let’s see an example of the ARN format.

In the above example, aws represents that you are using a Public partition; the name of the service is DynamoDB; and the service was created in the geographical region us-east-1. This is followed by a 12-digit account ID of the user. The resource type is a DynamoDB table whose name is Countries.

Note that you can use three formats in the last part of the ARN syntax. They change according to the type of resource. You can specify a resource ID only, as shown below.

arn : aws : s3: : : Bucket_name

As S3 is a global service, the region and account ID parts are left blank in the above example. Moreover, due to the flat hierarchical structure of S3, only the bucket name is mentioned.

However, to specify sub-resources types you have to use a forward slash (/) between the ID and the type. For example, the ARN of an object in an S3 bucket will look like

arn : aws : s3: : : Bucket_name/abc.png

Similarly, the ARN of an EC2 service would look like

arn : aws : ec2: us-east-1: 123456789012: instance/i-023dsfg78gdsfg45

Alternatively, you have to use a colon (:) to separate a resource ID and type. For example, to specify a particular version of the lambda function, you can write

arn : aws : lambda: us-east-1: 123456789012: function: api-function:1

Here, 1 is the version number of the lambda function. Similarly, you can use a colon (:) for databases.

arn : aws : rds: eu-west-1: 123456789012: db: mysql-db

This is an example of an ARN of a database (db) named mysql-db belonging to the user 1234560789012. The service type is (rds) which is present in the region eu-west-1.

  1. Using Policy Generator

For beginners, it may be difficult to use the correct ARN format. Instead, they can use the AWS Policy Generator, which is a tool to create access control policies for AWS resources. When you select a policy and the AWS service, and provide the resource information, the policy generator will display the resource ARN suggestions.

Using ARN paths

A group of AWS resources can also be identified using ARN by specifying a path. For instance, to assign IAM permissions to a particular user to read access files in a specific S3 bucket, you can write an ARN as shown in the following example.

arn : aws : S3: : : Bucket_name/*

In the above example, all the objects (indicated by the *) within Bucket_name will be available to the user. Also, note that both Region and Account ID fields are empty. Similarly, to give access to all tables in a DynamoDB table resource, you can write

arn : aws : dynamodb: xxx : : table/*

Let’s see another example of an IAM ARN, which is referring to all users.

arn : aws : iam: : 123456789012: user/*

Thus, you can use paths and wild cards (*) to mention all objects within a resource. This makes it easy to assign permissions on objects as you don’t have to create multiple policies for each of them.

How to access ARNs

Most of the ARNs can be accessed via AWS Management Console. For Instance, you can find the ARN of a user on the user page, as shown below.

The ARN of an S3 bucket can be found on the “Properties” tab, as shown below. There could be many cases where you will need this ARN, so you can click the button next to the ARN to copy and use it where required.

The ARN of an RDS resource can be found using either the AWS management console, RDS API, or AWS CLI. However, for the EC2 service, the ARN is not shown and you have to manually create it using the CLI.

You can also get the ARN from AWS CLI. For that, you have to describe the IAM policies, users, or roles (you want to get the ARN) in the CLI. Likewise, you can obtain an ARN as an output of cloudformation by using the Fn::GetAtt function.

Creating an ARN in IAM policies

Suppose you want to create an IAM policy for a specific resource (say a file in an S3 bucket). You want to assign certain permission (such as read) to a user.

After clicking on the “Create policy” button, you will be asked to choose a service. You can search for the required service name (S3 in this case).

Next, select the required permission (read in our example).

Then, from the “Resources” section, click on the “Add ARN” option next to the resource name. You will be prompted with the following screen.

Here, you have to provide the resource name. As a result, its ARN will be generated as highlighted in the following figures.

If the ARN is previously created (as we have already created for S3), you can use the “List ARNs manually” option to directly paste the ARN here.

You can now click on the JSON tab to get the code.

Note: In this example, the user, resource, and policy all are assigned ARNs. In other words, whenever you create something in AWS, a unique identifier (ARN) is assigned to it.

Important Points about ARNs

Following are some important points to remember about ARNs.

  • ARNs are immutable, which means that they cannot be renamed, changed, or updated.
  • There is no centralized place, where all AWS ARNs are stored.
  • You can find the ARN of a resource on its home page. In case it is not visible there (for example, in the case of DynamoDB Table) search it under Additional Settings pages or Additional Info options.

Conclusion

Amazon resource names (ARNs) are commonly used to reference objects present in the AWS cloud. An ARN is a unique identifier that is used to identify a specific resource or a group of resources (by specifying a path).

As they are widely used and due to the important features they provide, it is important to understand what ARN is, and how to create and use them.

Total
0
Shares
Share 0
Tweet 0
Pin it 0

Dr. Muhammad Aziz is a Ph.D., and Professor of Computer Science, who has more than 20 years of rich experience in academia and research. He has published more than 35 research articles in indexed journals and conferences.

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *