AWS ARN Parser & Builder

Parse any Amazon Resource Name (ARN) into its individual components instantly. Decode partition, service, region, account ID, and resource details with color-coded visualization. Build ARNs from scratch with our interactive builder. Supports bulk parsing of multiple ARNs.

How It Works

Instant Parsing

Paste any AWS ARN and get an instant breakdown of every component -- partition, service, region, account ID, and resource -- with color-coded visualization for easy reading.

Bulk Support

Parse multiple ARNs at once by pasting them one per line. Each ARN gets its own result card with full component breakdown, making it easy to compare and analyze ARNs across services.

ARN Builder

Construct valid ARNs from individual parts using the interactive builder. Select a partition, enter a service, region, account ID, and resource -- and watch the ARN update in real time.

70+ Services

Comprehensive AWS service recognition database covering compute, storage, database, networking, security, analytics, machine learning, containers, and more -- with category badges for each service.

Understanding AWS ARNs

Amazon Resource Names (ARNs) are the universal identifier format used across all AWS services to uniquely identify resources. Every resource you create in AWS -- from S3 buckets and EC2 instances to IAM users and Lambda functions -- is assigned an ARN. Understanding the structure and components of ARNs is essential for working with IAM policies, CloudFormation templates, CLI commands, and AWS APIs.

ARN Format and Structure

Every ARN follows a standard format composed of colon-separated fields:

arn:partition:service:region:account-id:resource

The partition identifies the AWS partition (aws, aws-cn for China, or aws-us-gov for GovCloud). The service namespace identifies the AWS product, such as s3, iam, or ec2. The region field specifies the AWS Region (e.g., us-east-1) and is empty for global services. The account ID is the 12-digit AWS account number, and the resource portion identifies the specific resource and can use either colons or slashes as separators depending on the service.

How to Use This Tool

In Parse mode, paste one or more ARNs into the text area, or click any example button to see how different services structure their ARNs. Each parsed ARN is displayed with color-coded components and a field grid showing every piece of information. In Build mode, fill in the individual fields and the tool constructs a valid ARN in real time that you can copy to your clipboard.

Common Use Cases

Frequently Asked Questions

What is an AWS ARN?

An AWS ARN (Amazon Resource Name) is a unique identifier assigned to every resource in Amazon Web Services. ARNs provide a standardized way to reference resources across all AWS services, and they are used extensively in IAM policies, API calls, CloudFormation templates, and CLI commands. Every ARN follows a structured format that encodes the partition, service, region, account, and resource information, making it possible to unambiguously identify any resource in any AWS account across any region. For example, an S3 bucket ARN like arn:aws:s3:::my-bucket uniquely identifies that specific bucket across the entire AWS ecosystem.

What is the format of an ARN?

The general format of an ARN is arn:partition:service:region:account-id:resource. The ARN always begins with the literal string "arn", followed by a colon and the partition (typically "aws" for standard regions, "aws-cn" for China regions, or "aws-us-gov" for GovCloud). Next comes the service namespace (like "s3", "ec2", "iam", or "lambda"), followed by the region (such as "us-east-1" or "eu-west-1"), then the 12-digit account ID, and finally the resource identifier. The resource portion can take several forms: resource-type/resource-id, resource-type:resource-id, or simply resource-id depending on the service. Some services also support nested resources using additional slashes, such as arn:aws:s3:::my-bucket/my-folder/my-file.txt.

Which AWS services use ARNs?

Virtually every AWS service uses ARNs to identify its resources. This includes compute services like EC2, Lambda, and ECS; storage services like S3, EBS, and EFS; database services like RDS, DynamoDB, and ElastiCache; networking services like VPC, CloudFront, and Route 53; security services like IAM, KMS, and Secrets Manager; analytics services like Athena, Glue, and Kinesis; integration services like SNS, SQS, and EventBridge; developer tools like CodeBuild, CodePipeline, and CodeDeploy; and machine learning services like SageMaker and Rekognition. Each service defines its own resource types and ARN patterns, but they all follow the same foundational ARN format with the arn:partition:service:region:account:resource structure.

Why do some ARNs have empty fields?

Some ARN fields are left empty (represented by consecutive colons with nothing between them) because certain AWS services operate globally rather than within a specific region or account. For example, S3 bucket ARNs like arn:aws:s3:::my-bucket have empty region and account fields because S3 bucket names are globally unique and do not belong to a specific region. Similarly, IAM resources such as users and roles have an empty region field (arn:aws:iam::123456789012:user/johndoe) because IAM is a global service. The empty fields are still required as placeholders to maintain the consistent colon-separated structure of the ARN format, which ensures that parsing tools and AWS APIs can correctly interpret each component by its position.

How do I find the ARN for an AWS resource?

There are several ways to find the ARN for an AWS resource. In the AWS Management Console, most resource detail pages display the ARN -- look for an "ARN" field or a copy button in the resource summary section. Using the AWS CLI, you can retrieve ARNs through describe or list commands; for example, aws ec2 describe-instances returns instance ARNs in the response, and aws iam list-users returns user ARNs. You can also construct ARNs manually if you know the service, region, account ID, and resource identifier by following the documented ARN format for that service. AWS CloudFormation and Terraform both expose resource ARNs as outputs after resource creation. Additionally, AWS CloudTrail logs include ARNs for resources involved in API calls, which can be useful for auditing and debugging.

Can I use wildcards in ARNs?

Yes, wildcards are commonly used in ARNs within IAM policies to match multiple resources. The asterisk (*) character can be used in the resource portion of an ARN to match any combination of characters. For example, arn:aws:s3:::my-bucket/* matches all objects within the "my-bucket" S3 bucket, while arn:aws:s3:::my-bucket/logs/* matches only objects under the "logs/" prefix. You can also use wildcards in other ARN fields: arn:aws:ec2:*:123456789012:instance/* matches all EC2 instances in any region for a specific account. However, it is an IAM best practice to use the most specific ARNs possible in your policies to follow the principle of least privilege. Using overly broad wildcards like arn:aws:*:*:*:* can create security risks by granting unintended access to resources.

What is the difference between ARN separators (: vs /)?

AWS ARNs use two different separators in the resource portion: colons (:) and forward slashes (/). The choice of separator depends on the specific AWS service. Some services use a colon to separate the resource type from the resource ID, like arn:aws:rds:us-east-1:123456789012:db:my-database, while others use a forward slash, like arn:aws:ec2:us-east-1:123456789012:instance/i-0abcdef1234567890. Certain services, particularly S3, use slashes to represent hierarchical paths within a resource, such as arn:aws:s3:::my-bucket/folder/subfolder/file.txt. When writing IAM policies, it is important to use the correct separator for the service you are targeting. The AWS documentation for each service specifies the exact ARN format and which separator to use. Our parser handles both separator styles automatically and correctly identifies the resource type and resource ID regardless of the format used.
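
The positional fields, empty placeholders and the two separator styles described above can be handled in a few lines. This is an added example, not the tool's own code; the names `Arn`, `parse_arn`, `parse_many` and `NO_TYPE_PREFIX` are hypothetical, and treating S3 resources as having no type prefix and accepting the literal account `aws` are assumptions made here.

```python
import re
from typing import NamedTuple, Optional

PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}   # partitions named on this page
NO_TYPE_PREFIX = {"s3"}   # assumption: S3 resources are bucket[/key], no type

class Arn(NamedTuple):
    partition: str
    service: str
    region: str
    account_id: str
    resource_type: Optional[str]
    resource_id: str

def parse_arn(text: str) -> Arn:
    # maxsplit=5: colons inside the resource field ("db:my-database") survive
    parts = text.strip().split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"expected 6 colon-separated fields: {text!r}")
    _, partition, service, region, account_id, resource = parts
    if partition not in PARTITIONS:
        raise ValueError(f"unknown partition: {partition!r}")
    if not service or not resource:
        raise ValueError("service and resource must not be empty")
    # Region and account may be empty placeholders. When present, the account
    # is 12 digits, or the literal "aws" used by AWS-managed IAM policies.
    if account_id and not re.fullmatch(r"\d{12}|aws", account_id):
        raise ValueError(f"bad account ID: {account_id!r}")
    sep = re.search(r"[:/]", resource)      # first ':' or '/' ends the type
    if sep is None or service in NO_TYPE_PREFIX:
        return Arn(partition, service, region, account_id, None, resource)
    return Arn(partition, service, region, account_id,
               resource[:sep.start()], resource[sep.end():])

def parse_many(text: str) -> list:
    """Bulk mode: one ARN per line; a bad line yields its error message."""
    results = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            results.append((line, parse_arn(line)))
        except ValueError as exc:
            results.append((line, str(exc)))
    return results
```

An ARN that drops a placeholder colon, such as `arn:aws:s3::my-bucket`, splits into five fields instead of six and is rejected rather than silently shifted by one position.
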

How are ARNs used in IAM policies?

ARNs are a fundamental component of AWS IAM (Identity and Access Management) policies. In IAM policy documents, the Resource element uses ARNs to specify exactly which AWS resources the policy statement applies to. For example, a policy that grants read access to a specific S3 bucket would include "Resource": "arn:aws:s3:::my-bucket/*" in its statement. ARNs are also used in the Principal element to specify which IAM users, roles, or accounts are allowed or denied access, such as "Principal": {"AWS": "arn:aws:iam::123456789012:role/my-role"}. Condition keys in IAM policies can also reference ARNs using operators like ArnEquals and ArnLike. Getting the ARN format correct is critical for IAM policies to work as intended -- an incorrectly formatted ARN can result in either overly permissive access or completely denied access. Our parser helps you verify ARN formats before using them in your policies.
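
The least-privilege and formatting points above can be checked mechanically before a policy is deployed. This is an added example, not the tool's own code: `split_pattern`, `audit_policy` and `SAMPLE_POLICY` are hypothetical names, the policy is constructed for illustration, and the "broad" rule is a review heuristic assumed here, not IAM's evaluation logic.

```python
FIELDS = ("partition", "service", "region", "account-id", "resource")

def split_pattern(pattern):
    """Split an IAM Resource pattern into its named ARN fields."""
    if pattern == "*":                      # bare "*" stands for every resource
        return dict.fromkeys(FIELDS, "*")
    parts = pattern.split(":", 5)           # the resource field may contain ':'
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"malformed ARN pattern: {pattern!r}")
    return dict(zip(FIELDS, parts[1:]))

def audit_policy(policy):
    """Return (statement index, pattern, reason) for risky Allow resources."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be an object
        statements = [statements]
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):      # Resource may be a string or a list
            resources = [resources]
        for pattern in resources:
            try:
                fields = split_pattern(pattern)
            except ValueError:
                findings.append((index, pattern, "malformed"))
                continue
            wild = [name for name in FIELDS if "*" in fields[name]]
            # Heuristic (assumption): any service, any account, or a bare "*" resource
            if {"service", "account-id"} & set(wild) or fields["resource"] == "*":
                findings.append((index, pattern, "broad: " + ",".join(wild)))
    return findings

# Constructed sample policy, using the ARN patterns quoted on this page.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/logs/*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances",
     "Resource": ["arn:aws:ec2:*:123456789012:instance/*", "arn:aws:*:*:*:*"]},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3::my-bucket"},   # one placeholder colon missing
]}
```

On the sample, the prefix-scoped S3 pattern and the account-scoped EC2 pattern pass, while `arn:aws:*:*:*:*` is reported as broad and the ARN with the missing colon as malformed.
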
