What is an AWS ARN and Why is it Important?

Trying to understand what an ARN is and why its important in the context of AWS? This is the article for you.

When using AWS, you’ll often stumble upon obscure strings that start with arn . You may be wondering what these strings are and what role they play in AWS. In this article, you’ll learn exactly that.

So let’s get into it.

What is an AWS ARN?

An ARN stands for Amazon Resource Name. It is a unique identifier of a resource that you create in AWS. In other words, anything that you create in AWS typically has an ARN associated with it.

Keep in mind that there are some exceptions to this. For example, when you create a DynamoDB table, it will have an ARN associated with it. However if you insert an item/record into DynamoDB, no ARN will be created.

A general rule of thumb is that if you ever go into the AWS console and click the “create” button, there will be an ARN identifier associated with it.

What Does an ARN Look Like?

An ARN takes the following form:

Lets look at each of these items independently.

• partition – a partition is a group of AWS regions. There are three possible values for this component, either aws, aws-cn or aws-us-gov. 99% of you will only ever see/use ARNs that use the aws value.
• service – the service represents which service this ARN is with reference to. For example, if you create a DynamoDB table, your service identifier will be dynamodb. For S3, it would be s3, and for Lambda it would be lambda – I think you get the idea.
• region – the region is the geographic region that the resource was created in. There are many regions across AWS all across the world. Some popular ones include us-east-1, eu-west-1, and us-west-2. Remember that resources you create are scoped to a particular region. In other words, a DynamoDB table created in us-east-1 exist only in that region and not others. The resource itself is hosted in the associated data center of that region.
• account id – every AWS user has an account id. An account id is simply a 12 digit number that uniquely identifies your account.
• resource type – the resource type is an optional field. Depending on the resource you create, it may or may not be present. In the above example, you can see it is the value table for our DynamoDB table. This is because the ARN is for a service subresource (a table). This only makes sense in some contexts and is not present in all ARNs.
• resource id – the resource id represents the lowest level resource. In the above example it represents the name of our DynamoDB table – Countries.

More ARN Examples

It’s important to remember that ARNs take a similar form, but look slightly different depending on the AWS service. Here are some examples of what ARNs look like across a multitude of AWS services.

• Lambda Function – arn:aws:lambda:us-east-1:755314965794:function:Disconnect
• S3 Bucket – arn:aws:s3:::beabetterdev-demo-bucket
• SNS Topic – arn:aws:sns:us-east-1:755314965794:DemoTopic
• SNS Topic Subscription – arn:aws:sns:us-east-1:755314965794:DemoTopic:01b9251e-e8c4-4ece-9e6a-6c20492d768e
• Cloudwatch Alarm – arn:aws:cloudwatch:us-east-1:755314965794:alarm:5min_3of5_TicktockFunction
• IAM User – arn:aws:iam::755314965794:user/amplify-XzaOi

These are all real AWS ARNs from my personal AWS account. Hopefully you get the picture of what they look like.

ARN Paths

ARNs can also have paths associated with them to capture multiple AWS resources. For example, if we were working with an S3 bucket and wanting to give IAM permissions to a user to read access files only in a specific S3 bucket, we could use this form:

This is a handy feature that makes assigning permissions much easier. Instead of having to create many many policies for each objects, we can simply use paths and wildcards (the * in this case) to indicate all. The same principle applies for other AWS resources such as DynamoDB tables (we can say arn::xxx:table/*) to give access to ALL tables.

Why are ARNs Useful?

Often times we need to connect AWS resources together. For example, if we were to try and subscribe a SNS topic to a Lambda function, we would need to provide our ARN to tell AWS which Lambda function we would like subscribed to our SNS topic.

Since all ARNs are unique, this allows AWS to distinguish which resource to link to the topic. You can see an example in the AWS console of us trying to subscribe one of our Lambda functions to our SNS.

As you can imagine, there are many different ways to link resources together in AWS. This is just one example, but the principle remains the same. You must provide the specific ARN of the resource you would like to link.

Where Do I Find A Resource’s ARN?

Unfortunately each AWS service is different, and there is no one centralized place that ARNs are located. However, there are some general patterns that AWS follows to display your ARN.

Typically, you will find your ARN on the home page of a resource. If you can’t find it there, you’ll probably find it under the under the “Additional Info” (or some phrase similar) of the AWS console. For example, below is the location of the ARN of a Lambda function in my AWS account.

In other cases such as a DynamoDB table, the ARN can be a bit more challenging to find. In this case, we need to first click on the DynamoDB Table, followed by clicking Additional info before we can find the ARN. An image of this can be seen below.

Can You Update an ARN?

To put it simply, No. ARNs are immutable and cannot be changed. In order to rename a resource, you need to delete the resource and re-create it. A bit cumbersome, but that’s how it works.

Wrap Up

ARNs or Amazon Resource Names are unique strings that identify an AWS resource or group of AWS resources via a path. You’ll see them all over AWS and its important to understand what they are and how they work. ARNs can not be modified after creation. They are typically located in the home page of the AWS resource or under “Additional Settings” pages.

To learn more about ARNs, you can read this article by AWS.