How do I know which resource type separator to use — slash or colon?

The separator depends on the service. IAM uses slashes (arn:aws:iam::123456789012:user/admin), while some services like SNS use colons (arn:aws:sns:us-east-1:123456789012:my-topic). The builder automatically applies the correct separator for each service and resource type, so you do not need to memorize these differences.

Do I need to include region and account for every ARN?

No. Global services like IAM and S3 omit certain fields. IAM ARNs always have an empty region field, and S3 ARNs omit both region and account. The builder knows which fields are required, optional, or must be empty for each service, preventing you from including data that would make the ARN invalid.

AWS ARN Builder

IAM & SecurityAWS

Build valid ARNs from component parts with guided dropdowns.

Last verified: April 2026

ARN Components

Partition

Service

Region

Account ID

Resource Type

Resource ID

Generated ARN

arn:aws:s3:::

Output

arn:aws:s3:::

What This Tool Does

Constructing ARNs by hand is error-prone because each AWS service uses slightly different resource-type separators, optional qualifiers, and region/account requirements. The AWS ARN Builder provides guided dropdowns for partition, service, and resource type so you produce syntactically correct ARNs on the first attempt. It is especially useful when writing IAM policies, resource-based policies, or infrastructure-as-code templates where a single misplaced colon can cause silent permission failures.

Technical Details

The builder maintains a curated database of AWS service namespaces and their ARN format rules (which fields are required, which use slashes vs colons, and which fields must be empty). When you select a service and resource type, it generates the ARN template and validates each component against the service-specific rules before outputting the final ARN string.

Common Use Cases

1Building resource ARNs for IAM policy Condition blocks or Resource arrays without consulting service-specific documentation
2Generating ARNs for cross-account resource references in CloudFormation StackSets or Terraform modules
3Creating properly formatted ARNs for AWS Config rules, EventBridge targets, or SNS topic policies
4Constructing GovCloud or China partition ARNs (aws-us-gov, aws-cn) that are easy to get wrong from memory

Common Questions

How do I know which resource type separator to use — slash or colon?: The separator depends on the service. IAM uses slashes (arn:aws:iam::123456789012:user/admin), while some services like SNS use colons (arn:aws:sns:us-east-1:123456789012:my-topic). The builder automatically applies the correct separator for each service and resource type, so you do not need to memorize these differences.
Do I need to include region and account for every ARN?: No. Global services like IAM and S3 omit certain fields. IAM ARNs always have an empty region field, and S3 ARNs omit both region and account. The builder knows which fields are required, optional, or must be empty for each service, preventing you from including data that would make the ARN invalid.

Expert Tips

TIP

Always double-check the partition field when working across commercial and GovCloud accounts. A common CI/CD mistake is hardcoding 'aws' in ARNs that need to work in 'aws-us-gov'.

TIP

When building ARNs for S3 objects, remember that the key can contain slashes. The ARN arn:aws:s3:::my-bucket/path/to/object.json is valid and the entire 'path/to/object.json' is the resource.

Related Learning Guides

AWS IAM Best Practices25 min read

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.