What are the different ARN formats used by AWS services?

AWS uses three primary ARN formats: arn:partition:service:region:account:resource-id, arn:partition:service:region:account:resource-type/resource-id, and arn:partition:service:region:account:resource-type:resource-id. Some services like S3 omit the region and account (arn:aws:s3:::my-bucket), while IAM omits only the region (arn:aws:iam::123456789012:user/admin). The parser handles all variations automatically.

Why do some ARNs have empty fields between colons?

Empty fields indicate that a component is either globally unique or not applicable for that service. S3 bucket ARNs omit both region and account because bucket names are globally unique across all of AWS. IAM ARNs omit the region because IAM is a global service, though the account ID is still required since IAM resources are account-scoped.

Can ARNs contain wildcards?

Yes, but only in IAM policy documents — not as actual resource identifiers. In policies, you can use * to match any character sequence and ? to match a single character within the resource segment. For example, arn:aws:s3:::my-bucket/* matches all objects in a bucket. The parser will identify wildcard segments so you can verify your policy scope.

AWS ARN Parser

IAM & SecurityAWS

Parse and break down Amazon Resource Names into their components.

ARN Input

Parsed Output

Output will appear here...

About This Tool

Amazon Resource Names (ARNs) uniquely identify every resource across all AWS services and accounts. An ARN follows the format arn:partition:service:region:account-id:resource, but the resource segment varies significantly between services — some use slashes, others use colons, and some include qualifiers like version numbers or aliases. This tool parses any valid ARN into its individual components so you can quickly identify the partition, service namespace, region, account, and resource path without manually counting colons.

When to Use This Tool

•Debugging IAM policy statements that deny access by isolating which ARN component (account, region, or resource path) is mismatched
•Extracting account IDs and regions from ARNs found in CloudTrail logs or error messages during incident response
•Validating that ARNs embedded in CloudFormation templates or Terraform configs reference the correct partition (aws, aws-cn, aws-us-gov)
•Quickly identifying the service namespace and resource type when triaging cross-account access issues

Frequently Asked Questions

What are the different ARN formats used by AWS services?: AWS uses three primary ARN formats: arn:partition:service:region:account:resource-id, arn:partition:service:region:account:resource-type/resource-id, and arn:partition:service:region:account:resource-type:resource-id. Some services like S3 omit the region and account (arn:aws:s3:::my-bucket), while IAM omits only the region (arn:aws:iam::123456789012:user/admin). The parser handles all variations automatically.
Why do some ARNs have empty fields between colons?: Empty fields indicate that a component is either globally unique or not applicable for that service. S3 bucket ARNs omit both region and account because bucket names are globally unique across all of AWS. IAM ARNs omit the region because IAM is a global service, though the account ID is still required since IAM resources are account-scoped.
Can ARNs contain wildcards?: Yes, but only in IAM policy documents — not as actual resource identifiers. In policies, you can use * to match any character sequence and ? to match a single character within the resource segment. For example, arn:aws:s3:::my-bucket/* matches all objects in a bucket. The parser will identify wildcard segments so you can verify your policy scope.

Related Learning Guides

AWS IAM Best Practices25 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.