Parse and break down Amazon Resource Names into their components.
Last verified: April 2026
Output will appear here...Amazon Resource Names (ARNs) uniquely identify every resource across all AWS services and accounts. An ARN follows the format arn:partition:service:region:account-id:resource, but the resource segment varies significantly between services — some use slashes, others use colons, and some include qualifiers like version numbers or aliases. This tool parses any valid ARN into its individual components so you can quickly identify the partition, service namespace, region, account, and resource path without manually counting colons.
AWS uses three primary ARN formats: arn:partition:service:region:account:resource-id, arn:partition:service:region:account:resource-type/resource-id, and arn:partition:service:region:account:resource-type:resource-id. Some services like S3 omit the region and account (arn:aws:s3:::my-bucket), while IAM omits only the region (arn:aws:iam::123456789012:user/admin). The parser handles all variations automatically.
Empty fields indicate that a component is either globally unique or not applicable for that service. S3 bucket ARNs omit both region and account because bucket names are globally unique across all of AWS. IAM ARNs omit the region because IAM is a global service, though the account ID is still required since IAM resources are account-scoped.
Yes, but only in IAM policy documents — not as actual resource identifiers. In policies, you can use * to match any character sequence and ? to match a single character within the resource segment. For example, arn:aws:s3:::my-bucket/* matches all objects in a bucket. The parser will identify wildcard segments so you can verify your policy scope.
It's 2am and PagerDuty fires. Your Lambda function can't read from an S3 bucket. The error says 'Access Denied' with an ARN you've never seen before. You paste it into the parser and immediately see the ARN points to us-west-2 but your bucket is in us-east-1. The IAM policy has a hardcoded region. Fix deployed in 3 minutes, back to sleep.
The parser uses a regex-based tokenizer that splits the ARN string on colons to extract the partition, service, region, and account fields. For the resource segment, it detects whether the service uses slash-based or colon-based resource paths by checking the service namespace against a known mapping, then splits accordingly. This handles edge cases like S3 object keys that contain colons and Lambda function ARNs with version qualifiers.
When debugging access denied errors, paste the ARN from the error message here first. The most common cause is a region or account mismatch between the resource and the policy, which becomes obvious once the ARN is broken down.
GovCloud ARNs use the partition 'aws-us-gov' and China region ARNs use 'aws-cn'. If your policy works in commercial but fails in GovCloud, the partition is almost always the culprit.
Some services like S3 use path-style ARNs (with slashes) for objects but colon-style for bucket-level operations. The parser handles both, but be aware of this when writing wildcard policies.
Was this tool helpful?
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.