While testing our open-source S3 security tool: YES3 Scanner and inspired by a conversation in the Cloud Security Forum Slack, we conducted deep research on AWS ARN Formats to determine all of the possible AWS resources and their corresponding AWS ARN formats. Part of what drives IAM least privilege in AWS IAM and security research of resources in AWS are tied to the Amazon Resource Identifiers: ARNs.
This can help answer questions such as:
- Which AWS resources are global resources and don't have Region in the ARN (This was in the Cloud Security Forum Slack)?
- Which AWS resources have unique ARNs without Account IDs needed such as S3 Buckets?
- What ARN do I need to write a specific IAM policy?
- How do I scope down and write an ARN for least privilege in IAM?
From our research on AWS ARN formats, we've published the following resources as free and open-source listings:
- Searchable Listing of all ARNs
- GitHub: JSON file of All ARN Formats
- GitHub: JSON file of AWS service prefixes
Our findings as of May 29th, 2025:
- We found 1,929 different ARNs supported by AWS IAM.
- AWS's own Policy Generator (released in 2011) only supports 397 ARNs (20.58% of the ARNs we found).
- 152 ARNs without Account ID specified in the ARN. Example: S3 Buckets, which follows the format
arn:${Partition}:s3:::${BucketName}
- 171 ARNs do not have Region (${Region}) in the ARN Format.
If you have feedback or requests, reach out to us at info@fogsecurity.io! We'd love to hear how you use this research, your projects, and insights you get from all the ARNs. We're continuing to build in this space and if you have feedback or thoughts, we want to chat with you!
Amazon Resource Identifiers (ARNs)
ARNs can look like:
- S3 Buckets:
arn:${Partition}:s3:::${BucketName} - IAM Roles:
arn:${Partition}:iam::${Account}:role/${RoleNameWithPath} - KMS Encryption Keys:
arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}
ARNs in AWS typically follow this general format as provided here by AWS:
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-idHowever, these can differ between AWS services and resources. Differences we found include:
- Resources without Account ID.
- Some resources are provided by AWS and don't have account IDs in the ARN. They may not need to be "unique." Examples are AWS Managed IAM Policies, AWS Managed Organization Policies (RCPFullAWSAccess RCP, FullAWSAccess SCP)
- arn:${Partition}:organizations::aws:policy/${PolicyType}/p-${PolicyId}
- Other resources need to have unique namespaces but do not include AccountId. Examples include S3 buckets (Bucket names must be globally unique), API Gateway resources such as APIs, and Identity Center Instances.
- arn:${Partition}:s3:::${BucketName}
- arn:${Partition}:apigateway:${Region}::/apis/${ApiId}
- arn:${Partition}:sso:::instance/${InstanceId}
- Some resources are provided by AWS and don't have account IDs in the ARN. They may not need to be "unique." Examples are AWS Managed IAM Policies, AWS Managed Organization Policies (RCPFullAWSAccess RCP, FullAWSAccess SCP)
Note: This may not be a complete listing as we found exceptions to the resource ARN format. One example resource is the AWS IAM Policy.
The ARN format follows arn:${Partition}:iam::${Account}:policy/${PolicyNameWithPath} and while customer managed polices will follow that format, AWS Managed policies don't follow that format as they don't have ${Account} in the ARN.
- AWS Managed PowerUserAccess Policy:
arn:aws:iam::aws:policy/PowerUserAccess - AWS Managed AdministratorAccess Policy:
arn:aws:iam::aws:policy/AdministratorAccess
Resources Across Other Services
While coding, we added a function to remove duplicate ARNs. Certain AWS resources are used across other services and can be used in IAM policies and resource blocks for actions from a different service.
Examples include:
- S3 buckets are also listed in AWS Systems Manager
- IAM roles are also listed in EC2, STS.
- KMS keys are also listed in Amazon EC2 Image Builder, Kinesis Data Streams, and EventBridge. However, they're also listed as a condition for Elasticache and EC2 (
elasticache:KmsKeyIdandec2:KmsKeyId).
Inconsistent ARN Formats
We found inconsistencies across ARN formats for AWS Account IDs. In some ARN formats, the placeholder was ${Account} and other ARN formats had a ${AccountId} placeholder.
Examples:
- EC2 Instance: arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}
- Identity Center Application: arn:${Partition}:sso::${AccountId}:application/${InstanceId}/${ApplicationId}
Comparison to Other Sources
We've seen the following and somewhat creative methods to determine all the resources and available ARN formats in AWS:
- Listing of all the example ARNs from AWS ARNs and namespaces documentation
- Listing of supported ARNs in the AWS Policy Generator
AWS Policy Generator
In the Cloud Security Slack, someone recommended this repository that scans the AWS Policy Generator for ARNs. There's an open-source GitHub repository that pulls available ARNs from the AWS Policy Generator.
Other
We found other resources that focused on IAM actions that had similar coverage. However, these resources:
- Focused on IAM actions and permissions, not resources first.
- In our research, we found some listings were missing ARNs and had incomplete listing of ARN formats.
Try it out!
An example of the json file reference is as follows:
{
"service": "AWS Key Management Service",
"resource": "alias",
"prefix": "kms",
"arn": "arn:${Partition}:kms:${Region}:${Account}:alias/${Alias}"
},
{
"service": "AWS Key Management Service",
"resource": "key",
"prefix": "kms",
"arn": "arn:${Partition}:kms:${Region}:${Account}:key/${KeyId}"
},
If you have feedback or requests, reach out to us at info@fogsecurity.io! We'd love to hear how you use this research, your projects, and insights you get from all the ARNs.
Resources
YES3 Scanner: Open Source S3 Security Scanner
GitHub: AWS IAM Reference - ARNs
AWS Blog: AWS Policy Generator Announcement
