EC2 Instance ARN — Virtual Server Identification
Parse an Amazon EC2 instance ARN to understand the instance ID format and how EC2 resource types work. Covers other EC2 resource types like volumes and security groups.
Detailed Explanation
EC2 Instance ARN Structure
EC2 instances use the slash-separated resource format with an instance/ prefix followed by the instance ID.
Example ARN
arn:aws:ec2:us-west-2:123456789012:instance/i-0abcdef1234567890
Parsed Components
| Component | Value |
|---|---|
| Partition | aws |
| Service | ec2 |
| Region | us-west-2 |
| Account ID | 123456789012 |
| Resource Type | instance |
| Resource ID | i-0abcdef1234567890 |
Instance ID Format
EC2 instance IDs always start with i- followed by a hexadecimal string. Older instances have 8-character IDs (i-abcd1234), while newer instances have 17-character IDs (i-0abcdef1234567890); the character count refers to the hexadecimal portion after the i- prefix. The 0 after i- in the longer format indicates the newer ID scheme.
Other EC2 Resource Types
The EC2 service namespace covers many resource types beyond instances:
| Resource | ARN Pattern |
|---|---|
| Volume | arn:aws:ec2:region:account:volume/vol-xxx |
| Security Group | arn:aws:ec2:region:account:security-group/sg-xxx |
| Subnet | arn:aws:ec2:region:account:subnet/subnet-xxx |
| VPC | arn:aws:ec2:region:account:vpc/vpc-xxx |
| AMI | arn:aws:ec2:region::image/ami-xxx |
Notice that AMI ARNs can have an empty account ID when referencing public AMIs shared by AWS or other accounts.
Tag-Based Access Control
EC2 ARNs are frequently used in IAM policies together with condition keys to implement tag-based access control, AWS's form of attribute-based access control (ABAC), where permissions are granted based on resource tags rather than on explicit ARN matching.
Use Case
EC2 instance ARNs are used when writing IAM policies that restrict EC2 actions to specific instances, commonly in environments where developers can manage their own instances but must not touch production servers. They also appear in Systems Manager automation documents and CloudWatch alarm configurations.
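The following is an added example, not code from the original page or from AWS: a small Python parser for the ARN structure described above (slash-separated EC2 resource types, the empty account field of AMI ARNs), a validator for the two instance ID lengths, and a matcher that checks whether an instance ARN falls under an IAM policy Resource pattern using IAM's `*` and `?` wildcards. All function names are my own; the sample ARNs are constructed for illustration.

```python
import re

# General ARN layout: arn:partition:service:region:account:resource
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]*):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.+)$"
)
# Instance IDs: "i-" plus 8 (legacy) or 17 (current) lowercase hex characters.
INSTANCE_ID_RE = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def parse_arn(arn: str) -> dict:
    """Split an ARN into its components; EC2 resources use the 'type/id' form."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    parts = m.groupdict()
    resource = parts.pop("resource")
    # EC2 uses a slash (instance/i-...); some other services use 'type:id'.
    if "/" in resource:
        rtype, _, rid = resource.partition("/")
    elif ":" in resource:
        rtype, _, rid = resource.partition(":")
    else:
        rtype, rid = "", resource
    parts["resource_type"] = rtype
    parts["resource_id"] = rid
    return parts


def is_valid_instance_id(instance_id: str) -> bool:
    """True for both the 8- and 17-character hexadecimal instance ID formats."""
    return INSTANCE_ID_RE.fullmatch(instance_id) is not None


def arn_matches_policy_resource(arn: str, pattern: str) -> bool:
    """Match an ARN against an IAM Resource pattern ('*' = any run, '?' = one char).

    IAM's wildcards span colons and slashes, so '*' is translated to '.*'.
    """
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


if __name__ == "__main__":
    # Constructed sample ARN from the page, plus a constructed AMI ARN.
    print(parse_arn("arn:aws:ec2:us-west-2:123456789012:instance/i-0abcdef1234567890"))
    print(parse_arn("arn:aws:ec2:us-east-1::image/ami-12345678")["account"] == "")
```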