S3 Bucket ARN — Understanding Object Storage ARNs
Parse an Amazon S3 bucket ARN to understand its unique structure with empty region and account ID fields. Learn why S3 ARNs differ from most other AWS services.
Detailed Explanation
S3 Bucket ARNs Are Special
Amazon S3 bucket ARNs have a distinctive structure that sets them apart from nearly every other AWS service. The region and account ID fields are left empty because S3 bucket names are globally unique across all AWS accounts and regions.
Example ARN
arn:aws:s3:::my-application-bucket
Parsed Components
| Component | Value | Notes |
|---|---|---|
| Partition | aws | Standard commercial AWS |
| Service | s3 | Amazon Simple Storage Service |
| Region | (empty) | S3 buckets are global |
| Account ID | (empty) | Not needed — bucket names are globally unique |
| Resource Type | (none) | S3 uses the resource field directly |
| Resource ID | my-application-bucket | The bucket name |
Why No Region or Account?
When AWS designed S3, they chose to make bucket names globally unique. This means no two AWS accounts anywhere in the world can have a bucket with the same name. Because of this uniqueness constraint, there is no need to include the region or account ID in the ARN — the bucket name alone is sufficient to identify the resource.
This stands in contrast to services like EC2 or Lambda, where a resource name is only unique within a specific region and account combination.
S3 Object ARNs
To reference a specific object inside a bucket, append the object key after the bucket name:
arn:aws:s3:::my-application-bucket/uploads/photo.jpg
Here, my-application-bucket is the bucket name (the resource type, bucket, is implicit), and uploads/photo.jpg is the full object key, including any prefix "folders."
Use Case
Writing IAM policies that grant access to specific S3 buckets. S3 ARNs are among the most commonly referenced ARNs in IAM policy documents, used in both Resource and Condition blocks.
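The following added example (not part of the original page) parses bucket and object ARNs as described above and builds a read-only policy that puts each action on the right ARN form. The names S3Arn, parse_s3_arn and read_only_policy are hypothetical, and the s3:ListBucket / s3:GetObject pairing is an assumption chosen for illustration.

```python
import json
from typing import NamedTuple, Optional

class S3Arn(NamedTuple):
    partition: str
    bucket: str
    key: Optional[str]  # None for a bucket ARN

def parse_s3_arn(arn: str) -> S3Arn:
    """Split an S3 bucket or object ARN into partition, bucket and key."""
    # Limit the split to 5 so colons inside an object key stay in the resource field.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    if service != "s3":
        raise ValueError(f"not an S3 ARN: {arn!r}")
    if region or account:
        # Bucket and object ARNs leave both fields empty, as in the table above.
        raise ValueError(f"region/account must be empty in a bucket ARN: {arn!r}")
    bucket, sep, key = resource.partition("/")
    if not bucket:
        raise ValueError(f"missing bucket name: {arn!r}")
    return S3Arn(partition, bucket, key if sep else None)

def read_only_policy(bucket_arn: str) -> dict:
    """Build a read-only policy: list on the bucket ARN, get on its objects."""
    parsed = parse_s3_arn(bucket_arn)
    if parsed.key is not None:
        raise ValueError("expected a bucket ARN, got an object ARN")
    base = f"arn:{parsed.partition}:s3:::{parsed.bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": base},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{base}/*"},
        ],
    }

if __name__ == "__main__":
    # The first two ARNs are the page's examples; the third is constructed.
    for arn in ("arn:aws:s3:::my-application-bucket",
                "arn:aws:s3:::my-application-bucket/uploads/photo.jpg",
                "arn:aws:s3:::my-application-bucket/logs/2024-01-01T00:00:00.json"):
        print(parse_s3_arn(arn))
    print(json.dumps(read_only_policy("arn:aws:s3:::my-application-bucket"), indent=2))
```

A bucket-level action attached only to the `/*` object ARN, or an object-level action attached only to the bucket ARN, matches nothing, which is a common reason a policy that looks correct still yields access denied.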