Parse an S3 ARN (Amazon Resource Name)

S3 ARN: The IAM Policy Format

Amazon Resource Names (ARNs) uniquely identify AWS resources. S3 ARNs are primarily used in IAM policies, bucket policies, and CloudFormation/Terraform resource definitions — not for data access.

ARN Structure

arn:aws:s3:::BUCKET/KEY

Note the three colons (:::) — the region and account-id fields are empty for S3 because S3 bucket names are globally unique.

Example

arn:aws:s3:::production-data/backups/database/*

Parsed Components

Component	Value
Partition	aws
Service	s3
Region	(empty — S3 buckets are global)
Account ID	(empty — S3 bucket names are globally unique)
Bucket	production-data
Key Pattern	backups/database/*

ARN Variations

ARN	Scope
arn:aws:s3:::bucket	The bucket itself (for bucket-level actions)
arn:aws:s3:::bucket/*	All objects in the bucket
arn:aws:s3:::bucket/prefix/*	All objects under a specific prefix
arn:aws:s3:::bucket/specific-key.txt	A single specific object

IAM Policy Example

{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": [
    "arn:aws:s3:::production-data/backups/database/*"
  ]
}

S3 Access Point ARNs

S3 Access Points have a different ARN format that includes the account ID and region:

arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point

Common Mistakes

1. Missing bucket-level ARN — Forgetting that bucket-level operations (like s3:ListBucket) require arn:aws:s3:::bucket while object-level operations require arn:aws:s3:::bucket/*.
2. Including region/account — S3 bucket ARNs should have empty region and account fields.
3. Wildcard scope — Using arn:aws:s3:::* grants access to ALL S3 buckets, which is a security risk.