Dev
Mock AWS ARN Generator
Amazon Resource Names follow the format arn:partition:service:region:account-id:resource — and every segment must be correct for cfn-lint, aws iam simulate-policy, and Terraform to accept them. Copying real ARNs from a live environment exposes your 12-digit account ID, giving attackers a foothold for reconnaissance. This generator produces structurally correct fake ARNs for eight services: S3, Lambda, IAM, DynamoDB, SNS, SQS, EC2, and RDS. It applies the correct pattern for each — S3 ARNs omit region and account ID entirely, Lambda and RDS ARNs include both, IAM ARNs add a path segment, and EC2 ARNs use the instance/ prefix. Account IDs in the output are 12-digit random numbers corresponding to no real AWS account. Select a service, set your count (1–20), and get a correctly formatted batch instantly.
How to use
- Choose your options above
- Click Generate
- Copy your result
Detailed instructions
- Select the AWS service you need ARNs for using the Service dropdown (e.g., S3, Lambda, DynamoDB).
- Set the count field to the number of ARNs you want generated in one batch.
- Click Generate to produce a list of correctly formatted fake ARNs for that service.
- Copy individual ARNs or the full list and paste them into your policy JSON, Terraform variable file, or test fixture.
- Re-run with a different service selected to generate ARNs for a second service without mixing formats.
Use Cases
- •Populating IAM policy JSON with S3 bucket ARNs before the buckets are provisioned in AWS
- •Seeding Jest or Pytest fixtures with Lambda execution role ARNs to test permission-branching logic
- •Filling Terraform variable files with placeholder RDS and DynamoDB ARNs during module scaffolding
- •Writing CloudFormation templates that reference SNS topic or SQS queue ARNs in a local dev stack
- •Generating safe ARN examples for public GitHub READMEs and internal AWS onboarding runbooks
Tips
- →Generate S3 ARNs separately from other services — S3 omits region and account-id, so mixing them in a policy array will look inconsistent.
- →When writing IAM resource arrays, generate one ARN per logical resource type to make your policy examples more realistic and easier to teach from.
- →Paste generated ARNs into cfn-lint or a JSON schema validator for your policy format before sharing — confirms structural correctness quickly.
- →For unit tests, store generated ARNs in a dedicated fixtures file and import them, rather than inlining them in each test, so swapping them out later is trivial.
- →Combine this generator with a mock account-ID list to simulate cross-account trust policies where the principal ARN must be from a different account than the resource ARN.
- →Avoid reusing the same fake ARN across multiple unrelated documents — regenerate fresh ones each time to prevent readers assuming a specific value is canonical.
FAQ
will fake ARNs pass aws iam simulate-policy or cfn-lint without errors
Yes, for both. The simulate-policy API checks permission logic against ARN structure, not whether the resource actually exists — so a correctly formatted fake ARN produces accurate Allow/Deny results. cfn-lint and terraform validate perform structural checks only, so fake ARNs pass lint-time cleanly.
is it safe to paste generated ARNs into public repos or blog posts
Yes. The account IDs and resource names are randomly generated and correspond to no real AWS account. Real ARNs copied from a live environment expose your 12-digit account ID, which gives attackers a starting point for reconnaissance. These fake ARNs carry none of that risk.
do different AWS services use different ARN formats
Yes, sometimes significantly. S3 bucket ARNs omit both region and account-id — arn:aws:s3:::my-bucket — while Lambda and RDS ARNs include both fields. IAM ARNs add a path segment before the resource name, and EC2 ARNs use resource-type prefixes like instance/. This generator applies the correct structural pattern for whichever service you select.
which services does the generator support
The generator supports S3, Lambda, IAM, DynamoDB, SNS, SQS, EC2, and RDS. Each service produces the ARN format AWS actually uses for that resource type. Services not in this list — such as EKS, CloudFront, or Kinesis — are not supported.
You might also like
Popular tools from other categories that share themes with this one.
Try these next
More free tools from other corners of the catalog, picked by shared themes.