What does the AWS ARN (Amazon Resource Name) regex match?

Matches an AWS ARN with all standard components: partition, service, region, account, and resource.

Is the AWS ARN (Amazon Resource Name) regex ReDoS-safe?

Yes. Manually audited and tested against ReDoS attack strings. Anchors and possessive-style constraints prevent runaway backtracking paths.

Dev & Systems/Environment

Verified Safe

AWS ARN (Amazon Resource Name) Regex for Java

/^arn:(?:aws|aws-cn|aws-us-gov|aws-iso(?:-[a-z])?):([a-z0-9\-]+):([a-z0-9\-]*):([0-9]{12}|):([a-zA-Z0-9\-_/:.]+)$/

What this pattern does

This page provides a comprehensive, battle-tested regular expression for matching aws arn (amazon resource name), ported and verified for Java. A rigorously tested regex reduces debugging time and protects your application from edge-case failures. The snippet below is ready to drop into your Java project — whether you're validating in a Spring Boot controller, a Jakarta EE service, or a standalone utility class.

Java Implementation

Java

// AWS ARN (Amazon Resource Name)
// ReDoS-safe | RegexVault — Dev & Systems > Environment

import java.util.regex.Pattern;

public class AwsArnAmazonResourceNameValidator {
    private static final Pattern PATTERN =
        Pattern.compile("^arn:(?:aws|aws-cn|aws-us-gov|aws-iso(?:-[a-z])?):([a-z0-9\\-]+):([a-z0-9\\-]*):([0-9]{12}|):([a-zA-Z0-9\\-_/:.]+)$");

    public static boolean validate(String input) {
        return PATTERN.matcher(input).matches();
    }

    // Example
    public static void main(String[] args) {
        System.out.println(validate("arn:aws:s3:::my-bucket")); // true
    }
}

Test Cases

Matches (Valid)	Rejects (Invalid)
`arn:aws:s3:::my-bucket`	`arn:aws:s3`
`arn:aws:iam::123456789012:user/john`	`not:an:arn`
`arn:aws:lambda:us-east-1:123456789012:function:my-function`	`arn:azure:s3:::bucket`
`arn:aws-cn:s3:::china-bucket`	`arn::s3:::bucket`
`arn:aws:sts::123456789012:assumed-role/MyRole/session`	—

When to use this pattern

This pattern is drawn from the Dev & Systems > Environment category and carries a ReDoS-safe certification. That matters for Java developers because critical in Java applications since the JVM regex engine uses backtracking and is susceptible to ReDoS without careful pattern design. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

S3 bucket ARNs (arn:aws:s3:::bucket) have empty region and account fields. IAM ARNs include account but no region. Always check the specific service ARN format in AWS documentation.

Technical Notes

Groups: 1=service, 2=region (empty for IAM/S3), 3=account ID (empty for some services), 4=resource. S3 ARNs omit region and account. IAM ARNs include account but not region. Lambda ARNs include both.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern