Creating, editing, and removing cross-account attachments in AWS Global Accelerator - AWS Global Accelerator

To allow someone in another account to add one of your resources as an endpoint, or to use one of your BYOIP address ranges, for their accelerator, you, as the resource owner, must create a cross-account attachment in Global Accelerator. In the attachment you list the principals (AWS accounts, specific accelerators, or both) that are allowed to add resources, together with the specific resources those principals may add. An accelerator ARN is the narrower grant: it permits only that one accelerator. An account ID permits any accelerator in that account, so prefer accelerator ARNs unless you really intend to share with the whole account.

Note that you can only list resources that you own in a cross-account attachment. The resource must be allocated or provisioned in your own AWS account; you cannot list a resource that was merely shared with you, such as a shared subnet.

Follow the steps in this section to add, edit, or delete a cross-account attachment using the Global Accelerator console.

To create a cross-account attachment

  1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

  2. Choose Create cross-account attachment.

  3. On the Create cross-account attachment page, enter a name for the attachment.

  4. Add the AWS accounts or the ARNs for the accelerators, or both, that you want to allow to add your resources.

  5. Select the resources that you want to allow the principals to use. For example, to add resources that can be added as endpoints, for each resource choose an AWS Region, and then, from the drop-down menus, select an endpoint type (resource type) and the endpoint (resource) to add.

  6. Choose Create attachment.
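The same attachment can be created with the API instead of the console. The following is an added example, not AWS code, that assembles and sanity-checks the request for CreateCrossAccountAttachment offline. It assumes the API's parameter names (Name, Principals, Resources, IdempotencyToken) and Resource keys (EndpointId, Region, Cidr); the account-ID, accelerator-ARN and Region patterns, the rule that an endpoint needs a Region while a CIDR must not carry one, and the sample account IDs, ARNs and CIDR are this example's own.

```python
"""Build and sanity-check a CreateCrossAccountAttachment request offline.

Added example, not AWS code. Parameter and key names follow the Global
Accelerator API as assumed in the lead-in; the format checks are our own.
"""
import ipaddress
import re
import uuid

# Principal formats the console accepts: a 12-digit AWS account ID, or an
# accelerator ARN. The ARN pattern is this example's own approximation.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ACCELERATOR_ARN_RE = re.compile(
    r"^arn:aws:globalaccelerator::\d{12}:accelerator/[A-Za-z0-9-]+$"
)
# Loose shape check for Region names such as us-west-2 or us-gov-east-1.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def classify_principal(principal):
    """Return 'account' or 'accelerator'; raise ValueError for anything else."""
    if ACCOUNT_ID_RE.match(principal):
        return "account"
    if ACCELERATOR_ARN_RE.match(principal):
        return "accelerator"
    raise ValueError(f"not an account ID or accelerator ARN: {principal!r}")


def validate_resource(resource):
    """Normalise one Resource entry or raise ValueError.

    A resource is either a shared endpoint (EndpointId plus the Region it lives
    in) or a BYOIP address range (Cidr, no Region); never both, never neither.
    """
    endpoint_id = resource.get("EndpointId")
    cidr = resource.get("Cidr")
    region = resource.get("Region")
    if bool(endpoint_id) == bool(cidr):
        raise ValueError("resource needs exactly one of EndpointId or Cidr")
    if endpoint_id:
        if not region or not REGION_RE.match(region):
            raise ValueError(f"endpoint {endpoint_id!r} needs a valid Region")
        return {"EndpointId": endpoint_id, "Region": region}
    if region:
        raise ValueError("Region does not apply to a CIDR resource")
    # strict=True rejects a CIDR with host bits set (e.g. 198.51.100.1/24).
    return {"Cidr": str(ipaddress.ip_network(cidr, strict=True))}


def build_attachment_request(name, principals, resources, idempotency_token=None):
    """Assemble the keyword arguments for create_cross_account_attachment."""
    if not name or not principals or not resources:
        raise ValueError("a name, one or more principals and one or more resources are required")
    if len(set(principals)) != len(principals):
        raise ValueError("duplicate principal")
    for principal in principals:
        classify_principal(principal)
    return {
        "Name": name,
        "Principals": list(principals),
        "Resources": [validate_resource(r) for r in resources],
        "IdempotencyToken": idempotency_token or str(uuid.uuid4()),
    }


def account_wide_principals(request):
    """Principals that admit every accelerator in an account, not just one."""
    return [p for p in request["Principals"] if classify_principal(p) == "account"]


if __name__ == "__main__":
    import json
    # Constructed sample: a shared NLB plus a BYOIP range, offered to one whole
    # account and to one specific accelerator in a second account.
    request = build_attachment_request(
        name="shared-edge-resources",
        principals=[
            "444455556666",
            "arn:aws:globalaccelerator::777788889999:accelerator/1234abcd-abcd-1234-abcd-1234abcdefgh",
        ],
        resources=[
            {"EndpointId": "arn:aws:elasticloadbalancing:us-west-2:111122223333:loadbalancer/net/shared/50dc6c495c0c9188",
             "Region": "us-west-2"},
            {"Cidr": "198.51.100.0/24"},
        ],
    )
    print(json.dumps(request, indent=2))
    for principal in account_wide_principals(request):
        print(f"note: {principal} is an account-wide grant; use an accelerator ARN if one suffices")
```

The returned dictionary can be passed as keyword arguments to boto3's `globalaccelerator` client method `create_cross_account_attachment`, or written out as JSON for `aws globalaccelerator create-cross-account-attachment --cli-input-json`. The account-wide check is the review step worth keeping in automation: an account principal quietly widens the grant to every accelerator that account creates later.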

You can edit a cross-account attachment to add or remove principals or resources, or to rename it, and you can delete the attachment entirely.

Be aware of the following when you remove principals or resources, or delete an attachment:

  • Shared IP addresses (BYOIP CIDRs) are not released automatically the way endpoints are. You cannot remove a CIDR, or remove a principal's authorization to use a CIDR, from an attachment while any accelerator is still using IP addresses from that CIDR. The principal must first remove the shared IP addresses from every accelerator that uses them; only then can you remove the principal, or the CIDRs, from the attachment.

  • If you remove a principal from a cross-account attachment that allows it to add one or more shared endpoints, Global Accelerator removes those endpoints from every accelerator of that principal where they were added on the basis of this attachment.

  • If you remove an endpoint resource from a cross-account attachment, Global Accelerator removes the cross-account endpoint from any accelerator where it was added as an endpoint based on the permissions in the attachment.

  • If you delete a cross-account attachment, Global Accelerator removes all cross-account endpoints listed in the attachment from all accelerators where the resources were added as endpoints based on the permissions in the attachment.

  • If there are multiple cross-account attachments that include a principal, or that include a resource, Global Accelerator continues to allow the access that any existing attachment provides. So, for example, if you remove a principal from one attachment but the principal still has permission to access a resource that's granted by a second attachment, Global Accelerator continues to allow the principal access to the cross-account resource.
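Because access is the union of every attachment that lists a principal, removing a principal or resource from one attachment, or deleting it, does not necessarily revoke anything. The following added example, not AWS code, predicts what a change revokes for a given accelerator before you make it. It assumes the attachment shape returned by DescribeCrossAccountAttachment (AttachmentArn, Principals, Resources with EndpointId and Region or Cidr) and that an account-ID principal covers every accelerator whose ARN carries that account; the two sample attachments, account IDs, ARNs and CIDR are constructed. It does not model the separate rule that a CIDR in use must be released first; the service enforces that itself.

```python
"""Predict what an attachment edit or delete revokes for one accelerator.

Added example, not AWS code. Attachment records are assumed to have the
DescribeCrossAccountAttachment shape; the sample data below is constructed.
"""
from collections import defaultdict


def resource_key(resource):
    """Identity of a shared resource: its CIDR, or its Region-qualified endpoint ID."""
    if "Cidr" in resource:
        return resource["Cidr"]
    return f"{resource['Region']}:{resource['EndpointId']}"


def principal_covers(principal, accelerator_arn):
    """A principal entry covers an accelerator if it is that accelerator's ARN or
    the 12-digit ID of the account that owns it (field 4 of the ARN)."""
    return principal == accelerator_arn or principal == accelerator_arn.split(":")[4]


def grants_for(attachments, accelerator_arn):
    """Map resource_key -> set of attachment ARNs that let this accelerator use it."""
    grants = defaultdict(set)
    for att in attachments:
        if any(principal_covers(p, accelerator_arn) for p in att["Principals"]):
            for res in att["Resources"]:
                grants[resource_key(res)].add(att["AttachmentArn"])
    return dict(grants)


def apply_change(attachments, attachment_arn, remove_principals=(), remove_resources=(), delete=False):
    """Copy of the attachment list after removing principals or resource keys
    from one attachment (an update), or dropping it altogether (a delete)."""
    changed = []
    for att in attachments:
        if att["AttachmentArn"] != attachment_arn:
            changed.append(att)
        elif not delete:
            changed.append({
                **att,
                "Principals": [p for p in att["Principals"] if p not in remove_principals],
                "Resources": [r for r in att["Resources"] if resource_key(r) not in remove_resources],
            })
    return changed


def revocation_report(attachments, accelerator_arn, attachment_arn, **change):
    """Return (revoked, retained): resource keys the change takes away from the
    accelerator, and those it keeps, with the attachments that still grant them."""
    before = grants_for(attachments, accelerator_arn)
    after = grants_for(apply_change(attachments, attachment_arn, **change), accelerator_arn)
    revoked = sorted(k for k in before if k not in after)
    retained = {k: sorted(after[k]) for k in before if k in after}
    return revoked, retained


# Constructed sample: the owner shares an NLB and a BYOIP range with a whole
# consumer account in one attachment, and the same NLB with one specific
# accelerator in that account in a second attachment.
OWNER = "111122223333"
CONSUMER_ACCOUNT = "444455556666"
ACCEL = f"arn:aws:globalaccelerator::{CONSUMER_ACCOUNT}:accelerator/1234abcd-abcd-1234-abcd-1234abcdefgh"
NLB = {"EndpointId": f"arn:aws:elasticloadbalancing:us-west-2:{OWNER}:loadbalancer/net/shared/50dc6c495c0c9188",
       "Region": "us-west-2"}
BYOIP = {"Cidr": "198.51.100.0/24"}
ATT_ACCOUNT = f"arn:aws:globalaccelerator::{OWNER}:attachment/aaaaaaaa-0000-0000-0000-000000000001"
ATT_ACCEL = f"arn:aws:globalaccelerator::{OWNER}:attachment/bbbbbbbb-0000-0000-0000-000000000002"
ATTACHMENTS = [
    {"AttachmentArn": ATT_ACCOUNT, "Name": "team-b-account", "Principals": [CONSUMER_ACCOUNT], "Resources": [NLB, BYOIP]},
    {"AttachmentArn": ATT_ACCEL, "Name": "team-b-one-accelerator", "Principals": [ACCEL], "Resources": [NLB]},
]

if __name__ == "__main__":
    # Removing the account from the first attachment revokes the BYOIP range,
    # but the NLB stays usable because the second attachment still grants it.
    revoked, retained = revocation_report(ATTACHMENTS, ACCEL, ATT_ACCOUNT, remove_principals=[CONSUMER_ACCOUNT])
    print("revoked:", revoked)
    print("still granted:", retained)
```

Run this over the output of ListCrossAccountAttachments for your account before approving a removal request; if `retained` is non-empty for the resource you meant to revoke, the second attachment it names also has to change.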

To edit a cross-account attachment

  1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

  2. Choose Cross-account attachments.

  3. Choose a cross-account attachment to update, and then choose Edit.

  4. Modify the attachment to make the desired changes. For example, you can add or remove principals, rename the attachment, or add or remove resources.

  5. Choose Save changes.

To delete a cross-account attachment

  1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

  2. Choose Cross-account attachments.

  3. Choose a cross-account attachment, and then choose Delete.

  4. In the dialog box, type delete in the text box to confirm that you want to delete the cross-account attachment.

  5. Choose Delete.