Sharing your AWS resources - AWS Resource Access Manager
Enable sharing with AWS OrganizationsCreate a resource share

Sharing your AWS resources

To start sharing a resource that you own using AWS RAM, do the following:

Note

Some resources have special considerations and prerequisites for sharing. For more information, see Shareable AWS resources.

Enable sharing with AWS Organizations

If you would like to share resources with your organization or organizational units, then you must use the AWS RAM console or CLI command to enable sharing with AWS Organizations. When you share resources within your organization, AWS RAM does not send invitations to principals. Principals in your organization get access to shared resources without exchanging invitations.

If you no longer need to share resources with your entire organization or organizational units, you can disable sharing. For more information, see Disabling resource sharing with AWS Organizations.

Requirements

  • Only the management account can enable sharing with AWS Organizations.

  • The organization must be enabled for all features. For more information, see Enabling All Features in Your Organization in the AWS Organizations User Guide.

Important

  • If you do not enable sharing with AWS Organizations, you cannot share resources with your organization or organizational units within your organization. However, you can still share resources with individual AWS accounts in your organization. In this case, the accounts are treated as external principals. They receive an invitation to join the resource share, and they must accept the invitation to get access to the shared resources.

  • You must enable sharing with AWS Organizations using the AWS RAM console or the enable-sharing-with-aws-organization AWS CLI command. This ensures that the AWSServiceRoleForResourceAccessManager service-linked role is created. If you enable trusted access with AWS Organizations using the AWS Organizations console or the enable-aws-service-access AWS CLI command, the AWSServiceRoleForResourceAccessManager service-linked role is not created, and you will not be able to share resources within your organization.

To enable sharing with AWS Organizations using the console

  1. Open the Settings page of AWS RAM console at https://console.aws.amazon.com/ram/home#Settings.

  2. Choose Enable sharing with AWS Organizations.

To enable sharing with AWS Organizations using the AWS CLI

Use the enable-sharing-with-aws-organization command.

This command can be used in any region, and it enables sharing with AWS Organizations in all regions in which AWS RAM is supported.

Create a resource share

To share resources that you own, create a resource share, add the resources to share, and specify the principals with whom they are to be shared.

Considerations

  • You can share a resource only if you own it. You can't share a resource that is shared with you.

  • If you are part of an organization in AWS Organizations and sharing within your organization is enabled, principals in your organization are automatically granted access to the shared resources. Otherwise, principals receive an invitation to join the resource share and are granted access to the shared resources after accepting the invitation.

  • After you add an organization to a resource share, changes to the OU or organization affect the resource share. For example, if you add a new account to the organization, it has access to the shared resources.

  • You can't add the following to a resource share as principals: IAM users, IAM roles, or OUs or organizations outside your organization in AWS Organizations.

To create a resource share using the console

  1. Open the AWS RAM console at https://console.aws.amazon.com/ram.

  2. If you are new to AWS RAM, choose Create a resource share from the home page. Otherwise, choose Create resource share from the Resource shares page.

  3. Under Description, for Name, type a descriptive name for the resource share.

  4. (Optional) Under Resources, select resources to add to the resource share as follows:

    1. For Select resource type, select the type of resource. This filters the list of shareable resources to resources of the selected type.

    2. Select the check boxes next to the resources. The selected resources are moved under Selected resources.

      If you are sharing zonal resources, using the Availability Zone ID (AZ ID) helps you determine the relative location of these resources across accounts. For more information, see AZ IDs for your AWS resources.

  5. (Optional) Under Principals, do the following:

    1. By default, you can share resources with any AWS account. To restrict resource sharing to your organization in AWS Organizations, clear Allow external accounts.

    2. For each principal, specify its ID and choose Add:

      • To add an AWS account, type the 12-digit account ID. For example, 123456789012.

      • To add an OU, type the ID of the OU. For example, ou-abcd1234-mnop5678qrst9098uv76.

      • To add your entire organization, type the ID of the organization. For example, o-abcd1234efgh5678.

  6. (Optional) Under Tags, type a tag key and tag value. To add another tag, choose Add tag and type a tag key and tag value pair. These tags are not applied to the resources included in the resource share.

  7. Choose Create resource share.

    It can take a few minutes for the resource and principal associations to complete. Allow this process to complete before attempting to use the resource share.

  8. You can add and remove resources and principals or apply custom tags to your resource share at any time. You can delete your resource share when you no longer want to share the resources. For more information, see Sharing AWS resources owned by you.

To create a resource share using the AWS CLI

Use the create-resource-share command.