Sharing your AWS resources
To share a resource that you own by using AWS RAM, you optionally enable sharing with AWS Organizations and then create a resource share, as described in the following sections. Keep the following in mind:
- Sharing a resource makes it available for use by principals outside of the AWS account that created the resource. Sharing doesn't change any permissions or quotas that apply to the resource in the account that created it.
- AWS RAM is a Regional service. The principals that you share with can access resource shares only in the AWS Regions in which those shares were created.
- Some resources have special considerations and prerequisites for sharing. For more information, see Shareable AWS resources.
Enable resource sharing within AWS Organizations
When your account is managed by AWS Organizations, you can share resources more easily. With or without Organizations, a user can share with individual accounts. If your account is in an organization, you can also share with all accounts in the organization or in an organizational unit (OU) without having to enumerate each account.
To share resources within an organization, you must first enable sharing with AWS Organizations by using the AWS RAM console or the AWS Command Line Interface (AWS CLI). When you share resources in your organization, AWS RAM doesn't send invitations to principals. Principals in your organization gain access to shared resources without exchanging invitations.
When you enable resource sharing within your organization, AWS RAM creates a service-linked role called AWSServiceRoleForResourceAccessManager. This role can be assumed only by the AWS RAM service, and it grants AWS RAM permission to retrieve information about the organization that the account is a member of, by using the AWS managed policy AWSResourceAccessManagerServiceRolePolicy.
If you no longer need to share resources with your entire organization or OUs, you can disable resource sharing. For more information, see Disabling resource sharing with AWS Organizations.
Minimum permissions
To run the procedures below, you must have the following permissions:
- ram:EnableSharingWithAwsOrganization
- iam:CreateServiceLinkedRole
- organizations:DescribeOrganization
Requirements
- You can perform these steps only while signed in as a principal in the organization's management account.
- The organization must have all features enabled. For more information, see Enabling all features in your organization in the AWS Organizations User Guide.
You must enable sharing with AWS Organizations by using the AWS RAM console or the enable-sharing-with-aws-organization AWS CLI command. This ensures that the AWSServiceRoleForResourceAccessManager service-linked role is created. If you instead enable trusted access for AWS RAM by using the AWS Organizations console or the enable-aws-service-access AWS CLI command, the AWSServiceRoleForResourceAccessManager service-linked role isn't created, and you can't share resources within your organization. Whether that service-linked role exists in the management account is therefore the quickest way to tell which path was taken.
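The following script is an added example, not part of the AWS documentation: it enables sharing with AWS Organizations through AWS RAM (the path that creates the service-linked role), after first checking the two requirements above, and then verifies that the AWSServiceRoleForResourceAccessManager role exists and that ram.amazonaws.com is listed as a trusted service. It assumes AWS CLI v2 configured with management-account credentials; the AWS=echo convention for dry runs is the script's own, not an AWS CLI feature.

```shell
# enable_ram_org_sharing.sh (added example, not from the AWS documentation).
# Enables AWS RAM sharing with AWS Organizations through AWS RAM, which is the
# path that creates the service-linked role, and then verifies the result.
# Assumptions: AWS CLI v2 configured with management-account credentials;
# set AWS=echo to print the commands instead of running them (dry run).
set -eu
: "${AWS:=aws}"

SLR_NAME="AWSServiceRoleForResourceAccessManager"
RAM_SERVICE_PRINCIPAL="ram.amazonaws.com"

# Preconditions from the page: caller is in the management account and the
# organization has all features enabled.
preflight() {
  caller=$($AWS sts get-caller-identity --query Account --output text)
  mgmt=$($AWS organizations describe-organization \
    --query Organization.MasterAccountId --output text)
  features=$($AWS organizations describe-organization \
    --query Organization.FeatureSet --output text)
  if [ "$caller" != "$mgmt" ]; then
    echo "account $caller is not the management account ($mgmt)" >&2
    return 1
  fi
  if [ "$features" != "ALL" ]; then
    echo "organization FeatureSet is $features; ALL is required" >&2
    return 1
  fi
}

# The one call that creates the service-linked role. Needs
# ram:EnableSharingWithAwsOrganization, iam:CreateServiceLinkedRole and
# organizations:DescribeOrganization.
enable_org_sharing() {
  $AWS ram enable-sharing-with-aws-organization
}

# Check 1: the role must exist, or organization and OU principals won't work.
slr_exists() {
  $AWS iam get-role --role-name "$SLR_NAME" >/dev/null 2>&1
}

# Check 2: RAM should now be listed as a trusted service in Organizations.
ram_is_trusted_service() {
  $AWS organizations list-aws-service-access-for-organization \
    --query "EnabledServicePrincipals[?ServicePrincipal=='$RAM_SERVICE_PRINCIPAL'].ServicePrincipal" \
    --output text | grep -q "$RAM_SERVICE_PRINCIPAL"
}

main() {
  preflight
  enable_org_sharing
  if ! slr_exists; then
    echo "$SLR_NAME is missing: trusted access was probably enabled from the" \
         "Organizations side; run enable-sharing-with-aws-organization" >&2
    exit 1
  fi
  ram_is_trusted_service || { echo "$RAM_SERVICE_PRINCIPAL is not trusted" >&2; exit 1; }
  echo "AWS RAM sharing with AWS Organizations is enabled and verified"
}

# Run only when invoked as "sh enable_ram_org_sharing.sh run", so the
# functions can also be sourced into another script.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it once from the management account; if the role check fails even though the Organizations console shows AWS RAM as a trusted service, that is exactly the situation the paragraph above describes, and re-running enable-sharing-with-aws-organization from AWS RAM is the fix.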
Create a resource share
To share resources that you own, create a resource share. When you create a resource share, you do the following:
- Add the resources that you want to share.
- For each resource type that you include in the share, specify the permission to use for that resource type.
  - If only the default permission is available for a resource type, AWS RAM automatically associates that permission with the resource type, and there is no action for you.
  - If more than the default AWS RAM managed permission is available for a resource type, you must choose the permission to associate with that resource type.
- Specify the principals that you want to have access to the resources.
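The three steps above as one AWS CLI script, added here as an example and not taken from the AWS documentation. It looks up the managed permissions for the resource type, uses the default only when it is the sole option (otherwise it refuses and lists the choices, which is the case the second step describes), validates the principal form, creates the share, and then reads back the association status of each principal and resource. The share name, OU ARN and subnet ARN in the usage comment are placeholders; AWS=echo for dry runs is this script's own convention.

```shell
# create_ram_share.sh (added example, not from the AWS documentation).
# Creates a resource share for one resource type, choosing the RAM managed
# permission explicitly when more than the default exists, and then checks
# the association status of every principal and resource.
# Assumptions: AWS CLI v2 with owner-account credentials; ARNs passed in are
# placeholders; set AWS=echo to print the commands instead of running them.
set -eu
: "${AWS:=aws}"

# RAM resource-type identifier, e.g. ec2:Subnet or ec2:TransitGateway.
RESOURCE_TYPE="${RESOURCE_TYPE:-ec2:Subnet}"

# Number of managed permissions RAM offers for a type. One means the default
# is attached automatically; more than one means you have to choose.
permission_count() {
  $AWS ram list-permissions --resource-type "$1" \
    --query "length(permissions)" --output text
}

default_permission_arn() {
  $AWS ram list-permissions --resource-type "$1" \
    --query "permissions[?isResourceTypeDefault].arn | [0]" --output text
}

# Accept only principal forms RAM understands: organization, OU, 12-digit
# account ID, or an IAM user/role ARN.
validate_principal() {
  case "$1" in
    arn:aws:organizations::*:organization/o-*) return 0 ;;
    arn:aws:organizations::*:ou/o-*/ou-*) return 0 ;;
    arn:aws:iam::*:role/*|arn:aws:iam::*:user/*) return 0 ;;
    *)
      echo "$1" | grep -Eq '^[0-9]{12}$' && return 0
      echo "unrecognized principal: $1" >&2
      return 1 ;;
  esac
}

# create_share NAME PRINCIPAL PERMISSION_ARN RESOURCE_ARN...
# Defaults to --no-allow-external-principals so the share cannot later be
# associated with accounts outside the organization by mistake; set
# ALLOW_EXTERNAL=1 only when the principal really is external.
create_share() {
  name=$1; principal=$2; permission=$3; shift 3
  validate_principal "$principal"
  if [ "${ALLOW_EXTERNAL:-0}" = 1 ]; then
    scope=--allow-external-principals
  else
    scope=--no-allow-external-principals
  fi
  $AWS ram create-resource-share --name "$name" "$scope" \
    --permission-arns "$permission" \
    --principals "$principal" \
    --resource-arns "$@" \
    --query resourceShare.resourceShareArn --output text
}

# ASSOCIATED is the state you want; anything else needs a look before you
# assume the principal can see the resource.
show_associations() {
  for kind in PRINCIPAL RESOURCE; do
    $AWS ram get-resource-share-associations --association-type "$kind" \
      --resource-share-arns "$1" \
      --query "resourceShareAssociations[].[associationType,associatedEntity,status]" \
      --output text
  done
}

main() {
  : "${SHARE_NAME:?set SHARE_NAME}" "${PRINCIPAL:?set PRINCIPAL}"
  n=$(permission_count "$RESOURCE_TYPE")
  if [ -n "${PERMISSION_ARN:-}" ]; then
    permission=$PERMISSION_ARN
  elif [ "$n" = 1 ]; then
    permission=$(default_permission_arn "$RESOURCE_TYPE")
  else
    echo "$n permissions exist for $RESOURCE_TYPE; set PERMISSION_ARN to one of:" >&2
    $AWS ram list-permissions --resource-type "$RESOURCE_TYPE" \
      --query "permissions[].[arn,isResourceTypeDefault]" --output text >&2
    exit 1
  fi
  share_arn=$(create_share "$SHARE_NAME" "$PRINCIPAL" "$permission" "$@")
  echo "created $share_arn"
  show_associations "$share_arn"
}

# Usage (placeholder IDs):
#   SHARE_NAME=dev-subnets \
#   PRINCIPAL=arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-examplerootid111-exampleouid111 \
#   sh create_ram_share.sh run arn:aws:ec2:us-east-1:111122223333:subnet/subnet-0123456789abcdef0
if [ "${1:-}" = "run" ]; then
  shift
  main "$@"
fi
```

Keeping --no-allow-external-principals as the default is the one hardening choice here: a share that only ever targets the organization or an OU has no reason to accept a foreign account later, and RAM rejects such an association outright if the flag is left off.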
Considerations
- The resource types that you can include in a resource share are listed at Shareable AWS resources.
- You can share a resource only if you own it. You can't share a resource that's shared with you.
- AWS RAM is a Regional service. When you share a resource with principals in other AWS accounts, they must access each resource from the same AWS Region that it was created in. For supported global resources, you can access those resources from any AWS Region that's supported by that resource's service console and tools. Note that you can view such resource shares and their global resources in the AWS RAM console and tools only in the designated home Region, US East (N. Virginia), us-east-1. For more information about AWS RAM and global resources, see Sharing Regional resources compared to global resources.
- If the account you're sharing from is part of an organization in AWS Organizations and sharing within your organization is enabled, any principals in the organization that you share with are automatically granted access to the shared resources without the use of invitations. A principal in an account that you share with outside of the context of an organization receives an invitation to join the resource share and is granted access to the shared resources only after they accept the invitation.
- For the following resource types, you have seven days to accept the invitation to join the resource share. If you don't accept the invitation before it expires, the invitation is automatically declined.
  - Amazon Aurora – DB clusters
  - Amazon EC2 – capacity reservations and dedicated hosts
  - AWS License Manager – license configurations
  - AWS Outposts – local gateway route tables, outposts, and sites
  - Amazon Route 53 – forwarding rules
  - Amazon VPC – customer-owned IPv4 addresses, prefix lists, subnets, traffic mirror targets, transit gateways, and transit gateway multicast domains
  Important: For shared resource types not on the preceding list, you have 12 hours to accept the invitation to join the resource share. If you try to accept the invitation after 12 hours, AWS RAM fails to process the invitation, and the originating account must share the resources again to generate a new invitation.
- After you add an organization or an organizational unit (OU) to a resource share, changes to the accounts that are in the OU, or accounts that join or leave the organization, dynamically affect the resource share. For example, if you add a new account to an OU that has access to a resource share, the new member account automatically receives access to the shared resources.
- You can add only the organization that your account is a member of, and OUs from that organization, to your resource shares as principals. You can't add OUs or organizations from outside your own organization. However, you can add individual AWS accounts, IAM users, and IAM roles from outside your organization as principals to a resource share.
Note: Not all resource types can be shared with IAM roles and users. For information about resources that you can share with these principals, see Shareable AWS resources.
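The recipient side of the invitation flow described in the considerations above, as an added example that is not part of the AWS documentation. It lists invitations that are still PENDING (RAM marks the others EXPIRED, ACCEPTED or REJECTED, so filtering on status avoids the failed-accept case), accepts each one, and then lists what is now shared with the account. The seven-day list is the page's; the RAM resource-type identifiers used to encode it (ec2:Subnet, rds:Cluster and so on) are assumptions, to be checked against aws ram list-resource-types. AWS=echo for dry runs is again this script's own convention.

```shell
# accept_ram_invitations.sh (added example, not from the AWS documentation).
# Recipient-side handling of resource share invitations. Shares from inside
# an organization with org sharing enabled never appear here; this covers
# shares from outside the organization, or when org sharing is disabled.
# Assumptions: AWS CLI v2 with the recipient account's credentials; the
# resource-type identifiers below are assumed; set AWS=echo for a dry run.
set -eu
: "${AWS:=aws}"

# Hours a recipient has to accept, from the page's list: seven days for
# the listed types, 12 hours for everything else.
accept_window_hours() {
  case "$1" in
    rds:Cluster|ec2:CapacityReservation|ec2:DedicatedHost|\
    license-manager:LicenseConfiguration|\
    outposts:Outpost|outposts:Site|ec2:LocalGatewayRouteTable|\
    route53resolver:ResolverRule|\
    ec2:CoipPool|ec2:PrefixList|ec2:Subnet|ec2:TrafficMirrorTarget|\
    ec2:TransitGateway|ec2:TransitGatewayMulticastDomain)
      echo 168 ;;
    *)
      echo 12 ;;
  esac
}

# Only PENDING invitations can still be accepted; expired ones need the
# owner to share again.
pending_invitations() {
  $AWS ram get-resource-share-invitations \
    --query "resourceShareInvitations[?status=='PENDING'].[resourceShareInvitationArn,senderAccountId,resourceShareName]" \
    --output text
}

accept_invitation() {
  $AWS ram accept-resource-share-invitation \
    --resource-share-invitation-arn "$1" \
    --query resourceShareInvitation.status --output text
}

# What this account can now see, with the type so you know which window
# applied and whether the resource is usable yet (status AVAILABLE).
shared_with_me() {
  $AWS ram list-resources --resource-owner OTHER-ACCOUNTS \
    --query "resources[].[type,arn,status]" --output text
}

main() {
  pending_invitations | while read -r arn sender name; do
    [ -n "$arn" ] || continue
    echo "accepting '$name' from $sender"
    if status=$(accept_invitation "$arn"); then
      echo "$arn -> $status"
    else
      echo "accept failed for $arn (expired?); ask $sender to share again" >&2
    fi
  done
  shared_with_me | while read -r type arn status; do
    [ -n "$type" ] || continue
    echo "$type $arn $status (accept window for this type: $(accept_window_hours "$type")h)"
  done
}

if [ "${1:-}" = "run" ]; then
  main
fi
```

Because invitations for most resource types expire after 12 hours, this is worth running from a scheduled job or right after the owner confirms the share, rather than waiting for someone to notice the resource is missing.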