AWS RAM permissions

AWS RAM permissions are policy fragments used by AWS RAM. They control which actions principals are allowed to perform on resources that are shared with them. AWS RAM permissions are used to generate the resource-based policies that are attached to shared resources.

AWS RAM includes default AWS-managed permissions for each supported shareable resource type. These managed permissions are created and managed by AWS, and they define the allowed actions for each shareable resource type. For more information about the default AWS-managed permissions, see AWS-managed permissions.

How AWS RAM permissions work

When you create a resource share, AWS RAM automatically attaches the default permission for each associated resource type to the resource share. For example, if you create a resource share and associate a subnet and a Capacity Reservation, AWS RAM automatically attaches the subnet and Capacity Reservation permissions to the resource share.

After the resource share has been created, the permissions are provided to the respective resource-owning services. The resource-owning service uses the provided permissions to create resource-based policies for each of the resources included in the resource share. The resulting resource-based policies created by the resource-owning service include the following elements:

• Resource—The resource included in the resource share.

• Effect—The effect of the AWS RAM permission. Always allow.

• Principal—The ARNs of the principals associated with the resource share.

• Action—The standard actions defined in the AWS RAM permission.

The resource-based policies are attached to the shared resources. They allow the specified principals to perform the allowed actions on the resource.

AWS-managed permissions

AWS RAM provides the following default AWS-managed permissions:

Contents

• AWS App Mesh
• Amazon Aurora
• AWS Certificate Manager Private Certificate Authority
• AWS CodeBuild
• Amazon EC2
• Amazon EC2 Image Builder
• AWS Glue
• AWS License Manager
• AWS Network Firewall
• AWS Outposts
• AWS Resource Groups
• Amazon Route 53
• Amazon VPC

AWS App Mesh

AWS RAM provides the following default AWS-managed permissions for shareable AWS App Mesh resources.

Resource type	Permission name and ARN	Effect	Actions
appmesh:Mesh	Name: AWSRAMDefaultPermissionAppMesh ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAppMesh	Allow	appmesh:CreateVirtualNode appmesh:CreateVirtualRouter appmesh:CreateRoute appmesh:CreateVirtualService appmesh:UpdateVirtualNode appmesh:UpdateVirtualRouter appmesh:UpdateRoute appmesh:UpdateVirtualService appmesh:ListVirtualNodes appmesh:ListVirtualRouters appmesh:ListRoutes appmesh:ListVirtualServices appmesh:DescribeVirtualNode appmesh:DescribeVirtualRouter appmesh:DescribeRoute appmesh:DescribeVirtualService appmesh:DeleteVirtualNode appmesh:DeleteVirtualRouter appmesh:DeleteRoute appmesh:DeleteVirtualService

Amazon Aurora

AWS RAM provides the following default AWS-managed permissions for shareable Amazon Aurora resources.

Resource type	Permission name and ARN	Effect	Actions
rds:Cluster	Name: AWSRAMDefaultPermissionRDSCluster ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionRDSCluster	Allow	rds:RestoreDbClusterToPointInTime rds:DescribeDbClusters

AWS Certificate Manager Private Certificate Authority

AWS RAM provides the following default AWS-managed permissions for shareable ACM Private CA resources.

Resource type	Permission name and ARN	Effect	Actions
acm-pca:CertificateAuthority	Name: AWSRAMDefaultPermissionCertificateAuthority ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCertificateAuthority	Allow	acm-pca:IssueCertificate acm-pca:DescribeCertificateAuthority acm-pca:GetCertificate acm-pca:GetCertificateAuthorityCertificate acm-pca:ListPermissions acm-pca:ListTags

AWS CodeBuild

AWS RAM provides the following default AWS-managed permissions for shareable AWS CodeBuild resources.

Resource type	Permission name and ARN	Effect	Actions
codebuild:Project	Name: AWSRAMDefaultPermissionCodeBuildProject ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildProject	Allow	codebuild:BatchGetBuilds codebuild:BatchGetProjects codebuild:ListBuildsForProject
codebuild:ReportGroup	Name: AWSRAMDefaultPermissionCodeBuildReportGroup ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildReportGroup	Allow	codebuild:BatchGetReports codebuild:BatchGetReportGroups codebuild:ListReportsForReportGroup codebuild:DescribeTestCases

Amazon EC2

AWS RAM provides the following default AWS-managed permissions for shareable Amazon EC2 resources.

Resource type	Permission name and ARN	Effect	Actions
ec2:CapacityReservation	Name: AWSRAMDefaultPermissionCapacityReservation ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCapacityReservation	Allow	ec2:RunInstance ec2:DescribeCapacityReservations
ec2:DedicatedHost	Name: AWSRAMDefaultPermissionDedicatedHost ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionDedicatedHost	Allow	ec2:RunInstances ec2:StartInstances ec2:DescribeHosts ec2:ModifyInstancePlacement

Amazon EC2 Image Builder

AWS RAM provides the following default AWS-managed permissions for shareable Amazon EC2 Image Builder resources.

Resource type	Permission name and ARN	Effect	Actions
imagebuilder:Component	Name: AWSRAMDefaultPermissionImageBuilderComponent ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderComponent	Allow	imagebuilder:GetComponent imagebuilder:ListComponents
imagebuilder:Image	Name: AWSRAMDefaultPermissionImageBuilderImage ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderImage	Allow	imagebuilder:GetImage imagebuilder:ListImages
imagebuilder:ImageRecipe	Name: AWSRAMDefaultPermissionImageBuilderImageRecipe ARN: arn:aws:ram::aws:permission/imagebuilder:AWSRAMDefaultPermissionImageBuilderImageRecipe	Allow	imagebuilder:GetImageRecipe imagebuilder:ListImageRecipes

AWS Glue

AWS RAM provides the following default AWS-managed permissions for shareable AWS Glue resources.

Resource type	Permission name and ARN	Effect	Actions
glue:Catalog	Name: AWSRAMDefaultPermissionGlueCatalog ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueCatalog	Allow	glue:GetTable glue:GetTableVersion glue:GetTableVersions glue:GetPartition glue:GetPartitions glue:BatchGetPartition glue:GetDatabase glue:GetTables glue:GetDatabases glue:SearchTables
glue:Database	Name: AWSRAMDefaultPermissionGlueDatabase ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueDatabase	Allow	glue:GetTable glue:GetTableVersion glue:GetTableVersions glue:GetPartition glue:GetPartitions glue:BatchGetPartition glue:GetDatabase glue:GetDatabases glue:GetTables glue:SearchTables
glue:Table	Name: AWSRAMDefaultPermissionGlueTable ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueTable	Allow	glue:GetTable glue:GetTableVersion glue:GetTableVersions glue:GetPartition glue:GetPartitions glue:BatchGetPartition glue:SearchTables

AWS License Manager

AWS RAM provides the following default AWS-managed permissions for shareable AWS License Manager resources.

Resource type	Permission name and ARN	Effect	Actions
license-manager:LicenseConfiguration	Name: AWSRAMDefaultPermissionLicenseConfiguration ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLicenseConfiguration	Allow	license-manager:GetLicenseConfiguration license-manager:ListLicenseConfigurations license-manager:ListAssociationsForLicenseConfiguration license-manager:ListUsageForLicenseConfiguration

AWS Network Firewall

AWS RAM provides the following default AWS-managed permissions for shareable AWS Network Firewall resources.

Resource type	Permission name and ARN	Effect	Actions
network-firewall:FirewallPolicy	Name: AWSRAMDefaultPermissionNetworkFirewallPolicy ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallPolicy	Allow	network-firewall:CreateFirewall network-firewall:UpdateFirewall network-firewall:AssociateFirewallPolicy network-firewall:ListFirewallPolicies
network-firewall:StatefulRuleGroup	Name: AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup	Allow	network-firewall:CreateFirewallPolicy network-firewall:UpdateFirewallPolicy network-firewall:ListRuleGroups
network-firewall:StatelessRuleGroup	Name: AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup	Allow	network-firewall:CreateFirewallPolicy network-firewall:UpdateFirewallPolicy network-firewall:ListRuleGroups

AWS Outposts

AWS RAM provides the following default AWS-managed permissions for shareable AWS Outposts resources.

Note

For the default AWS-managed permissions for shared subnets and local gateway route tables on Outposts, see Subnets and local gateway route tables.

Resource type	Permission name and ARN	Effect	Actions
outposts:Outpost	Name: AWSRAMDefaultPermissionOutpostsOutpost ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionOutpostsOutpost	Allow	outposts:GetOutpost outposts:GetOutpostInstanceTypes outposts:ListOutposts

AWS Resource Groups

AWS RAM provides the following default AWS-managed permissions for shareable AWS Resource Groups resources.

Resource type	Permission name and ARN	Effect	Actions
resource-groups:Group	Name: AWSRAMDefaultPermissionResourceGroup ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResourceGroup	Allow	resource-groups:GetGroup resource-groups:GetGroupConfiguration resource-groups:ListGroupResources

Amazon Route 53

AWS RAM provides the following default AWS-managed permissions for shareable Amazon Route 53 resources.

Resource type	Permission name and ARN	Effect	Actions
route53resolver:ResolverRule	Name: AWSRAMDefaultPermissionResolverRule ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverRule	Allow	route53resolver:GetResolverRule route53resolver:AssociateResolverRule route53resolver:DisassociateResolverRule route53resolver:ListResolverRules route53resolver:ListResolverRuleAssociations
route53resolver:ResolverQueryLogConfig	Name: AWSRAMDefaultPermissionResolverQueryLogConfig ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverQueryLogConfig	Allow	route53resolver:AssociateResolverQueryLogConfig route53resolver:DisassociateResolverQueryLogConfig route53resolver:ListResolverQueryLogConfigs

Amazon VPC

AWS RAM provides the following default AWS-managed permissions for shareable Amazon VPC resources.

Resource type	Permission name and ARN	Effect	Actions
ec2:PrefixList	Name: AWSRAMDefaultPermissionPrefixList ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionPrefixList	Allow	ec2:DescribeManagedPrefixLists ec2:GetManagedPrefixListEntries
ec2:Subnet	Name: AWSRAMDefaultPermissionSubnet ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet	Allow	ec2:RunInstances ec2:CreateNetworkInterface ec2:DescribeSubnets
ec2:TrafficMirrorTarget	Name: AWSRAMDefaultPermissionTrafficMirror ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTrafficMirror	Allow	ec2:DescribeTrafficMirrorTargets ec2:CreateTrafficMirrorSession ec2:DeleteTrafficMirrorSession ec2:DescribeTrafficMirrorSessions
ec2:TransitGateway	Name: AWSRAMDefaultPermissionTransitGateway ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTransitGateway	Allow	ec2:DescribeTransitGateways ec2:CreateTransitGatewayVpcAttachment ec2:ModifyTransitGatewayVpcAttachment ec2:DeleteTransitGatewayVpcAttachment
ec2:LocalGatewayRouteTable	Name: AWSRAMDefaultPermissionLocalGateway ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLocalGateway	Allow	ec2:CreateLocalGatewayRouteTableVpcAssociation ec2:DeleteLocalGatewayRouteTableVpcAssociation ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations ec2:DescribeLocalGatewayRouteTableVpcAssociations ec2:DescribeLocalGatewayRouteTables ec2:DescribeLocalGatewayVirtualInterfaceGroups ec2:DescribeLocalGatewayVirtualInterfaces ec2:DescribeLocalGateways ec2:SearchTransitGatewayRoutes