How AWS RAM permissions work AWS-managed permissions

AWS RAM permissions

AWS RAM permissions are policy fragments used by AWS RAM. They control which actions principals are allowed to perform on resources that are shared with them. AWS RAM permissions are used to generate the resource-based policies that are attached to shared resources.

AWS RAM includes default AWS-managed permissions for each supported shareable resource type. These managed permissions are created and managed by AWS, and they define the allowed actions for each shareable resource type. For more information about the default AWS-managed permissions, see AWS-managed permissions.

Topics

How AWS RAM permissions work
AWS-managed permissions

How AWS RAM permissions work

When you create a resource share, AWS RAM automatically attaches the default permission for each associated resource type to the resource share. For example, if you create a resource share and associate a subnet and a Capacity Reservation, AWS RAM automatically attaches the subnet and Capacity Reservation permissions to the resource share.

After the resource share has been created, the permissions are provided to the respective resource-owning services. The resource-owning service uses the provided permissions to create resource-based policies for each of the resources included in the resource share. The resulting resource-based policies created by the resource-owning service include the following elements:

Resource—The resource included in the resource share.
Effect—The effect of the AWS RAM permission. Always allow.
Principal—The ARNs of the principals associated with the resource share.
Action—The standard actions defined in the AWS RAM permission.

The resource-based policies are attached to the shared resources. They allow the specified principals to perform the allowed actions on the resource.

AWS-managed permissions

AWS RAM provides the following default AWS-managed permissions:

Contents

AWS App Mesh
Amazon Aurora
AWS Certificate Manager Private Certificate Authority
AWS CodeBuild
Amazon EC2
Amazon EC2 Image Builder
AWS Glue
AWS License Manager
AWS Network Firewall
AWS Outposts
AWS Resource Groups
Amazon Route 53
Amazon VPC

AWS App Mesh

AWS RAM provides the following default AWS-managed permissions for shareable AWS App Mesh resources.

Resource type Permission name and ARN Allowed actions

appmesh:Mesh

Resource type	Permission name and ARN	Allowed actions
appmesh:Mesh	Name: AWSRAMDefaultPermissionAppMesh ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAppMesh	`appmesh:CreateVirtualNode` `appmesh:CreateVirtualRouter` `appmesh:CreateRoute` `appmesh:CreateVirtualService` `appmesh:UpdateVirtualNode` `appmesh:UpdateVirtualRouter` `appmesh:UpdateRoute` `appmesh:UpdateVirtualService` `appmesh:ListVirtualNodes` `appmesh:ListVirtualRouters` `appmesh:ListRoutes` `appmesh:ListVirtualServices` `appmesh:DescribeVirtualNode` `appmesh:DescribeVirtualRouter` `appmesh:DescribeRoute` `appmesh:DescribeVirtualService` `appmesh:DeleteVirtualNode` `appmesh:DeleteVirtualRouter` `appmesh:DeleteRoute` `appmesh:DeleteVirtualService`

Name: AWSRAMDefaultPermissionAppMesh

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAppMesh

appmesh:CreateVirtualNode
appmesh:CreateVirtualRouter
appmesh:CreateRoute
appmesh:CreateVirtualService
appmesh:UpdateVirtualNode
appmesh:UpdateVirtualRouter
appmesh:UpdateRoute
appmesh:UpdateVirtualService
appmesh:ListVirtualNodes
appmesh:ListVirtualRouters
appmesh:ListRoutes
appmesh:ListVirtualServices
appmesh:DescribeVirtualNode
appmesh:DescribeVirtualRouter
appmesh:DescribeRoute
appmesh:DescribeVirtualService
appmesh:DeleteVirtualNode
appmesh:DeleteVirtualRouter
appmesh:DeleteRoute
appmesh:DeleteVirtualService

Amazon Aurora

AWS RAM provides the following default AWS-managed permissions for shareable Amazon Aurora resources.

Resource type Permission name and ARN Allowed actions

rds:Cluster

Resource type	Permission name and ARN	Allowed actions
rds:Cluster	Name: AWSRAMDefaultPermissionRDSCluster ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionRDSCluster	`rds:RestoreDbClusterToPointInTime` `rds:DescribeDbClusters`

Name: AWSRAMDefaultPermissionRDSCluster

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionRDSCluster

rds:RestoreDbClusterToPointInTime
rds:DescribeDbClusters

AWS Certificate Manager Private Certificate Authority

AWS RAM provides the following default AWS-managed permissions for shareable ACM Private CA resources.

Resource type Permission name and ARN Allowed actions

acm-pca:CertificateAuthority

Resource type	Permission name and ARN	Allowed actions
acm-pca:CertificateAuthority	Name: AWSRAMDefaultPermissionCertificateAuthority ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCertificateAuthority	`acm-pca:IssueCertificate` `acm-pca:DescribeCertificateAuthority` `acm-pca:GetCertificate` `acm-pca:GetCertificateAuthorityCertificate` `acm-pca:ListPermissions` `acm-pca:ListTags`

Name: AWSRAMDefaultPermissionCertificateAuthority

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCertificateAuthority

acm-pca:IssueCertificate
acm-pca:DescribeCertificateAuthority
acm-pca:GetCertificate
acm-pca:GetCertificateAuthorityCertificate
acm-pca:ListPermissions
acm-pca:ListTags

AWS CodeBuild

AWS RAM provides the following default AWS-managed permissions for shareable AWS CodeBuild resources.

Resource type Permission name and ARN Allowed actions

codebuild:Project

Resource type	Permission name and ARN	Allowed actions
codebuild:Project	Name: AWSRAMDefaultPermissionCodeBuildProject ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildProject	`codebuild:BatchGetBuilds` `codebuild:BatchGetProjects` `codebuild:ListBuildsForProject`
codebuild:ReportGroup	Name: AWSRAMDefaultPermissionCodeBuildReportGroup ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildReportGroup	`codebuild:BatchGetReports` `codebuild:BatchGetReportGroups` `codebuild:ListReportsForReportGroup` `codebuild:DescribeTestCases`

Name: AWSRAMDefaultPermissionCodeBuildProject

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildProject

codebuild:BatchGetBuilds
codebuild:BatchGetProjects
codebuild:ListBuildsForProject

codebuild:ReportGroup

Name: AWSRAMDefaultPermissionCodeBuildReportGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildReportGroup

codebuild:BatchGetReports
codebuild:BatchGetReportGroups
codebuild:ListReportsForReportGroup
codebuild:DescribeTestCases

Amazon EC2

AWS RAM provides the following default AWS-managed permissions for shareable Amazon EC2 resources.

Resource type Permission name and ARN Allowed actions

ec2:CapacityReservation

Resource type	Permission name and ARN	Allowed actions
ec2:CapacityReservation	Name: AWSRAMDefaultPermissionCapacityReservation ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCapacityReservation	`ec2:RunInstance` `ec2:DescribeCapacityReservations`
ec2:DedicatedHost	Name: AWSRAMDefaultPermissionDedicatedHost ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionDedicatedHost	`ec2:RunInstances` `ec2:StartInstances` `ec2:DescribeHosts` `ec2:ModifyInstancePlacement`

Name: AWSRAMDefaultPermissionCapacityReservation

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCapacityReservation

ec2:RunInstance
ec2:DescribeCapacityReservations

ec2:DedicatedHost

Name: AWSRAMDefaultPermissionDedicatedHost

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionDedicatedHost

ec2:RunInstances
ec2:StartInstances
ec2:DescribeHosts
ec2:ModifyInstancePlacement

Amazon EC2 Image Builder

AWS RAM provides the following default AWS-managed permissions for shareable Amazon EC2 Image Builder resources.

Resource type	Permission name and ARN	Allowed actions
imagebuilder:Component	Name: AWSRAMDefaultPermissionImageBuilderComponent ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderComponent	`imagebuilder:GetComponent` `imagebuilder:ListComponents`
imagebuilder:Image	Name: AWSRAMDefaultPermissionImageBuilderImage ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderImage	`imagebuilder:GetImage` `imagebuilder:ListImages`
imagebuilder:ImageRecipe	Name: AWSRAMDefaultPermissionImageBuilderImageRecipe ARN: arn:aws:ram::aws:permission/imagebuilder:AWSRAMDefaultPermissionImageBuilderImageRecipe	`imagebuilder:GetImageRecipe` `imagebuilder:ListImageRecipes`
imagebuilder:ContainerRecipe	Name: AWSRAMDefaultPermissionImageBuilderContainerRecipe ARN: arn:aws:ram::aws:permission/imagebuilder:AWSRAMDefaultPermissionImageBuilderContainerRecipe	`imagebuilder:GetContainerRecipe` `imagebuilder:ListContainerRecipes`

AWS Glue

AWS RAM provides the following default AWS-managed permissions for shareable AWS Glue resources.

Resource type Permission name and ARN Allowed actions

glue:Catalog

Resource type	Permission name and ARN	Allowed actions
glue:Catalog	Name: AWSRAMDefaultPermissionGlueCatalog ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueCatalog	`glue:GetTable` `glue:GetTableVersion` `glue:GetTableVersions` `glue:GetPartition` `glue:GetPartitions` `glue:BatchGetPartition` `glue:GetDatabase` `glue:GetTables` `glue:GetDatabases` `glue:SearchTables`
glue:Database	Name: AWSRAMDefaultPermissionGlueDatabase ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueDatabase	`glue:GetTable` `glue:GetTableVersion` `glue:GetTableVersions` `glue:GetPartition` `glue:GetPartitions` `glue:BatchGetPartition` `glue:GetDatabase` `glue:GetDatabases` `glue:GetTables` `glue:SearchTables`
glue:Table	Name: AWSRAMDefaultPermissionGlueTable ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueTable	`glue:GetTable` `glue:GetTableVersion` `glue:GetTableVersions` `glue:GetPartition` `glue:GetPartitions` `glue:BatchGetPartition` `glue:SearchTables`

Name: AWSRAMDefaultPermissionGlueCatalog

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueCatalog

glue:GetTable
glue:GetTableVersion
glue:GetTableVersions
glue:GetPartition
glue:GetPartitions
glue:BatchGetPartition
glue:GetDatabase
glue:GetTables
glue:GetDatabases
glue:SearchTables

glue:Database

Name: AWSRAMDefaultPermissionGlueDatabase

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueDatabase

glue:GetTable
glue:GetTableVersion
glue:GetTableVersions
glue:GetPartition
glue:GetPartitions
glue:BatchGetPartition
glue:GetDatabase
glue:GetDatabases
glue:GetTables
glue:SearchTables

glue:Table

Name: AWSRAMDefaultPermissionGlueTable

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueTable

glue:GetTable
glue:GetTableVersion
glue:GetTableVersions
glue:GetPartition
glue:GetPartitions
glue:BatchGetPartition
glue:SearchTables

AWS License Manager

AWS RAM provides the following default AWS-managed permissions for shareable AWS License Manager resources.

Resource type Permission name and ARN Allowed actions

license-manager:LicenseConfiguration

Resource type	Permission name and ARN	Allowed actions
license-manager:LicenseConfiguration	Name: AWSRAMDefaultPermissionLicenseConfiguration ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLicenseConfiguration	`license-manager:GetLicenseConfiguration` `license-manager:ListLicenseConfigurations` `license-manager:ListAssociationsForLicenseConfiguration` `license-manager:ListUsageForLicenseConfiguration`

Name: AWSRAMDefaultPermissionLicenseConfiguration

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLicenseConfiguration

license-manager:GetLicenseConfiguration
license-manager:ListLicenseConfigurations
license-manager:ListAssociationsForLicenseConfiguration
license-manager:ListUsageForLicenseConfiguration

AWS Network Firewall

AWS RAM provides the following default AWS-managed permissions for shareable AWS Network Firewall resources.

Resource type Permission name and ARN Allowed actions

network-firewall:FirewallPolicy

Resource type	Permission name and ARN	Allowed actions
network-firewall:FirewallPolicy	Name: AWSRAMDefaultPermissionNetworkFirewallPolicy ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallPolicy	`network-firewall:CreateFirewall` `network-firewall:UpdateFirewall` `network-firewall:AssociateFirewallPolicy` `network-firewall:ListFirewallPolicies`
network-firewall:StatefulRuleGroup	Name: AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup	`network-firewall:CreateFirewallPolicy` `network-firewall:UpdateFirewallPolicy` `network-firewall:ListRuleGroups`
network-firewall:StatelessRuleGroup	Name: AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup	`network-firewall:CreateFirewallPolicy` `network-firewall:UpdateFirewallPolicy` `network-firewall:ListRuleGroups`

Name: AWSRAMDefaultPermissionNetworkFirewallPolicy

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallPolicy

network-firewall:CreateFirewall
network-firewall:UpdateFirewall
network-firewall:AssociateFirewallPolicy
network-firewall:ListFirewallPolicies

network-firewall:StatefulRuleGroup

Name: AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup

network-firewall:CreateFirewallPolicy
network-firewall:UpdateFirewallPolicy
network-firewall:ListRuleGroups

network-firewall:StatelessRuleGroup

Name: AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup

network-firewall:CreateFirewallPolicy
network-firewall:UpdateFirewallPolicy
network-firewall:ListRuleGroups

AWS Outposts

AWS RAM provides the following default AWS-managed permissions for shareable AWS Outposts resources.

Note

For the default AWS-managed permissions for shared subnets and local gateway route tables on Outposts, see Subnets and local gateway route tables.

Resource type Permission name and ARN Allowed actions

outposts:Outpost

Resource type	Permission name and ARN	Allowed actions
outposts:Outpost	Name: AWSRAMDefaultPermissionOutpostsOutpost ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionOutpostsOutpost	`outposts:GetOutpost` `outposts:GetOutpostInstanceTypes` `outposts:ListOutposts`

Name: AWSRAMDefaultPermissionOutpostsOutpost

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionOutpostsOutpost

outposts:GetOutpost
outposts:GetOutpostInstanceTypes
outposts:ListOutposts

AWS Resource Groups

AWS RAM provides the following default AWS-managed permissions for shareable AWS Resource Groups resources.

Resource type Permission name and ARN Allowed actions

resource-groups:Group

Resource type	Permission name and ARN	Allowed actions
resource-groups:Group	Name: AWSRAMDefaultPermissionResourceGroup ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResourceGroup	`resource-groups:GetGroup` `resource-groups:GetGroupConfiguration` `resource-groups:ListGroupResources`

Name: AWSRAMDefaultPermissionResourceGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResourceGroup

resource-groups:GetGroup
resource-groups:GetGroupConfiguration
resource-groups:ListGroupResources

Amazon Route 53

AWS RAM provides the following default AWS-managed permissions for shareable Amazon Route 53 resources.

Resource type Permission name and ARN Allowed actions

route53resolver:FirewallRuleGroup

Resource type	Permission name and ARN	Allowed actions
route53resolver:FirewallRuleGroup	Name: AWSRAMDefaultPermissionResolverFirewallRuleGroup ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverFirewallRuleGroup	`route53resolver:GetFirewallRuleGroup` `route53resolver:ListFirewallRuleGroups`
route53resolver:ResolverRule	Name: AWSRAMDefaultPermissionResolverRule ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverRule	`route53resolver:GetResolverRule` `route53resolver:AssociateResolverRule` `route53resolver:DisassociateResolverRule` `route53resolver:ListResolverRules` `route53resolver:ListResolverRuleAssociations`
route53resolver:ResolverQueryLogConfig	Name: AWSRAMDefaultPermissionResolverQueryLogConfig ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverQueryLogConfig	`route53resolver:AssociateResolverQueryLogConfig` `route53resolver:DisassociateResolverQueryLogConfig` `route53resolver:ListResolverQueryLogConfigs`

Name: AWSRAMDefaultPermissionResolverFirewallRuleGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverFirewallRuleGroup

route53resolver:GetFirewallRuleGroup
route53resolver:ListFirewallRuleGroups

route53resolver:ResolverRule

Name: AWSRAMDefaultPermissionResolverRule

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverRule

route53resolver:GetResolverRule
route53resolver:AssociateResolverRule
route53resolver:DisassociateResolverRule
route53resolver:ListResolverRules
route53resolver:ListResolverRuleAssociations

route53resolver:ResolverQueryLogConfig

Name: AWSRAMDefaultPermissionResolverQueryLogConfig

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverQueryLogConfig

route53resolver:AssociateResolverQueryLogConfig
route53resolver:DisassociateResolverQueryLogConfig
route53resolver:ListResolverQueryLogConfigs

Amazon VPC

AWS RAM provides the following default AWS-managed permissions for shareable Amazon VPC resources.

Resource type	Permission name and ARN	Allowed actions
ec2:PrefixList	Name: AWSRAMDefaultPermissionPrefixList ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionPrefixList	`ec2:DescribeManagedPrefixLists` `ec2:GetManagedPrefixListEntries`
ec2:Subnet	Name: AWSRAMDefaultPermissionSubnet ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet	`ec2:RunInstances` `ec2:CreateNetworkInterface` `ec2:DescribeSubnets`
ec2:TrafficMirrorTarget	Name: AWSRAMDefaultPermissionTrafficMirror ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTrafficMirror	`ec2:DescribeTrafficMirrorTargets` `ec2:CreateTrafficMirrorSession` `ec2:DeleteTrafficMirrorSession` `ec2:DescribeTrafficMirrorSessions`
ec2:TransitGateway	Name: AWSRAMDefaultPermissionTransitGateway ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTransitGateway	`ec2:DescribeTransitGateways` `ec2:CreateTransitGatewayVpcAttachment` `ec2:ModifyTransitGatewayVpcAttachment` `ec2:DeleteTransitGatewayVpcAttachment`
ec2:LocalGatewayRouteTable	Name: AWSRAMDefaultPermissionLocalGateway ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLocalGateway	`ec2:CreateLocalGatewayRouteTableVpcAssociation` `ec2:DeleteLocalGatewayRouteTableVpcAssociation` `ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations` `ec2:DescribeLocalGatewayRouteTableVpcAssociations` `ec2:DescribeLocalGatewayRouteTables` `ec2:DescribeLocalGatewayVirtualInterfaceGroups` `ec2:DescribeLocalGatewayVirtualInterfaces` `ec2:DescribeLocalGateways` `ec2:SearchTransitGatewayRoutes`

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Disable sharing with Organizations

Logging and monitoring