AWS RAM permissions
AWS RAM permissions are policy fragments used by AWS RAM. They control which actions principals are allowed to perform on resources that are shared with them. AWS RAM permissions are used to generate the resource-based policies that are attached to shared resources.
AWS RAM includes default AWS-managed permissions for each supported shareable resource type. These managed permissions are created and managed by AWS, and they define the allowed actions for each shareable resource type. For more information about the default AWS-managed permissions, see AWS-managed permissions.
How AWS RAM permissions work
When you create a resource share, AWS RAM automatically attaches the default permission for each associated resource type to the resource share. For example, if you create a resource share and associate a subnet and a Capacity Reservation, AWS RAM automatically attaches the subnet and Capacity Reservation permissions to the resource share.
After the resource share has been created, the permissions are provided to the respective resource-owning services. The resource-owning service uses the provided permissions to create resource-based policies for each of the resources included in the resource share. The resulting resource-based policies created by the resource-owning service include the following elements:
- Resource — The resource included in the resource share.
- Effect — The effect of the AWS RAM permission. Always allow.
- Principal — The ARNs of the principals associated with the resource share.
- Action — The standard actions defined in the AWS RAM permission.
The resource-based policies are attached to the shared resources. They allow the specified principals to perform the allowed actions on the resource.
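As an added example (not AWS's own code), the following Python models the policy generation described above and then audits a resource-based policy against the managed permission it should have been derived from, flagging extra actions, unexpected principals, or a wildcard principal. The permission's action list, the account IDs and the subnet ID are constructed placeholders, not values from this page.

```python
# Constructed sample permission: the name is from the page, the action list is
# illustrative only (this page does not list the managed permission's actions).
SUBNET_PERMISSION = {
    "name": "AWSRAMDefaultPermissionSubnet",
    "actions": ["ec2:DescribeSubnets", "ec2:RunInstances"],
}

def build_resource_policy(permission, resource_arn, principal_arns):
    """Model the resource-based policy a resource-owning service derives from a share."""
    if not principal_arns:
        raise ValueError("a resource share needs at least one associated principal")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": permission["name"],
            "Effect": "Allow",  # the Effect of a RAM permission is always Allow
            "Principal": {"AWS": sorted(principal_arns)},
            "Action": sorted(permission["actions"]),
            "Resource": resource_arn,
        }],
    }

def audit_resource_policy(policy, permission, expected_principals):
    """Return findings where a policy deviates from what the managed permission should produce."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            findings.append(f"unexpected Effect {stmt.get('Effect')!r}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = sorted(set(actions) - set(permission["actions"]))
        if extra:
            findings.append(f"actions beyond managed permission: {extra}")
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws:
            findings.append("wildcard principal: resource would be open to any account")
            continue
        unknown = sorted(set(aws) - set(expected_principals))
        if unknown:
            findings.append(f"principals not associated with the share: {unknown}")
    return findings

if __name__ == "__main__":
    share_principals = ["arn:aws:iam::222222222222:root"]  # constructed account
    policy = build_resource_policy(SUBNET_PERMISSION,
        "arn:aws:ec2:us-east-1:111111111111:subnet/subnet-0example", share_principals)
    print(audit_resource_policy(policy, SUBNET_PERMISSION, share_principals))  # []
```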
AWS-managed permissions
AWS RAM provides the following default AWS-managed permissions:
AWS App Mesh
AWS RAM provides the following default AWS-managed permissions for shareable AWS App Mesh resources.
Resource type | Permission name and ARN | Effect | Actions |
---|---|---|---|
appmesh:Mesh | Name: AWSRAMDefaultPermissionAppMesh; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAppMesh | Allow | |
Amazon Aurora
AWS RAM provides the following default AWS-managed permissions for shareable Amazon Aurora resources.
Resource type | Permission name and ARN | Effect | Actions |
---|---|---|---|
rds:Cluster | Name: AWSRAMDefaultPermissionRDSCluster; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionRDSCluster | Allow | |
AWS Certificate Manager Private Certificate Authority
AWS RAM provides the following default AWS-managed permissions for shareable ACM Private CA resources.
Resource type | Permission name and ARN | Effect | Actions |
---|---|---|---|
acm-pca:CertificateAuthority | Name: AWSRAMDefaultPermissionCertificateAuthority; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCertificateAuthority | Allow | |
AWS CodeBuild
AWS RAM provides the following default AWS-managed permissions for shareable AWS CodeBuild resources.
Resource type | Permission name and ARN | Effect | Actions |
---|---|---|---|
codebuild:Project | Name: AWSRAMDefaultPermissionCodeBuildProject; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildProject | Allow | |
codebuild:ReportGroup | Name: AWSRAMDefaultPermissionCodeBuildReportGroup; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildReportGroup | Allow | |
Amazon EC2
AWS RAM provides the following default AWS-managed permissions for shareable Amazon EC2 resources.
Resource type | Permission name and ARN | Effect | Actions |
---|---|---|---|
ec2:CapacityReservation | Name: AWSRAMDefaultPermissionCapacityReservation; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCapacityReservation | Allow | |
ec2:DedicatedHost | Name: AWSRAMDefaultPermissionDedicatedHost; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionDedicatedHost | Allow | |
Amazon EC2 Image Builder
AWS RAM provides the following default AWS-managed permissions for shareable Amazon EC2 Image Builder resources.
Resource type | Permission name and ARN | Effect | Actions |
---|---|---|---|
imagebuilder:Component | Name: AWSRAMDefaultPermissionImageBuilderComponent; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderComponent | Allow | |
imagebuilder:Image | Name: AWSRAMDefaultPermissionImageBuilderImage; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderImage | Allow | |
imagebuilder:ImageRecipe | Name: AWSRAMDefaultPermissionImageBuilderImageRecipe; ARN: arn:aws:ram::aws:permission/imagebuilder:AWSRAMDefaultPermissionImageBuilderImageRecipe | Allow | |
AWS Glue
AWS RAM provides the following default AWS-managed permissions for shareable AWS Glue resources.
Resource type | Permission name and ARN | Effect | Actions |
---|---|---|---|
glue:Catalog | Name: AWSRAMDefaultPermissionGlueCatalog; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueCatalog | Allow | |
glue:Database | Name: AWSRAMDefaultPermissionGlueDatabase; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueDatabase | Allow | |
glue:Table | Name: AWSRAMDefaultPermissionGlueTable; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueTable | Allow | |
AWS License Manager
AWS RAM provides the following default AWS-managed permissions for shareable AWS License Manager resources.
Resource type | Permission name and ARN | Effect | Actions |
---|---|---|---|
license-manager:LicenseConfiguration | Name: AWSRAMDefaultPermissionLicenseConfiguration; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLicenseConfiguration | Allow | |
AWS Network Firewall
AWS RAM provides the following default AWS-managed permissions for shareable AWS Network Firewall resources.
Resource type | Permission name and ARN | Effect | Actions |
---|---|---|---|
network-firewall:FirewallPolicy | Name: AWSRAMDefaultPermissionNetworkFirewallPolicy; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallPolicy | Allow | |
network-firewall:StatefulRuleGroup | Name: AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup | Allow | |
network-firewall:StatelessRuleGroup | Name: AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup | Allow | |
AWS Outposts
AWS RAM provides the following default AWS-managed permissions for shareable AWS Outposts resources.
For the default AWS-managed permissions for shared subnets and local gateway route tables on Outposts, see Subnets and local gateway route tables.
Resource type | Permission name and ARN | Effect | Actions |
---|---|---|---|
outposts:Outpost | Name: AWSRAMDefaultPermissionOutpostsOutpost; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionOutpostsOutpost | Allow | |
AWS Resource Groups
AWS RAM provides the following default AWS-managed permissions for shareable AWS Resource Groups resources.
Resource type | Permission name and ARN | Effect | Actions |
---|---|---|---|
resource-groups:Group | Name: AWSRAMDefaultPermissionResourceGroup; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResourceGroup | Allow | |
Amazon Route 53
AWS RAM provides the following default AWS-managed permissions for shareable Amazon Route 53 resources.
Resource type | Permission name and ARN | Effect | Actions |
---|---|---|---|
route53resolver:ResolverRule | Name: AWSRAMDefaultPermissionResolverRule; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverRule | Allow | |
route53resolver:ResolverQueryLogConfig | Name: AWSRAMDefaultPermissionResolverQueryLogConfig; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverQueryLogConfig | Allow | |
Amazon VPC
AWS RAM provides the following default AWS-managed permissions for shareable Amazon VPC resources.
Resource type | Permission name and ARN | Effect | Actions |
---|---|---|---|
ec2:PrefixList | Name: AWSRAMDefaultPermissionPrefixList; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionPrefixList | Allow | |
ec2:Subnet | Name: AWSRAMDefaultPermissionSubnet; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet | Allow | |
ec2:TrafficMirrorTarget | Name: AWSRAMDefaultPermissionTrafficMirror; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTrafficMirror | Allow | |
ec2:TransitGateway | Name: AWSRAMDefaultPermissionTransitGateway; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTransitGateway | Allow | |
ec2:LocalGatewayRouteTable | Name: AWSRAMDefaultPermissionLocalGateway; ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLocalGateway | Allow | |