AWS RAM managed permissions - AWS Resource Access Manager

AWS RAM managed permissions

AWS RAM managed permissions define, for each shareable resource type in a resource share, the actions that principals who have access to the shared resources are allowed to perform on those resources.

How AWS RAM managed permissions work

When you create a resource share, you can associate a managed permission with each resource type that you want to share. After you create the resource share, AWS RAM provides the permission that you associate with each resource type to the respective resource-owning service, such as AWS Certificate Manager Private Certificate Authority. The permissions are then attached to each of the resources in the resource share.

AWS RAM managed permissions specify the following:

Effect

Indicates whether to allow or deny a principal permission to perform an action or operation on a shared resource. For an AWS RAM managed permission, the effect is always Allow.

Principal

The organization or organizational unit (OU) in AWS Organizations, an AWS account, IAM role, or IAM user that can access the shared resource.

Note

Not all resource types can be shared with IAM roles and IAM users. For information about resources that you can share with these principals, see the next section.

Action

The action or operation that the principal is granted permission to perform. This can be an action in the AWS Management Console or an operation in the AWS CLI or AWS API. The actions are defined in the AWS RAM permission.

Sharing with IAM roles and IAM users

AWS RAM lets you share your resources with an organization or organizational units (OUs) in AWS Organizations, and AWS accounts. For supported resource types, you can also share resources with IAM roles and IAM users. For each shareable resource type, the following table indicates whether you can share resources of that type with IAM roles and IAM users.

Service                                 Resource type                             Can be shared with IAM roles and IAM users
AWS App Mesh                            appmesh:Mesh                              Yes
Amazon Aurora                           rds:Cluster                               No
ACM Private CA                          acm-pca:CertificateAuthority              Yes
AWS CodeBuild                           codebuild:Project                         Yes
                                        codebuild:ReportGroup                     Yes
Amazon EC2                              ec2:CapacityReservation                   No
                                        ec2:DedicatedHost                         No
Amazon EC2 Image Builder                imagebuilder:Component                    Yes
                                        imagebuilder:ContainerRecipe              Yes
                                        imagebuilder:Image                        Yes
                                        imagebuilder:ImageRecipe                  Yes
AWS Glue                                glue:Catalog                              No
                                        glue:Database                             No
                                        glue:Table                                No
AWS License Manager                     license-manager:LicenseConfiguration      No
AWS Network Firewall                    network-firewall:FirewallPolicy           Yes
                                        network-firewall:StatefulRuleGroup        Yes
                                        network-firewall:StatelessRuleGroup       Yes
AWS Outposts                            outposts:Outpost                          No
AWS Resource Groups                     resource-groups:Group                     No
Amazon Route 53                         route53resolver:FirewallRuleGroup         Yes
                                        route53resolver:ResolverQueryLogConfig    Yes
                                        route53resolver:ResolverRule              No
AWS Systems Manager Incident Manager    ssm-contacts:Contact                      Yes
                                        ssm-incidents:ResponsePlan                Yes
Amazon VPC                              ec2:PrefixList                            No
                                        ec2:Subnet                                No
                                        ec2:TrafficMirrorTarget                   No
                                        ec2:TransitGateway                        No
                                        ec2:LocalGatewayRouteTable                No
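A pre-flight check for the principals in a planned resource share, as an added example (not code from the AWS RAM documentation): it classifies each principal from its account ID or ARN and rejects IAM roles and users for resource types that the table above marks "No". The IAM_PRINCIPAL_OK set is transcribed from that table, and any resource type missing from it is treated as not shareable with IAM principals. The external-account check models the RAM allowExternalPrincipals setting, which this page does not describe; the account IDs in the sample are constructed.

```python
"""Pre-flight check for the principals in a planned AWS RAM resource share.

Added example; it is not code from the AWS RAM documentation. IAM_PRINCIPAL_OK
is transcribed from the table on this page; the external-account check models
RAM's allowExternalPrincipals setting, which the page does not describe.
"""
import re

# Resource types that can be shared with IAM roles and IAM users (from the table above).
IAM_PRINCIPAL_OK = frozenset({
    "appmesh:Mesh",
    "acm-pca:CertificateAuthority",
    "codebuild:Project", "codebuild:ReportGroup",
    "imagebuilder:Component", "imagebuilder:ContainerRecipe",
    "imagebuilder:Image", "imagebuilder:ImageRecipe",
    "network-firewall:FirewallPolicy",
    "network-firewall:StatefulRuleGroup", "network-firewall:StatelessRuleGroup",
    "route53resolver:FirewallRuleGroup", "route53resolver:ResolverQueryLogConfig",
    "ssm-contacts:Contact", "ssm-incidents:ResponsePlan",
})

# Principal formats RAM accepts: a 12-digit account ID, an organization or OU ARN,
# or an IAM role or user ARN.
_ACCOUNT_RE = re.compile(r"^\d{12}$")
_ORG_RE = re.compile(r"^arn:aws:organizations::\d{12}:organization/o-[a-z0-9]{10,32}$")
_OU_RE = re.compile(
    r"^arn:aws:organizations::\d{12}:ou/o-[a-z0-9]{10,32}/ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")
_IAM_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|user)/[\w+=,.@/-]+$")


def classify_principal(principal):
    """Return (kind, account_id); kind is account, organization, ou, role or user.
    account_id is None for organization and OU principals."""
    if _ACCOUNT_RE.match(principal):
        return "account", principal
    if _ORG_RE.match(principal):
        return "organization", None
    if _OU_RE.match(principal):
        return "ou", None
    m = _IAM_RE.match(principal)
    if m:
        return m.group(2), m.group(1)
    raise ValueError(f"unrecognised principal: {principal!r}")


def check_share(principals, resource_types, org_accounts, allow_external=False):
    """Return the reasons the share would be rejected or is risky ([] = all good).

    org_accounts is the set of account IDs in your organization; an account or
    IAM principal outside it is flagged unless allow_external is True.
    """
    problems = []
    for principal in principals:
        kind, account = classify_principal(principal)
        if kind in ("role", "user"):
            for resource_type in resource_types:
                if resource_type not in IAM_PRINCIPAL_OK:
                    problems.append(
                        f"{principal}: {resource_type} cannot be shared with IAM {kind}s")
        if account is not None and account not in org_accounts and not allow_external:
            problems.append(
                f"{principal}: account {account} is outside the organization "
                "and external principals are not allowed")
    return problems


if __name__ == "__main__":
    # Constructed sample: a fictitious organization of two accounts.
    org = {"111111111111", "222222222222"}
    for problem in check_share(
        ["arn:aws:iam::222222222222:role/BuildRole", "333333333333"],
        ["ec2:Subnet", "acm-pca:CertificateAuthority"],
        org,
    ):
        print(problem)
```

Run the check before calling create-resource-share; RAM rejects an IAM principal for an unsupported type anyway, but catching it in review keeps a share from silently ending up with only the account-level principals you did not intend.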

Types of AWS RAM managed permissions

When you create a resource share, you choose a permission to associate with each resource type that you want to share. Managed permissions are defined by the resource-owning service but are managed by AWS RAM.

  • Default managed permissions – These permissions are available for every resource type that AWS RAM supports. For each resource type, the default AWS RAM managed permission allows principals to perform specific actions that are defined by the service for the resource type. For example, for the Amazon VPC ec2:Subnet resource type, the default managed permission allows principals to perform the following actions:

    • ec2:RunInstances

    • ec2:CreateNetworkInterface

    • ec2:DescribeSubnets

    The names of default managed permissions use the following format: AWSRAMDefaultPermissionShareableResource. For example, for the ec2:Subnet resource type, the name of the default AWS RAM managed permission is AWSRAMDefaultPermissionSubnet.

  • Additional managed permissions – Examples include read-only access and full access (read and write). These give you more control over which permissions to grant to specific principals for supported resource types. For example, when a resource type supports both a full access and a read-only managed permission, you can share the resources with an administrator using the full access managed permission, and with other team members using the read-only managed permission. This follows the security best practice of least privilege: granting only the minimum permissions required to work with the shared resources.

    Note

    Currently, only some AWS services that work with AWS RAM support these permissions. For services that don’t support additional managed permissions, when you create a resource share, AWS RAM automatically applies the default permission defined for the resource type that you choose.
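A least-privilege review of managed permissions, as an added example (not code from the AWS RAM documentation). It consumes records shaped like the permission element that aws ram get-permission returns, whose permission field is a JSON policy string with Effect and Action; the sample records are constructed from the action lists in the reference section below, the read-only Subnet permission is hypothetical, and the read-only classification by action verb is this example's own heuristic rather than an AWS classification.

```python
"""Least-privilege review of AWS RAM managed permissions.

Added example; it is not code from the AWS RAM documentation. Input records
mirror the `permission` element of `aws ram get-permission`. The sample data
is constructed from this page; ExampleReadOnlySubnet is hypothetical and the
read-only verb list is this example's own heuristic.
"""
import json

# Action verbs that do not change state. Anything else is treated as mutating.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Search", "BatchGet")


def _sample(name, resource_type, actions, default=True):
    """Build one get-permission-shaped record (constructed test data)."""
    return {
        "arn": f"arn:aws:ram::aws:permission/{name}",
        "name": name,
        "resourceType": resource_type,
        "isResourceTypeDefault": default,
        "permission": json.dumps({"Effect": "Allow", "Action": actions}),
    }


SAMPLE_PERMISSIONS = [
    _sample("AWSRAMDefaultPermissionSubnet", "ec2:Subnet",
            ["ec2:RunInstances", "ec2:CreateNetworkInterface", "ec2:DescribeSubnets"]),
    # The default Aurora permission lets a recipient restore a copy of the
    # cluster, and therefore its data, into their own account.
    _sample("AWSRAMDefaultPermissionRDSCluster", "rds:Cluster",
            ["rds:RestoreDbClusterToPointInTime", "rds:DescribeDbClusters"]),
    # Sharing a private CA lets the recipient issue certificates from it.
    _sample("AWSRAMDefaultPermissionCertificateAuthority", "acm-pca:CertificateAuthority",
            ["acm-pca:IssueCertificate", "acm-pca:DescribeCertificateAuthority",
             "acm-pca:GetCertificate", "acm-pca:GetCertificateAuthorityCertificate",
             "acm-pca:ListPermissions", "acm-pca:ListTags"]),
    # Hypothetical read-only permission, to show how selection prefers it.
    _sample("ExampleReadOnlySubnet", "ec2:Subnet", ["ec2:DescribeSubnets"], default=False),
]


def actions_of(permission):
    """Parse the policy string and return its allowed actions as a list."""
    doc = json.loads(permission["permission"])
    if doc.get("Effect") != "Allow":
        raise ValueError("RAM managed permissions always have Effect Allow")
    actions = doc["Action"]
    return [actions] if isinstance(actions, str) else list(actions)


def is_read_only(action):
    """True if the verb after 'service:' is a describe/get/list/search verb."""
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_ONLY_VERBS)


def mutating_actions(permission):
    """Sorted list of the permission's actions that change state."""
    return sorted(a for a in actions_of(permission) if not is_read_only(a))


def audit(permissions):
    """Map each permission name to its mutating actions; [] means read-only."""
    return {p["name"]: mutating_actions(p) for p in permissions}


def least_privilege_choice(permissions, resource_type, required_actions):
    """ARN of the smallest permission for resource_type that still allows every
    required action, or None if no candidate covers them all."""
    required = set(required_actions)
    candidates = [p for p in permissions
                  if p["resourceType"] == resource_type and required <= set(actions_of(p))]
    if not candidates:
        return None
    return min(candidates, key=lambda p: (len(actions_of(p)), p["name"]))["arn"]


if __name__ == "__main__":
    for name, writes in audit(SAMPLE_PERMISSIONS).items():
        print(f"{name}: {'read-only' if not writes else ', '.join(writes)}")
    print(least_privilege_choice(SAMPLE_PERMISSIONS, "ec2:Subnet", ["ec2:DescribeSubnets"]))
```

To run this against real data, list the candidates with aws ram list-permissions --resource-type ec2:Subnet, fetch each with aws ram get-permission --permission-arn, and feed the permission elements to audit and least_privilege_choice. The verb heuristic is deliberately conservative: a verb it does not recognise as read-only is reported as mutating, so review the output rather than treating "read-only" as proof.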

AWS RAM managed permissions reference

For services that work with AWS RAM, the following sections list the default managed permissions for shareable resources.

AWS App Mesh

Following are the default AWS RAM managed permissions for shareable AWS App Mesh resources.

Resource type Permission name and ARN Allowed actions
appmesh:Mesh

Name: AWSRAMDefaultPermissionAppMesh

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAppMesh

  • appmesh:CreateVirtualNode

  • appmesh:CreateVirtualRouter

  • appmesh:CreateRoute

  • appmesh:CreateVirtualService

  • appmesh:UpdateVirtualNode

  • appmesh:UpdateVirtualRouter

  • appmesh:UpdateRoute

  • appmesh:UpdateVirtualService

  • appmesh:ListVirtualNodes

  • appmesh:ListVirtualRouters

  • appmesh:ListRoutes

  • appmesh:ListVirtualServices

  • appmesh:DescribeVirtualNode

  • appmesh:DescribeVirtualRouter

  • appmesh:DescribeRoute

  • appmesh:DescribeVirtualService

  • appmesh:DeleteVirtualNode

  • appmesh:DeleteVirtualRouter

  • appmesh:DeleteRoute

  • appmesh:DeleteVirtualService

Amazon Aurora

Following are the default AWS RAM managed permissions for shareable Amazon Aurora resources.

Resource type Permission name and ARN Allowed actions
rds:Cluster

Name: AWSRAMDefaultPermissionRDSCluster

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionRDSCluster

  • rds:RestoreDbClusterToPointInTime

  • rds:DescribeDbClusters

AWS Certificate Manager Private Certificate Authority

Following are the default AWS RAM managed permissions for shareable ACM Private CA resources.

Resource type Permission name and ARN Allowed actions
acm-pca:CertificateAuthority

Name: AWSRAMDefaultPermissionCertificateAuthority

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCertificateAuthority

  • acm-pca:IssueCertificate

  • acm-pca:DescribeCertificateAuthority

  • acm-pca:GetCertificate

  • acm-pca:GetCertificateAuthorityCertificate

  • acm-pca:ListPermissions

  • acm-pca:ListTags

AWS CodeBuild

Following are the default AWS RAM managed permissions for shareable AWS CodeBuild resources.

Resource type Permission name and ARN Allowed actions
codebuild:Project

Name: AWSRAMDefaultPermissionCodeBuildProject

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildProject

  • codebuild:BatchGetBuilds

  • codebuild:BatchGetProjects

  • codebuild:ListBuildsForProject

codebuild:ReportGroup

Name: AWSRAMDefaultPermissionCodeBuildReportGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildReportGroup

  • codebuild:BatchGetReports

  • codebuild:BatchGetReportGroups

  • codebuild:ListReportsForReportGroup

  • codebuild:DescribeTestCases

Amazon EC2

Following are the default AWS RAM managed permissions for shareable Amazon EC2 resources.

Resource type Permission name and ARN Allowed actions
ec2:CapacityReservation

Name: AWSRAMDefaultPermissionCapacityReservation

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCapacityReservation

  • ec2:RunInstances

  • ec2:DescribeCapacityReservations

ec2:DedicatedHost

Name: AWSRAMDefaultPermissionDedicatedHost

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionDedicatedHost

  • ec2:RunInstances

  • ec2:StartInstances

  • ec2:DescribeHosts

  • ec2:ModifyInstancePlacement

Amazon EC2 Image Builder

Following are the default AWS RAM managed permissions for shareable Amazon EC2 Image Builder resources.

Resource type Permission name and ARN Allowed actions
imagebuilder:Component

Name: AWSRAMDefaultPermissionImageBuilderComponent

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderComponent

  • imagebuilder:GetComponent

  • imagebuilder:ListComponents

imagebuilder:Image

Name: AWSRAMDefaultPermissionImageBuilderImage

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderImage

  • imagebuilder:GetImage

  • imagebuilder:ListImages

imagebuilder:ImageRecipe

Name: AWSRAMDefaultPermissionImageBuilderImageRecipe

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderImageRecipe

  • imagebuilder:GetImageRecipe

  • imagebuilder:ListImageRecipes

imagebuilder:ContainerRecipe

Name: AWSRAMDefaultPermissionImageBuilderContainerRecipe

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderContainerRecipe

  • imagebuilder:GetContainerRecipe

  • imagebuilder:ListContainerRecipes

AWS Glue

Following are the default AWS RAM managed permissions for shareable AWS Glue resources.

Resource type Permission name and ARN Allowed actions
glue:Catalog

Name: AWSRAMDefaultPermissionGlueCatalog

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueCatalog

  • glue:GetTable

  • glue:GetTableVersion

  • glue:GetTableVersions

  • glue:GetPartition

  • glue:GetPartitions

  • glue:BatchGetPartition

  • glue:GetDatabase

  • glue:GetTables

  • glue:GetDatabases

  • glue:SearchTables

glue:Database

Name: AWSRAMDefaultPermissionGlueDatabase

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueDatabase

  • glue:GetTable

  • glue:GetTableVersion

  • glue:GetTableVersions

  • glue:GetPartition

  • glue:GetPartitions

  • glue:BatchGetPartition

  • glue:GetDatabase

  • glue:GetDatabases

  • glue:GetTables

  • glue:SearchTables

glue:Table

Name: AWSRAMDefaultPermissionGlueTable

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueTable

  • glue:GetTable

  • glue:GetTableVersion

  • glue:GetTableVersions

  • glue:GetPartition

  • glue:GetPartitions

  • glue:BatchGetPartition

  • glue:SearchTables

AWS License Manager

Following are the default AWS RAM managed permissions for shareable AWS License Manager resources.

Resource type Permission name and ARN Allowed actions
license-manager:LicenseConfiguration

Name: AWSRAMDefaultPermissionLicenseConfiguration

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLicenseConfiguration

  • license-manager:GetLicenseConfiguration

  • license-manager:ListLicenseConfigurations

  • license-manager:ListAssociationsForLicenseConfiguration

  • license-manager:ListUsageForLicenseConfiguration

AWS Network Firewall

Following are the default AWS RAM managed permissions for shareable AWS Network Firewall resources.

Resource type Permission name and ARN Allowed actions
network-firewall:FirewallPolicy

Name: AWSRAMDefaultPermissionNetworkFirewallPolicy

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallPolicy

  • network-firewall:CreateFirewall

  • network-firewall:UpdateFirewall

  • network-firewall:AssociateFirewallPolicy

  • network-firewall:ListFirewallPolicies

network-firewall:StatefulRuleGroup

Name: AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup

  • network-firewall:CreateFirewallPolicy

  • network-firewall:UpdateFirewallPolicy

  • network-firewall:ListRuleGroups

network-firewall:StatelessRuleGroup

Name: AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup

  • network-firewall:CreateFirewallPolicy

  • network-firewall:UpdateFirewallPolicy

  • network-firewall:ListRuleGroups

AWS Outposts

Following are the default AWS RAM managed permissions for shareable AWS Outposts resources.

Note

For the default AWS RAM managed permissions for shared subnets and local gateway route tables on Outposts, see Subnets and local gateway route tables.

Resource type Permission name and ARN Allowed actions
outposts:Outpost

Name: AWSRAMDefaultPermissionOutpostsOutpost

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionOutpostsOutpost

  • outposts:GetOutpost

  • outposts:GetOutpostInstanceTypes

  • outposts:ListOutposts

AWS Resource Groups

Following are the default AWS RAM managed permissions for shareable AWS Resource Groups resources.

Resource type Permission name and ARN Allowed actions
resource-groups:Group

Name: AWSRAMDefaultPermissionResourceGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResourceGroup

  • resource-groups:GetGroup

  • resource-groups:GetGroupConfiguration

  • resource-groups:ListGroupResources

Amazon Route 53

Following are the default AWS RAM managed permissions for shareable Amazon Route 53 resources.

Resource type Permission name and ARN Allowed actions
route53resolver:FirewallRuleGroup

Name: AWSRAMDefaultPermissionResolverFirewallRuleGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverFirewallRuleGroup

  • route53resolver:GetFirewallRuleGroup

  • route53resolver:ListFirewallRuleGroups

route53resolver:ResolverRule

Name: AWSRAMDefaultPermissionResolverRule

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverRule

  • route53resolver:GetResolverRule

  • route53resolver:AssociateResolverRule

  • route53resolver:DisassociateResolverRule

  • route53resolver:ListResolverRules

  • route53resolver:ListResolverRuleAssociations

route53resolver:ResolverQueryLogConfig

Name: AWSRAMDefaultPermissionResolverQueryLogConfig

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverQueryLogConfig

  • route53resolver:AssociateResolverQueryLogConfig

  • route53resolver:DisassociateResolverQueryLogConfig

  • route53resolver:ListResolverQueryLogConfigs

AWS Systems Manager Incident Manager

Following are the default AWS RAM managed permissions for shareable AWS Systems Manager Incident Manager resources.

Resource type Permission name and ARN Allowed actions
ssm-contacts:Contact

Name: AWSRAMDefaultPermissionSSMContactsContact

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSSMContactsContact

  • ssm-contacts:GetContact

  • ssm-contacts:StartEngagement

  • ssm-contacts:DescribeEngagement

  • ssm-contacts:ListPagesByEngagement

  • ssm-contacts:StopEngagement

ssm-incidents:ResponsePlan

Name: AWSRAMDefaultPermissionSSMIncidentsResponsePlan

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSSMIncidentsResponsePlan

  • ssm-incidents:GetResponsePlan

  • ssm-incidents:StartIncident

  • ssm-incidents:UpdateIncidentRecord

  • ssm-incidents:GetIncidentRecord

  • ssm-incidents:CreateTimelineEvent

  • ssm-incidents:UpdateTimelineEvent

  • ssm-incidents:GetTimelineEvent

  • ssm-incidents:ListTimelineEvents

  • ssm-incidents:UpdateRelatedItems

  • ssm-incidents:ListRelatedItems

Amazon VPC

Following are the default AWS RAM managed permissions for shareable Amazon VPC resources.

Resource type Permission name and ARN Allowed actions
ec2:PrefixList

Name: AWSRAMDefaultPermissionPrefixList

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionPrefixList

  • ec2:DescribeManagedPrefixLists

  • ec2:GetManagedPrefixListEntries

ec2:Subnet

Name: AWSRAMDefaultPermissionSubnet

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet

  • ec2:RunInstances

  • ec2:CreateNetworkInterface

  • ec2:DescribeSubnets

ec2:TrafficMirrorTarget

Name: AWSRAMDefaultPermissionTrafficMirror

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTrafficMirror

  • ec2:DescribeTrafficMirrorTargets

  • ec2:CreateTrafficMirrorSession

  • ec2:DeleteTrafficMirrorSession

  • ec2:DescribeTrafficMirrorSessions

ec2:TransitGateway

Name: AWSRAMDefaultPermissionTransitGateway

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTransitGateway

  • ec2:DescribeTransitGateways

  • ec2:CreateTransitGatewayVpcAttachment

  • ec2:ModifyTransitGatewayVpcAttachment

  • ec2:DeleteTransitGatewayVpcAttachment

ec2:LocalGatewayRouteTable

Name: AWSRAMDefaultPermissionLocalGateway

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLocalGateway

  • ec2:CreateLocalGatewayRouteTableVpcAssociation

  • ec2:DeleteLocalGatewayRouteTableVpcAssociation

  • ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations

  • ec2:DescribeLocalGatewayRouteTableVpcAssociations

  • ec2:DescribeLocalGatewayRouteTables

  • ec2:DescribeLocalGatewayVirtualInterfaceGroups

  • ec2:DescribeLocalGatewayVirtualInterfaces

  • ec2:DescribeLocalGateways

  • ec2:SearchTransitGatewayRoutes