AWS RAM permissions - AWS Resource Access Manager

AWS RAM permissions are policy fragments used by AWS RAM. They control which actions principals are allowed to perform on resources that are shared with them. AWS RAM permissions are used to generate the resource-based policies that are attached to shared resources.

AWS RAM includes default AWS-managed permissions for each supported shareable resource type. These managed permissions are created and managed by AWS, and they define the allowed actions for each shareable resource type. For more information about the default AWS-managed permissions, see AWS-managed permissions.

How AWS RAM permissions work

When you create a resource share, AWS RAM automatically attaches the default permission for each associated resource type to the resource share. For example, if you create a resource share and associate a subnet and a Capacity Reservation, AWS RAM automatically attaches the subnet and Capacity Reservation permissions to the resource share.

After the resource share has been created, the permissions are provided to the respective resource-owning services. The resource-owning service uses the provided permissions to create resource-based policies for each of the resources included in the resource share. The resulting resource-based policies created by the resource-owning service include the following elements:

  • Resource—The resource included in the resource share.

  • Effect—The effect of the AWS RAM permission, which is always Allow.

  • Principal—The ARNs of the principals associated with the resource share.

  • Action—The standard actions defined in the AWS RAM permission.

The resource-based policies are attached to the shared resources. They allow the specified principals to perform the allowed actions on the resource.
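The following is an added illustration, not AWS's own implementation and not code from this guide: it assembles a resource-based policy from the four elements listed above (Resource, Effect, Principal, Action), using the page's default permission for ec2:Subnet as the permission data, and then flags which of the allowed actions let a principal change state rather than only read it. The subnet ARN, account IDs and the read-only prefix list are constructed assumptions for the example.

```python
"""Illustrate how an AWS RAM permission becomes a resource-based policy.

Added example, not AWS's implementation. The permission below is the default
AWS-managed permission for ec2:Subnet as listed in this guide; the resource
ARN and account IDs used in the demo are constructed placeholders.
"""
import json

# Constructed from the guide's table: the default subnet permission.
SUBNET_PERMISSION = {
    "name": "AWSRAMDefaultPermissionSubnet",
    "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet",
    "actions": [
        "ec2:RunInstances",
        "ec2:CreateNetworkInterface",
        "ec2:DescribeSubnets",
    ],
}

# Assumption for this example: verbs with these prefixes do not change state.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "BatchGet", "Search")


def build_resource_policy(permission, resource_arn, principal_arns):
    """Assemble the policy a resource-owning service would attach to one
    shared resource: Effect is always Allow, Principal is the set of ARNs
    associated with the share, Action is the permission's action list."""
    if not principal_arns:
        raise ValueError("a resource share with no principals grants nothing")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": permission["name"],
                "Effect": "Allow",
                "Principal": {"AWS": sorted(set(principal_arns))},
                "Action": list(permission["actions"]),
                "Resource": resource_arn,
            }
        ],
    }


def mutating_actions(policy):
    """Return the actions in the policy whose verb is not read-only, in
    statement order. A reviewer of a share wants these listed: sharing a
    subnet, for example, lets principals launch instances into it."""
    found = []
    for statement in policy["Statement"]:
        for action in statement["Action"]:
            verb = action.split(":", 1)[1]
            if not verb.startswith(READ_ONLY_PREFIXES):
                found.append(action)
    return found


if __name__ == "__main__":
    # Constructed placeholders: owner account 111111111111 shares a subnet
    # with account 222222222222.
    demo_policy = build_resource_policy(
        SUBNET_PERMISSION,
        "arn:aws:ec2:us-east-1:111111111111:subnet/subnet-0example",
        ["arn:aws:iam::222222222222:root"],
    )
    print(json.dumps(demo_policy, indent=2))
    print("state-changing actions granted:", mutating_actions(demo_policy))
```

Running the module prints the generated policy and then the two actions (ec2:RunInstances and ec2:CreateNetworkInterface) that let the recipient account change state in the owner's subnet; ec2:DescribeSubnets is read-only. The prefix list is a heuristic for review, not an AWS classification.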

AWS-managed permissions

AWS RAM provides the following default AWS-managed permissions:

AWS App Mesh

AWS RAM provides the following default AWS-managed permissions for shareable AWS App Mesh resources.

Resource type: appmesh:Mesh

Name: AWSRAMDefaultPermissionAppMesh

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAppMesh

Allowed actions:

  • appmesh:CreateVirtualNode
  • appmesh:CreateVirtualRouter
  • appmesh:CreateRoute
  • appmesh:CreateVirtualService
  • appmesh:UpdateVirtualNode
  • appmesh:UpdateVirtualRouter
  • appmesh:UpdateRoute
  • appmesh:UpdateVirtualService
  • appmesh:ListVirtualNodes
  • appmesh:ListVirtualRouters
  • appmesh:ListRoutes
  • appmesh:ListVirtualServices
  • appmesh:DescribeVirtualNode
  • appmesh:DescribeVirtualRouter
  • appmesh:DescribeRoute
  • appmesh:DescribeVirtualService
  • appmesh:DeleteVirtualNode
  • appmesh:DeleteVirtualRouter
  • appmesh:DeleteRoute
  • appmesh:DeleteVirtualService

Amazon Aurora

AWS RAM provides the following default AWS-managed permissions for shareable Amazon Aurora resources.

Resource type: rds:Cluster

Name: AWSRAMDefaultPermissionRDSCluster

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionRDSCluster

Allowed actions:

  • rds:RestoreDbClusterToPointInTime
  • rds:DescribeDbClusters

AWS Certificate Manager Private Certificate Authority

AWS RAM provides the following default AWS-managed permissions for shareable ACM Private CA resources.

Resource type: acm-pca:CertificateAuthority

Name: AWSRAMDefaultPermissionCertificateAuthority

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCertificateAuthority

Allowed actions:

  • acm-pca:IssueCertificate
  • acm-pca:DescribeCertificateAuthority
  • acm-pca:GetCertificate
  • acm-pca:GetCertificateAuthorityCertificate
  • acm-pca:ListPermissions
  • acm-pca:ListTags

AWS CodeBuild

AWS RAM provides the following default AWS-managed permissions for shareable AWS CodeBuild resources.

Resource type: codebuild:Project

Name: AWSRAMDefaultPermissionCodeBuildProject

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildProject

Allowed actions:

  • codebuild:BatchGetBuilds
  • codebuild:BatchGetProjects
  • codebuild:ListBuildsForProject

Resource type: codebuild:ReportGroup

Name: AWSRAMDefaultPermissionCodeBuildReportGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildReportGroup

Allowed actions:

  • codebuild:BatchGetReports
  • codebuild:BatchGetReportGroups
  • codebuild:ListReportsForReportGroup
  • codebuild:DescribeTestCases

Amazon EC2

AWS RAM provides the following default AWS-managed permissions for shareable Amazon EC2 resources.

Resource type: ec2:CapacityReservation

Name: AWSRAMDefaultPermissionCapacityReservation

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCapacityReservation

Allowed actions:

  • ec2:RunInstances
  • ec2:DescribeCapacityReservations

Resource type: ec2:DedicatedHost

Name: AWSRAMDefaultPermissionDedicatedHost

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionDedicatedHost

Allowed actions:

  • ec2:RunInstances
  • ec2:StartInstances
  • ec2:DescribeHosts
  • ec2:ModifyInstancePlacement

Amazon EC2 Image Builder

AWS RAM provides the following default AWS-managed permissions for shareable Amazon EC2 Image Builder resources.

Resource type: imagebuilder:Component

Name: AWSRAMDefaultPermissionImageBuilderComponent

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderComponent

Allowed actions:

  • imagebuilder:GetComponent
  • imagebuilder:ListComponents

Resource type: imagebuilder:Image

Name: AWSRAMDefaultPermissionImageBuilderImage

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderImage

Allowed actions:

  • imagebuilder:GetImage
  • imagebuilder:ListImages

Resource type: imagebuilder:ImageRecipe

Name: AWSRAMDefaultPermissionImageBuilderImageRecipe

ARN: arn:aws:ram::aws:permission/imagebuilder:AWSRAMDefaultPermissionImageBuilderImageRecipe

Allowed actions:

  • imagebuilder:GetImageRecipe
  • imagebuilder:ListImageRecipes

Resource type: imagebuilder:ContainerRecipe

Name: AWSRAMDefaultPermissionImageBuilderContainerRecipe

ARN: arn:aws:ram::aws:permission/imagebuilder:AWSRAMDefaultPermissionImageBuilderContainerRecipe

Allowed actions:

  • imagebuilder:GetContainerRecipe
  • imagebuilder:ListContainerRecipes

AWS Glue

AWS RAM provides the following default AWS-managed permissions for shareable AWS Glue resources.

Resource type: glue:Catalog

Name: AWSRAMDefaultPermissionGlueCatalog

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueCatalog

Allowed actions:

  • glue:GetTable
  • glue:GetTableVersion
  • glue:GetTableVersions
  • glue:GetPartition
  • glue:GetPartitions
  • glue:BatchGetPartition
  • glue:GetDatabase
  • glue:GetTables
  • glue:GetDatabases
  • glue:SearchTables

Resource type: glue:Database

Name: AWSRAMDefaultPermissionGlueDatabase

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueDatabase

Allowed actions:

  • glue:GetTable
  • glue:GetTableVersion
  • glue:GetTableVersions
  • glue:GetPartition
  • glue:GetPartitions
  • glue:BatchGetPartition
  • glue:GetDatabase
  • glue:GetDatabases
  • glue:GetTables
  • glue:SearchTables

Resource type: glue:Table

Name: AWSRAMDefaultPermissionGlueTable

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueTable

Allowed actions:

  • glue:GetTable
  • glue:GetTableVersion
  • glue:GetTableVersions
  • glue:GetPartition
  • glue:GetPartitions
  • glue:BatchGetPartition
  • glue:SearchTables

AWS License Manager

AWS RAM provides the following default AWS-managed permissions for shareable AWS License Manager resources.

Resource type: license-manager:LicenseConfiguration

Name: AWSRAMDefaultPermissionLicenseConfiguration

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLicenseConfiguration

Allowed actions:

  • license-manager:GetLicenseConfiguration
  • license-manager:ListLicenseConfigurations
  • license-manager:ListAssociationsForLicenseConfiguration
  • license-manager:ListUsageForLicenseConfiguration

AWS Network Firewall

AWS RAM provides the following default AWS-managed permissions for shareable AWS Network Firewall resources.

Resource type: network-firewall:FirewallPolicy

Name: AWSRAMDefaultPermissionNetworkFirewallPolicy

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallPolicy

Allowed actions:

  • network-firewall:CreateFirewall
  • network-firewall:UpdateFirewall
  • network-firewall:AssociateFirewallPolicy
  • network-firewall:ListFirewallPolicies

Resource type: network-firewall:StatefulRuleGroup

Name: AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup

Allowed actions:

  • network-firewall:CreateFirewallPolicy
  • network-firewall:UpdateFirewallPolicy
  • network-firewall:ListRuleGroups

Resource type: network-firewall:StatelessRuleGroup

Name: AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup

Allowed actions:

  • network-firewall:CreateFirewallPolicy
  • network-firewall:UpdateFirewallPolicy
  • network-firewall:ListRuleGroups

AWS Outposts

AWS RAM provides the following default AWS-managed permissions for shareable AWS Outposts resources.

Note

For the default AWS-managed permissions for shared subnets and local gateway route tables on Outposts, see Subnets and local gateway route tables.

Resource type: outposts:Outpost

Name: AWSRAMDefaultPermissionOutpostsOutpost

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionOutpostsOutpost

Allowed actions:

  • outposts:GetOutpost
  • outposts:GetOutpostInstanceTypes
  • outposts:ListOutposts

AWS Resource Groups

AWS RAM provides the following default AWS-managed permissions for shareable AWS Resource Groups resources.

Resource type: resource-groups:Group

Name: AWSRAMDefaultPermissionResourceGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResourceGroup

Allowed actions:

  • resource-groups:GetGroup
  • resource-groups:GetGroupConfiguration
  • resource-groups:ListGroupResources

Amazon Route 53

AWS RAM provides the following default AWS-managed permissions for shareable Amazon Route 53 resources.

Resource type: route53resolver:FirewallRuleGroup

Name: AWSRAMDefaultPermissionResolverFirewallRuleGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverFirewallRuleGroup

Allowed actions:

  • route53resolver:GetFirewallRuleGroup
  • route53resolver:ListFirewallRuleGroups

Resource type: route53resolver:ResolverRule

Name: AWSRAMDefaultPermissionResolverRule

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverRule

Allowed actions:

  • route53resolver:GetResolverRule
  • route53resolver:AssociateResolverRule
  • route53resolver:DisassociateResolverRule
  • route53resolver:ListResolverRules
  • route53resolver:ListResolverRuleAssociations

Resource type: route53resolver:ResolverQueryLogConfig

Name: AWSRAMDefaultPermissionResolverQueryLogConfig

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverQueryLogConfig

Allowed actions:

  • route53resolver:AssociateResolverQueryLogConfig
  • route53resolver:DisassociateResolverQueryLogConfig
  • route53resolver:ListResolverQueryLogConfigs

Amazon VPC

AWS RAM provides the following default AWS-managed permissions for shareable Amazon VPC resources.

Resource type: ec2:PrefixList

Name: AWSRAMDefaultPermissionPrefixList

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionPrefixList

Allowed actions:

  • ec2:DescribeManagedPrefixLists
  • ec2:GetManagedPrefixListEntries

Resource type: ec2:Subnet

Name: AWSRAMDefaultPermissionSubnet

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet

Allowed actions:

  • ec2:RunInstances
  • ec2:CreateNetworkInterface
  • ec2:DescribeSubnets

Resource type: ec2:TrafficMirrorTarget

Name: AWSRAMDefaultPermissionTrafficMirror

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTrafficMirror

Allowed actions:

  • ec2:DescribeTrafficMirrorTargets
  • ec2:CreateTrafficMirrorSession
  • ec2:DeleteTrafficMirrorSession
  • ec2:DescribeTrafficMirrorSessions

Resource type: ec2:TransitGateway

Name: AWSRAMDefaultPermissionTransitGateway

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTransitGateway

Allowed actions:

  • ec2:DescribeTransitGateways
  • ec2:CreateTransitGatewayVpcAttachment
  • ec2:ModifyTransitGatewayVpcAttachment
  • ec2:DeleteTransitGatewayVpcAttachment

Resource type: ec2:LocalGatewayRouteTable

Name: AWSRAMDefaultPermissionLocalGateway

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLocalGateway

Allowed actions:

  • ec2:CreateLocalGatewayRouteTableVpcAssociation
  • ec2:DeleteLocalGatewayRouteTableVpcAssociation
  • ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations
  • ec2:DescribeLocalGatewayRouteTableVpcAssociations
  • ec2:DescribeLocalGatewayRouteTables
  • ec2:DescribeLocalGatewayVirtualInterfaceGroups
  • ec2:DescribeLocalGatewayVirtualInterfaces
  • ec2:DescribeLocalGateways
  • ec2:SearchTransitGatewayRoutes