AWS RAM Permissions - AWS Resource Access Manager

AWS RAM Permissions

AWS RAM permissions are policy fragments used by AWS RAM. They control which actions principals are allowed to perform on resources that are shared with them. AWS RAM permissions are used to generate the resource-based policies that are attached to shared resources.

AWS RAM includes default AWS-managed permissions for each supported shareable resource type. These managed permissions are created and managed by AWS, and they define the allowed actions for each shareable resource type. For more information about the default AWS-managed permissions, see AWS-Managed Permissions.

How AWS RAM Permissions Work

When you create a resource share, AWS RAM automatically attaches the default permission for each associated resource type to the resource share. For example, if you create a resource share and associate a subnet and a Capacity Reservation, AWS RAM automatically attaches the subnet and Capacity Reservation permissions to the resource share.

After the resource share has been created, the permissions are provided to the respective resource-owning services. The resource-owning service uses the provided permissions to create resource-based policies for each of the resources included in the resource share. The resulting resource-based policies created by the resource-owning service include the following elements:

  • Resource—The resource included in the resource share.

  • Effect—The effect of the AWS RAM permission. Always allow.

  • Principal—The ARNs of the principals associated with the resource share.

  • Action—The standard actions defined in the AWS RAM permission.

The resource-based policies are attached to the shared resources. They allow the specified principals to perform the allowed actions on the resource. Because the effect is always Allow, a resource share can only grant access, never restrict it; a principal in the consuming account must also have an identity-based policy that allows the action before the call succeeds.
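To make the four policy elements concrete, the following Python script (an added example, not AWS code) composes the resource-based policy that a resource-owning service would derive from a share, evaluates only the resource-policy side of a request, and audits which actions in a managed permission can change state rather than merely read it. The permission contents are transcribed from the AWS-managed permission tables later on this page; the subnet and principal ARNs are made-up placeholders, and the read-only prefix list is this example's own heuristic, not an AWS classification.

```python
"""Model how an AWS RAM managed permission becomes a resource-based policy.

Illustrative example, not AWS code. Permission contents are transcribed from
the tables on this page; resource and principal ARNs are placeholders.
"""
import json
from dataclasses import dataclass
from typing import Dict, List

# Heuristic: actions whose API name starts with one of these only read state.
# Everything else is treated as a write (mutating) grant in the audit below.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "BatchGet", "Search")


@dataclass(frozen=True)
class RamPermission:
    name: str
    arn: str
    resource_type: str
    actions: List[str]


# Transcribed from the AWS-managed permission tables on this page.
SUBNET = RamPermission(
    name="AWSRAMDefaultPermissionSubnet",
    arn="arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet",
    resource_type="ec2:Subnet",
    actions=["ec2:RunInstances", "ec2:CreateNetworkInterface", "ec2:DescribeSubnets"],
)
TRANSIT_GATEWAY = RamPermission(
    name="AWSRAMDefaultPermissionTransitGateway",
    arn="arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTransitGateway",
    resource_type="ec2:TransitGateway",
    actions=[
        "ec2:DescribeTransitGateways",
        "ec2:CreateTransitGatewayVpcAttachment",
        "ec2:ModifyTransitGatewayVpcAttachment",
        "ec2:DeleteTransitGatewayVpcAttachment",
    ],
)
PREFIX_LIST = RamPermission(
    name="AWSRAMDefaultPermissionPrefixList",
    arn="arn:aws:ram::aws:permission/AWSRAMDefaultPermissionPrefixList",
    resource_type="ec2:PrefixList",
    actions=["ec2:DescribeManagedPrefixLists", "ec2:GetManagedPrefixListEntries"],
)


def build_resource_policy(perm: RamPermission, resource_arn: str,
                          principals: List[str]) -> Dict:
    """Compose the resource-based policy derived from a share.

    Mirrors the four elements named on this page: Resource, Effect (always
    Allow), Principal (the share's principals) and Action (the permission's
    actions), laid out in standard IAM policy JSON.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": perm.name,
            "Effect": "Allow",
            "Principal": {"AWS": list(principals)},
            "Action": list(perm.actions),
            "Resource": resource_arn,
        }],
    }


def is_allowed(policy: Dict, principal: str, action: str, resource_arn: str) -> bool:
    """Evaluate only the resource-based side: an Allow statement must match.

    Real cross-account access also requires the caller's identity-based policy
    to allow the action; that half is deliberately not modelled here. No
    matching statement means implicit deny.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if principal not in stmt["Principal"].get("AWS", []):
            continue
        if action not in stmt["Action"]:
            continue
        if stmt["Resource"] != resource_arn:
            continue
        return True
    return False


def mutating_actions(perm: RamPermission) -> List[str]:
    """Return the actions in a permission that can change state, not just read it."""
    mutating = []
    for action in perm.actions:
        _, api = action.split(":", 1)
        if not api.startswith(READ_ONLY_PREFIXES):
            mutating.append(action)
    return mutating


def audit_share(perms: List[RamPermission]) -> Dict[str, List[str]]:
    """Map each permission name to the write actions a share recipient would gain."""
    return {p.name: mutating_actions(p) for p in perms}


if __name__ == "__main__":
    policy = build_resource_policy(
        SUBNET,
        "arn:aws:ec2:us-east-1:111111111111:subnet/subnet-0123456789abcdef0",
        ["arn:aws:iam::222222222222:root"],
    )
    print(json.dumps(policy, indent=2))
    for name, writes in audit_share([SUBNET, TRANSIT_GATEWAY, PREFIX_LIST]).items():
        print(name, "write actions:", writes or "none")
```

Running the audit over the three transcribed permissions shows why a share is not a read-only operation: the subnet permission lets recipients launch instances and create network interfaces in your subnet, and the transit gateway permission lets them create, modify and delete VPC attachments, while the prefix list permission grants only reads.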

AWS-Managed Permissions

AWS RAM provides the following default AWS-managed permissions:

AWS App Mesh

AWS RAM provides the following default AWS-managed permissions for shareable AWS App Mesh resources.

Resource type | Permission name and ARN | Effect | Actions
appmesh:Mesh

Name: AWSRAMDefaultPermissionAppMesh

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAppMesh

Allow
  • appmesh:CreateVirtualNode

  • appmesh:CreateVirtualRouter

  • appmesh:CreateRoute

  • appmesh:CreateVirtualService

  • appmesh:UpdateVirtualNode

  • appmesh:UpdateVirtualRouter

  • appmesh:UpdateRoute

  • appmesh:UpdateVirtualService

  • appmesh:ListVirtualNodes

  • appmesh:ListVirtualRouters

  • appmesh:ListRoutes

  • appmesh:ListVirtualServices

  • appmesh:DescribeVirtualNode

  • appmesh:DescribeVirtualRouter

  • appmesh:DescribeRoute

  • appmesh:DescribeVirtualService

  • appmesh:DeleteVirtualNode

  • appmesh:DeleteVirtualRouter

  • appmesh:DeleteRoute

  • appmesh:DeleteVirtualService

Amazon Aurora

AWS RAM provides the following default AWS-managed permissions for shareable Amazon Aurora resources.

Resource type | Permission name and ARN | Effect | Actions
rds:Cluster

Name: AWSRAMDefaultPermissionRDSCluster

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionRDSCluster

Allow
  • rds:RestoreDbClusterToPointInTime

  • rds:DescribeDbClusters

AWS CodeBuild

AWS RAM provides the following default AWS-managed permissions for shareable AWS CodeBuild resources.

Resource type | Permission name and ARN | Effect | Actions
codebuild:Project

Name: AWSRAMDefaultPermissionCodeBuildProject

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildProject

Allow
  • codebuild:BatchGetBuilds

  • codebuild:BatchGetProjects

  • codebuild:ListBuildsForProject

codebuild:ReportGroup

Name: AWSRAMDefaultPermissionCodeBuildReportGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildReportGroup

Allow
  • codebuild:BatchGetReports

  • codebuild:BatchGetReportGroups

  • codebuild:ListReportsForReportGroup

  • codebuild:DescribeTestCases

Amazon EC2

AWS RAM provides the following default AWS-managed permissions for shareable Amazon EC2 resources.

Resource type | Permission name and ARN | Effect | Actions
ec2:CapacityReservation

Name: AWSRAMDefaultPermissionCapacityReservation

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCapacityReservation

Allow
  • ec2:RunInstances

  • ec2:DescribeCapacityReservations

ec2:DedicatedHost

Name: AWSRAMDefaultPermissionDedicatedHost

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionDedicatedHost

Allow
  • ec2:RunInstances

  • ec2:StartInstances

  • ec2:DescribeHosts

  • ec2:ModifyInstancePlacement

Amazon EC2 Image Builder

AWS RAM provides the following default AWS-managed permissions for shareable Amazon EC2 Image Builder resources.

Resource type | Permission name and ARN | Effect | Actions
imagebuilder:Component

Name: AWSRAMDefaultPermissionImageBuilderComponent

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderComponent

Allow
  • imagebuilder:GetComponent

  • imagebuilder:ListComponents

imagebuilder:Image

Name: AWSRAMDefaultPermissionImageBuilderImage

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderImage

Allow
  • imagebuilder:GetImage

  • imagebuilder:ListImages

imagebuilder:ImageRecipe

Name: AWSRAMDefaultPermissionImageBuilderImageRecipe

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderImageRecipe

Allow
  • imagebuilder:GetImageRecipe

  • imagebuilder:ListImageRecipes

AWS Glue

AWS RAM provides the following default AWS-managed permissions for shareable AWS Glue resources.

Resource type | Permission name and ARN | Effect | Actions
glue:Catalog

Name: AWSRAMDefaultPermissionGlueCatalog

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueCatalog

Allow
  • glue:GetTable

  • glue:GetTableVersion

  • glue:GetTableVersions

  • glue:GetPartition

  • glue:GetPartitions

  • glue:BatchGetPartition

  • glue:GetDatabase

  • glue:GetTables

  • glue:GetDatabases

  • glue:SearchTables

glue:Database

Name: AWSRAMDefaultPermissionGlueDatabase

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueDatabase

Allow
  • glue:GetTable

  • glue:GetTableVersion

  • glue:GetTableVersions

  • glue:GetPartition

  • glue:GetPartitions

  • glue:BatchGetPartition

  • glue:GetDatabase

  • glue:GetDatabases

  • glue:GetTables

  • glue:SearchTables

glue:Table

Name: AWSRAMDefaultPermissionGlueTable

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueTable

Allow
  • glue:GetTable

  • glue:GetTableVersion

  • glue:GetTableVersions

  • glue:GetPartition

  • glue:GetPartitions

  • glue:BatchGetPartition

  • glue:SearchTables

AWS License Manager

AWS RAM provides the following default AWS-managed permissions for shareable AWS License Manager resources.

Resource type | Permission name and ARN | Effect | Actions
license-manager:LicenseConfiguration

Name: AWSRAMDefaultPermissionLicenseConfiguration

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLicenseConfiguration

Allow
  • license-manager:GetLicenseConfiguration

  • license-manager:ListLicenseConfigurations

  • license-manager:ListAssociationsForLicenseConfiguration

  • license-manager:ListUsageForLicenseConfiguration

AWS Resource Groups

AWS RAM provides the following default AWS-managed permissions for shareable AWS Resource Groups resources.

Resource type | Permission name and ARN | Effect | Actions
resource-groups:Group

Name: AWSRAMDefaultPermissionResourceGroup

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResourceGroup

Allow
  • resource-groups:GetGroup

  • resource-groups:GetGroupConfiguration

  • resource-groups:ListGroupResources

Amazon Route 53

AWS RAM provides the following default AWS-managed permissions for shareable Amazon Route 53 resources.

Resource type | Permission name and ARN | Effect | Actions
route53resolver:ResolverRule

Name: AWSRAMDefaultPermissionResolverRule

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverRule

Allow
  • route53resolver:GetResolverRule

  • route53resolver:AssociateResolverRule

  • route53resolver:DisassociateResolverRule

  • route53resolver:ListResolverRules

  • route53resolver:ListResolverRuleAssociations

Amazon VPC

AWS RAM provides the following default AWS-managed permissions for shareable Amazon VPC resources.

Resource type | Permission name and ARN | Effect | Actions
ec2:PrefixList

Name: AWSRAMDefaultPermissionPrefixList

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionPrefixList

Allow
  • ec2:DescribeManagedPrefixLists

  • ec2:GetManagedPrefixListEntries

ec2:Subnet

Name: AWSRAMDefaultPermissionSubnet

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet

Allow
  • ec2:RunInstances

  • ec2:CreateNetworkInterface

  • ec2:DescribeSubnets

ec2:TrafficMirrorTarget

Name: AWSRAMDefaultPermissionTrafficMirror

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTrafficMirror

Allow
  • ec2:DescribeTrafficMirrorTargets

  • ec2:CreateTrafficMirrorSession

  • ec2:DeleteTrafficMirrorSession

  • ec2:DescribeTrafficMirrorSessions

ec2:TransitGateway

Name: AWSRAMDefaultPermissionTransitGateway

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTransitGateway

Allow
  • ec2:DescribeTransitGateways

  • ec2:CreateTransitGatewayVpcAttachment

  • ec2:ModifyTransitGatewayVpcAttachment

  • ec2:DeleteTransitGatewayVpcAttachment