

# Managing permissions in AWS RAM


In AWS RAM, there are [two types of managed permissions](getting-started-terms-and-concepts.md#term-managed-permission-version), AWS managed permissions and customer managed permissions.

Managed permissions define how a consumer can act on the resources in a resource share. When you create a resource share, you must specify which managed permission to use for each resource type that is included in the resource share. The policy template in the managed permission contains everything needed for a resource-based policy except for the principal and the resource. The resource's Amazon Resource Name (ARN) and the ARN of the principals associated with the resource share complete the elements of a resource-based policy. AWS RAM then authors the resource-based policy that it attaches to all resources in that resource share.

Each managed permission can have one or more versions. One version is designated as the *default* version for that managed permission. Occasionally, AWS updates an AWS managed permission for a resource type by creating a new version and designating that new version as the default. You can also update your customer managed permissions by creating new versions. Managed permissions that are already attached to a resource share are ***not*** automatically updated. The AWS RAM console does indicate when a new default version is available, and you can review the changes in the new default version compared to the previous one.

**Note**  
We recommend that you update to the new version of the AWS managed permission as soon as possible. These updates typically add support for new or updated AWS services that can share additional resource types using AWS RAM. A new default version can also address and correct security vulnerabilities.

**Important**  
You can only attach the default version of the managed permission to a new resource share. 

You can retrieve the list of the available managed permissions at any time. For more information, see [Viewing managed permissions](working-with-sharing-view-permissions.md).

**Topics**
+ [Viewing managed permissions](working-with-sharing-view-permissions.md)
+ [Creating and using customer managed permissions in AWS RAM](create-customer-managed-permissions.md)
+ [Updating AWS managed permissions to a newer version](working-with-sharing-update-permissions.md)
+ [Considerations for using customer managed permissions in AWS RAM](managed-permission-considerations.md)
+ [How managed permissions work](#permissions-work)
+ [Types of managed permissions](#permissions-types)

# Viewing managed permissions

You can view details about managed permissions that are available to assign to resource types in your resource shares. You can identify the managed permissions that are assigned to resource shares. To see these details, use the **Managed permissions library** in the AWS RAM console.

------
#### [ Console ]

**To view details about managed permissions available in AWS RAM**

1. Navigate to the **[Managed permissions library](https://console.aws.amazon.com/ram/home#Permissions:)** page in the AWS RAM console.

1. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia), (`us-east-1`). For more information about sharing global resources, see [Sharing Regional resources compared to global resources](working-with-regional-vs-global.md). Although all Regions share the same available AWS managed permissions, this affects the number of associated resource shares displayed for each managed permission in [Step 5](#step-5). Customer managed permissions are only available in the Region that they were created in.

1. In the **Managed permissions** list, choose the managed permission for which you want to view details. You can use the search box to filter the list of managed permissions by entering part of a name or a resource type, or by choosing a managed permission type from the dropdown list.

1. (Optional) To change the display preferences, choose the gear icon in the upper right of the **Managed permissions** panel. You can change the following preferences:
   + **Page size** – The number of resources displayed on each page.
   + **Wrap lines** – Whether to wrap lines in table rows.
   + **Columns** – Whether to display or hide information about the resource type and associated shares.

   After you finish setting display preferences, choose **Confirm**.

1. <a name="step-5"></a>For each managed permission, the list displays the following information:
   + **Managed permission name** – The name of the managed permission. 
   + **Resource type** – The resource type that is associated with the managed permission.
   + **Managed permission type** – Whether the managed permission is an AWS managed permission or a customer managed permission.
   + **Associated shares** – The number of resource shares that are associated with the managed permission. If a number appears, then you can choose the number to display a table of resource shares with the following information:
     + **Resource share name** – The name of the resource share that is associated with the managed permission.
     + **Managed permission version** – The version of the managed permission that is attached to this resource share.
     + **Owner** – The AWS account number of the resource share owner.
     + **Allow external principals** – Whether that resource share allows sharing with principals outside the organization in AWS Organizations.
     + **Status** – The current status of the association between the resource share and the managed permission.
   + **Status** – Describes whether the managed permission is:
     + **Attachable** – You can attach the managed permission to your resource shares.
     + **Unattachable** – You can't attach the managed permission to your resource shares.
     + **Deleting** – The managed permission is no longer active and will soon be deleted.
     + **Deleted** – The managed permission has been deleted. It remains visible for two hours before it disappears from the **Managed permission library**.

   You can choose the managed permission's name to display more information about that managed permission. The details page for a managed permission displays the following information:
   + **Resource type** – The type of AWS resource to which this managed permission applies.
   + **Number of versions** – You can have up to five versions of a customer managed permission. 
   + **Default version** – Specifies which version is the default and therefore assigned automatically to all new resource shares that use this managed permission. Any existing resource shares that use different versions display a prompt for you to update the resource share to the default version.
   + **ARN** – The [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) of the managed permission. The ARNs for AWS managed permissions use the following format:

     `arn:aws:ram::aws:permission/AWSRAM[DefaultPermission]ShareableResourceType`

     The substring `[DefaultPermission]` (without the brackets in an actual ARN) is present in the name of only the one managed permission for that resource type that is designated the default.
   + **Managed permission versions** – You can choose which version's information to display in the tabs below this dropdown list.
     + **Details** tab:
       + **Creation time** – The date and time when this version of the managed permission was created.
       + **Last updated time** – The date and time when this version of the managed permission was last updated.
     + **Policy template** tab – The list of service actions and conditions, if applicable, that this version of the managed permission allows principals to perform on the associated resource type.
     + **Associated resource shares** – The list of resource shares that use this version of the managed permission.

------
#### [ AWS CLI ]

**To view details about managed permissions available in AWS RAM**  
You can use the [list-permissions](https://docs.aws.amazon.com/cli/latest/reference/ram/list-permissions.html) command to get a list of the managed permissions available to use on resource shares in the current AWS Region for the calling account.

```
$ aws ram list-permissions
{
    "permissions": [
        {
            "arn": "arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority",
            "version": "1",
            "defaultVersion": true,
            "name": "AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority",
            "resourceType": "acm-pca:CertificateAuthority",
            "status": "ATTACHABLE",
            "creationTime": "2022-06-30T13:03:31.732000-07:00",
            "lastUpdatedTime": "2022-06-30T13:03:31.732000-07:00",
            "isResourceTypeDefault": false,
            "permissionType": "AWS_MANAGED"
        },
        {
            "arn": "arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPIPassthroughIssuanceCertificateAuthority",
            "version": "1",
            "defaultVersion": true,
            "name": "AWSRAMBlankEndEntityCertificateAPIPassthroughIssuanceCertificateAuthority",
            "resourceType": "acm-pca:CertificateAuthority",
            "status": "ATTACHABLE",
            "creationTime": "2022-11-18T07:05:46.976000-08:00",
            "lastUpdatedTime": "2022-11-18T07:05:46.976000-08:00",
            "isResourceTypeDefault": false,
            "permissionType": "AWS_MANAGED"
        },

        ... TRUNCATED FOR BREVITY ... RUN COMMAND TO SEE COMPLETE LIST OF PERMISSIONS ...

        {
            "arn": "arn:aws:ram::aws:permission/AWSRAMVPCPermissionsNetworkManagerCoreNetwork",
            "version": "1",
            "defaultVersion": true,
            "name": "AWSRAMVPCPermissionsNetworkManagerCoreNetwork",
            "resourceType": "networkmanager:CoreNetwork",
            "status": "ATTACHABLE",
            "creationTime": "2022-06-30T13:03:46.557000-07:00",
            "lastUpdatedTime": "2022-06-30T13:03:46.557000-07:00",
            "isResourceTypeDefault": false,
            "permissionType": "AWS_MANAGED"
        },
        {
            "arn": "arn:aws:ram:us-east-1:123456789012:permission/My-Test-CMP",
            "version": "1",
            "defaultVersion": true,
            "name": "My-Test-CMP",
            "resourceType": "ec2:IpamPool",
            "status": "ATTACHABLE",
            "creationTime": "2023-03-08T06:54:10.038000-08:00",
            "lastUpdatedTime": "2023-03-08T06:54:10.038000-08:00",
            "isResourceTypeDefault": false,
            "permissionType": "CUSTOMER_MANAGED"
        }
    ]
}
```

You can also find the ARN of a specific managed permission by its name in the `--query` parameter of the `list-permissions` AWS CLI command. The following example filters the output to include only elements in the `permissions` array results that match the specified name. We also specify that we want to see only the ARN field in the results, and in plain text format instead of the default JSON.

```
$ aws ram list-permissions \
    --query "permissions[?name == 'My-Test-CMP'].arn" \
    --output text
arn:aws:ram:us-east-1:123456789012:permission/My-Test-CMP
```

After you find the ARN of the specific managed permission you're interested in, you can retrieve its details, including its JSON policy text, by running the [get-permission](https://docs.aws.amazon.com/cli/latest/reference/ram/get-permission.html) command.

```
$ aws ram get-permission \
    --permission-arn arn:aws:ram:us-east-1:123456789012:permission/My-Test-CMP
{
    "permission": {
        "arn": "arn:aws:ram:us-east-1:123456789012:permission/My-Test-CMP",
        "version": "1",
        "defaultVersion": true,
        "name": "My-Test-CMP",
        "resourceType": "ec2:IpamPool",
        "permission": "{\n\t\"Effect\": \"Allow\",\n\t\"Action\": [\n\t\t\"ec2:GetIpamPoolAllocations\",\n\t\t\"ec2:GetIpamPoolCidrs\",\n\t\t\"ec2:AllocateIpamPoolCidr\",\n\t\t\"ec2:AssociateVpcCidrBlock\",\n\t\t\"ec2:CreateVpc\",\n\t\t\"ec2:ProvisionPublicIpv4PoolCidr\",\n\t\t\"ec2:ReleaseIpamPoolAllocation\"\n\t]\n}",
        "creationTime": "2023-03-08T06:54:10.038000-08:00",
        "lastUpdatedTime": "2023-03-08T06:54:10.038000-08:00",
        "isResourceTypeDefault": false,
        "permissionType": "CUSTOMER_MANAGED",
        "featureSet": "STANDARD",
        "status": "ATTACHABLE"
    }
}
```
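The `permission` field in the `get-permission` output above is itself a JSON document serialised as a string, and, as the overview at the top of this page explains, it carries everything for a resource-based policy except `Principal` and `Resource`. The following added example (not part of the AWS documentation or of AWS RAM's own implementation) parses that output and models how the template, a resource ARN and the associated principals combine into the resource-based policy that AWS RAM authors. The sample response is copied from the output above; the IPAM pool ARN and the principal account are constructed placeholders, and rendering account principals as their root ARN is this script's assumption.

```python
import json

# Constructed sample: the get-permission response shown above, reduced to the fields used here.
# The inner "permission" value is a JSON string inside the JSON response.
GET_PERMISSION_RESPONSE = {
    "permission": {
        "arn": "arn:aws:ram:us-east-1:123456789012:permission/My-Test-CMP",
        "version": "1",
        "defaultVersion": True,
        "name": "My-Test-CMP",
        "resourceType": "ec2:IpamPool",
        "permission": "{\n\t\"Effect\": \"Allow\",\n\t\"Action\": [\n\t\t\"ec2:GetIpamPoolAllocations\",\n\t\t\"ec2:GetIpamPoolCidrs\",\n\t\t\"ec2:AllocateIpamPoolCidr\",\n\t\t\"ec2:AssociateVpcCidrBlock\",\n\t\t\"ec2:CreateVpc\",\n\t\t\"ec2:ProvisionPublicIpv4PoolCidr\",\n\t\t\"ec2:ReleaseIpamPoolAllocation\"\n\t]\n}",
        "permissionType": "CUSTOMER_MANAGED",
        "status": "ATTACHABLE",
    }
}


def load_policy_template(response):
    """Parse the policy template string out of a get-permission response.

    A template supplies Effect, Action and (optionally) Condition; Principal and Resource
    are filled in by AWS RAM, so their presence in a template is treated as an error here.
    """
    template = json.loads(response["permission"]["permission"])
    for element in ("Principal", "Resource"):
        if element in template:
            raise ValueError(f"policy template must not contain {element}")
    return template


def compose_resource_policy(template, resource_arn, principal_account_ids):
    """Illustrate the composition described on this page: the template provides
    Effect/Action/Condition, the shared resource provides Resource, and the principals
    associated with the resource share provide Principal. Account principals are written
    as their root ARN (an assumption of this illustration)."""
    statement = {
        "Effect": template["Effect"],
        "Principal": {"AWS": [f"arn:aws:iam::{acct}:root" for acct in principal_account_ids]},
        "Action": list(template["Action"]),
        "Resource": resource_arn,
    }
    if "Condition" in template:
        statement["Condition"] = template["Condition"]
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    template = load_policy_template(GET_PERMISSION_RESPONSE)
    # Placeholder resource and consumer account, constructed for this example.
    policy = compose_resource_policy(
        template,
        "arn:aws:ec2::123456789012:ipam-pool/ipam-pool-0123456789abcdef0",
        ["111122223333"],
    )
    print(json.dumps(policy, indent=2))
```

Reviewing the composed policy side by side with the template is a quick way to confirm that a customer managed permission grants only the actions you intended before you attach it to a resource share.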

------

# Creating and using customer managed permissions in AWS RAM

AWS Resource Access Manager (AWS RAM) provides at least one AWS managed permission for every resource type that you can share. However, those managed permissions might not provide [least privilege access](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) for your sharing use case. When one of the provided AWS managed permissions doesn't work, you can create your own *customer managed permission*.

Customer managed permissions are managed permissions that you author and maintain by precisely specifying which actions can be performed under which conditions with resources shared using AWS RAM. For example, you want to limit read access for your Amazon VPC IP Address Manager (IPAM) pools, which help you manage your IP addresses at scale. You can create customer managed permissions for your developers to assign IP addresses, but not view the range of IP addresses other developer accounts assign. You can follow the best practice of least privilege, granting only the permissions required to perform tasks on shared resources.

In addition, you can update or delete customer managed permissions as needed.

**Topics**
+ [Create a customer managed permission](#create_cmp)
+ [Create a new version of a customer managed permission](#update_mp)
+ [Choose a different version to be the default for a customer managed permission](#set_new_mp_default_version)
+ [Delete a customer managed permission version](#delete_mp_version)
+ [Delete a customer managed permission](#delete_mp)

## Create a customer managed permission


Customer managed permissions are specific to an AWS Region. Make sure that you create this customer managed permission in the appropriate Region.

------
#### [ Console ]

**To create a customer managed permission**

1. Do one of the following:
   + Navigate to the **[Managed permissions library](https://console.aws.amazon.com/ram/home#Permissions:)**, and choose **Create a customer managed permission**. 
   + Navigate directly to the **[Create a customer managed permission](https://console.aws.amazon.com/ram/home#CreatePermission:)** page in the console.

1. For **Customer managed permission details**, enter a customer managed permission name.

1. Choose the resource type to which this managed permission applies.

1. For **Policy template**, you define which operations are allowed to be performed on this resource type.
   + You can choose **Import managed permission** to use actions from an existing managed permission.
   + Select or deselect access level information to meet your requirements in the visual editor.
   + Add or modify conditions using the **JSON editor**.

1. (Optional) To attach tags to the managed permission, for **Tags**, enter a tag key and value. Add additional tags by choosing **Add new tag**. Repeat this step as needed.

1. When you're done, choose **Create customer managed permission**.

------
#### [ AWS CLI ]

**To create a customer managed permission**
+ Run the command [create-permission](https://docs.aws.amazon.com/cli/latest/reference/ram/create-permission.html) and specify a name, the resource type that the customer managed permission applies to, and the policy template body text.

  The following example command creates a managed permission for the `imagebuilder:Component` resource type. 

  ```
  $ aws ram create-permission \
      --name TestCMP \
      --resource-type imagebuilder:Component \
      --policy-template "{\"Effect\":\"Allow\",\"Action\":[\"imagebuilder:ListComponents\"]}"
  {
      "permission": {
          "arn": "arn:aws:ram:us-east-1:123456789012:permission/TestCMP",
          "version": "1",
          "defaultVersion": true,
          "isResourceTypeDefault": false,
          "name": "TestCMP",
          "resourceType": "imagebuilder:Component",
          "status": "ATTACHABLE",
          "creationTime": 1680033769.401,
          "lastUpdatedTime": 1680033769.401
      }
  }
  ```

------

## Create a new version of a customer managed permission


If the use case for your customer managed permission changes, you can create a new version of the managed permission. This doesn't affect your existing resource shares, only the new resource shares going forward that use this customer managed permission.

Each managed permission can have up to five versions, but you can associate only the default version.

------
#### [ Console ]

**To create a new version of a customer managed permission**

1. Navigate to the **[Managed permissions library](https://console.aws.amazon.com/ram/home#Permissions:)**.

1. Filter the list of managed permissions by **Customer managed**, or search for the name of the customer managed permission that you want to change.

1. From the managed permission details page, under the **Managed permission versions** section, choose **Create version**.

1. For **Policy template**, you can add or remove actions and conditions with the visual editor or JSON editor.

   You also have the option to choose **Import managed permission** to use an existing policy template.

1. When you're finished, choose **Create version** at the bottom of the page.

------
#### [ AWS CLI ]

**To create a new version of a customer managed permission**

1. Find the Amazon Resource Name (ARN) of the managed permission for which you want to create a new version. Do this by calling [list-permissions](https://docs.aws.amazon.com/cli/latest/reference/ram/list-permissions.html) with the `--permission-type CUSTOMER_MANAGED` parameter to include only customer managed permissions.

   ```
   $ aws ram list-permissions --permission-type CUSTOMER_MANAGED
   {
       "permissions": [
           {
               "arn": "arn:aws:ram:us-east-1:123456789012:permission/TestCMP",
               "version": "2",
               "defaultVersion": true,
               "isResourceTypeDefault": false,
               "name": "TestCMP",
               "permissionType": "CUSTOMER_MANAGED",
               "resourceType": "imagebuilder:Component",
               "status": "ATTACHABLE",
               "creationTime": 1680035597.346,
               "lastUpdatedTime": 1680035597.346
           }
       ]
   }
   ```

1. After you have the ARN, you can call the [create-permission-version](https://docs.aws.amazon.com/cli/latest/reference/ram/create-permission-version.html) operation and provide the updated policy template.

   ```
   $ aws ram create-permission-version \
       --permission-arn arn:aws:ram:us-east-1:123456789012:permission/TestCMP \
       --policy-template "{\"Effect\":\"Allow\",\"Action\":[\"imagebuilder:ListComponents\"]}"
   {
       "permission": {
           "arn": "arn:aws:ram:us-east-1:123456789012:permission/TestCMP",
           "version": "2",
           "defaultVersion": true,
           "isResourceTypeDefault": false,
           "name": "TestCMP",
           "status": "ATTACHABLE",
           "resourceType": "imagebuilder:Component",
           "permission": "{\"Effect\":\"Allow\",\"Action\":[\"imagebuilder:ListComponents\"]}",
           "creationTime": 1680038973.79,
           "lastUpdatedTime": 1680038973.79
       }
   }
   ```

   The output includes the version number of the new version.

------

## Choose a different version to be the default for a customer managed permission


You can set another customer managed permission version as the new default version. 

------
#### [ Console ]

**To set a new default version for a customer managed permission**

1. Navigate to the **[Managed permissions library](https://console.aws.amazon.com/ram/home#Permissions:)**.

1. Filter the list of managed permissions by **Customer managed**, or search for the name of the customer managed permission that you want to change.

1. From the Customer managed permission details page, under the **Managed permission versions** section, use the dropdown list to choose the version that you want to set as the new default.

1. Choose **Set as default version**.

1. When the dialog box appears, confirm that you want this version to be the default for all new resource shares that use this customer managed permission. If you agree, choose **Set as default version**.

------
#### [ AWS CLI ]

**To set a new default version for a customer managed permission**

1. Find the version number that you want to set as the default version by calling [list-permission-versions](https://docs.aws.amazon.com/cli/latest/reference/ram/list-permission-versions.html).

   The following example command retrieves the current versions for the specified managed permission.

   ```
   $ aws ram list-permission-versions \
       --permission-arn arn:aws:ram:us-east-1:123456789012:permission/TestCMP
   {
       "permissions": [
           {
               "arn": "arn:aws:ram:us-east-1:123456789012:permission/TestCMP",
               "version": "1",
               "defaultVersion": false,
               "isResourceTypeDefault": false,
               "name": "TestCMP",
               "permissionType": "CUSTOMER_MANAGED",
               "featureSet": "STANDARD",
               "resourceType": "imagebuilder:Component",
               "status": "UNATTACHABLE",
               "creationTime": 1680033769.401,
               "lastUpdatedTime": 1680035597.345
           },
           {
               "arn": "arn:aws:ram:us-east-1:123456789012:permission/TestCMP",
               "version": "2",
               "defaultVersion": true,
               "isResourceTypeDefault": false,
               "name": "TestCMP",
               "permissionType": "CUSTOMER_MANAGED",
               "featureSet": "STANDARD",
               "resourceType": "imagebuilder:Component",
               "status": "ATTACHABLE",
               "creationTime": 1680035597.346,
               "lastUpdatedTime": 1680035597.346
           }
       ]
   }
   ```

1. After you have the version number to set as default, you can call the [set-default-permission-version](https://docs.aws.amazon.com/cli/latest/reference/ram/set-default-permission-version.html) operation.

   ```
   $ aws ram set-default-permission-version \
       --permission-arn arn:aws:ram:us-east-1:123456789012:permission/TestCMP \
       --version 2
   ```

   This command returns no output if successful. You can run [list-permission-versions](https://docs.aws.amazon.com/cli/latest/reference/ram/list-permission-versions.html) again and verify that the `defaultVersion` field of the chosen version is now set to `true`.

------

## Delete a customer managed permission version


You can have up to five versions of each customer managed permission. When a version is no longer needed, and not in use, you can delete it. You can't delete the default version of a customer managed permission. Deleted versions remain visible in the console for up to two hours with a deleted status before they are completely removed.

------
#### [ Console ]

**To delete a customer managed permission version**

1. Navigate to the **[Managed permissions library](https://console.aws.amazon.com/ram/home#Permissions:)**.

1. Filter the list of managed permissions by **Customer managed**, or search for the name of the customer managed permission with the version that you want to delete.

1. Make sure that the version you want to delete isn't currently the default.

1. For the **Versions** section of the page, choose the **Associated resource shares** tab to see if any shares use this version.

   If there are any shares associated, you must change the customer managed permission version before you can delete this version.

1. Choose **Delete version** on the right side of the **Version** section.

1. In the confirmation dialog box, select **Delete** to confirm that you want to delete this version of your customer managed permission.

   Choose **Cancel** if you don't want to delete this version of your customer managed permission.

------
#### [ AWS CLI ]

**To delete one version of a customer managed permission**

1. Call the [list-permission-versions](https://docs.aws.amazon.com/cli/latest/reference/ram/list-permission-versions.html) operation to retrieve the available version numbers.

1. After you have the version number, provide it as a parameter to [delete-permission-version](https://docs.aws.amazon.com/cli/latest/reference/ram/delete-permission-version.html).

   ```
   $ aws ram delete-permission-version \
       --permission-arn arn:aws:ram:us-east-1:123456789012:permission/TestCMP \
       --version 1
   ```

   This command returns no output if successful. You can run [list-permission-versions](https://docs.aws.amazon.com/cli/latest/reference/ram/list-permission-versions.html) again and verify that the version is no longer included in the output.

------

## Delete a customer managed permission


If a customer managed permission is no longer needed, and not in use, you can delete it. You can't delete a customer managed permission that is associated with a resource share. The deleted customer managed permission disappears after two hours. Until then, it remains visible in the **Managed permission library** with a deleted status.

------
#### [ Console ]

**To delete a customer managed permission**

1. Navigate to the **[Managed permissions library](https://console.aws.amazon.com/ram/home#Permissions:)**.

1. Filter the list of managed permissions by **Customer managed**, or search for the name of the customer managed permission that you want to delete.

1. Confirm there are 0 associated shares from the managed permissions list before selecting the customer managed permission.

   If there are still resource shares associated with the managed permission, you must assign another managed permission to all resource shares before you can continue.

1. In the top right corner of the Customer managed permission details page, choose **Delete managed permission**.

1. When the confirmation dialog box appears, choose **Delete** to delete the managed permission.

------
#### [ AWS CLI ]

**To delete a customer managed permission**

1. Find the ARN of the managed permission you want to delete by calling [list-permissions](https://docs.aws.amazon.com/cli/latest/reference/ram/list-permissions.html) with the `--permission-type CUSTOMER_MANAGED` parameter to include only customer managed permissions.

   ```
   $ aws ram list-permissions --permission-type CUSTOMER_MANAGED
   {
       "permissions": [
           {
               "arn": "arn:aws:ram:us-east-1:123456789012:permission/TestCMP",
               "version": "2",
               "defaultVersion": true,
               "isResourceTypeDefault": false,
               "name": "TestCMP",
               "permissionType": "CUSTOMER_MANAGED",
               "resourceType": "imagebuilder:Component",
               "status": "ATTACHABLE",
               "creationTime": 1680035597.346,
               "lastUpdatedTime": 1680035597.346
           }
       ]
   }
   ```

1. After you have the ARN of the managed permission to delete, provide it as a parameter to [delete-permission](https://docs.aws.amazon.com/cli/latest/reference/ram/delete-permission.html).

   ```
   $ aws ram delete-permission \
       --permission-arn arn:aws:ram:us-east-1:123456789012:permission/TestCMP
   {
       "returnValue": true,
       "permissionStatus": "DELETING"
   }
   ```

------

# Updating AWS managed permissions to a newer version

Occasionally, AWS updates the AWS managed permissions available to attach to a resource share for a specific resource type. When AWS does this, it creates a new version of the AWS managed permission. Resource shares that include the specified resource type aren't automatically updated to use the latest version of the managed permission. You must explicitly update the managed permission for each resource share. This extra step is required so that you can evaluate the changes before you apply them to your resource shares.

------
#### [ Console ]

Whenever the console displays a page that lists the permissions associated with a resource share, and one or more of those permissions are using a version other than the default for the permission, the console displays a banner at the top of the console page. The banner indicates that your resource share is using a version other than the default.

In addition, individual permissions can display an **Update to default version** button next to the current version number when that version is not the default.

Choosing that button starts the [**Update resource share**](working-with-sharing-update.md) wizard. On Step 2 of the wizard you can update the version of any non-default permissions to use their default versions.

The changes are not saved until you complete the wizard by choosing **Submit** on the last page of the wizard. 

**Note**  
You can attach only the default version, and you can't revert to another version.  
For customer managed permissions, after you update the permissions to the default version, you can't apply another version to a resource share unless you first set that other version as the default. For example, if you updated a permission to the default version and then found an error that you wanted to roll back, you could designate the previous version as the default. Alternatively, you could create a different new version and then designate that as the default. After you performed one of those options, you would then update your resource shares to use what is now the default version.

------
#### [ AWS CLI ]

**To update the version of an AWS managed permission**

1. Run the command [get-resource-shares](https://docs.aws.amazon.com/cli/latest/reference/ram/get-resource-shares.html) with the `--permission-arn` parameter to specify the [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) of the managed permission that you want to update. This results in the command returning only those resource shares that use that managed permission.

   For example, the following sample command returns details for every resource share that uses the default AWS managed permission for Amazon EC2 capacity reservations.

   ```
   $ aws ram get-resource-shares \
       --resource-owner SELF \
       --permission-arn arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCapacityReservation
   ```

   The output includes the ARN of every resource share with at least one resource whose access is controlled by that managed permission.

1. For each resource share specified in the previous command, run the command [associate-resource-share-permission](https://docs.aws.amazon.com/cli/latest/reference/ram/associate-resource-share-permission.html). Include the `--resource-share-arn` to specify the resource share to update, the `--permission-arn` to specify which AWS managed permission you're updating, and the `--replace` parameter to specify that you want to update the share to use the latest version of that managed permission. You don't need to specify the version number; the default version is automatically used.

   ```
   $ aws ram associate-resource-share-permission \
       --resource-share-arn < ARN of one of the shares from the output of the previous command > \
       --permission-arn arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCapacityReservation \
       --replace
   ```

1. Repeat the command in the previous step for each `ResourceShareArn` that you received in the results from the command in step 1.
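The three steps above as one script, added here as an example and not part of the AWS documentation: it lists the shares that use a permission ARN (following `nextToken` pagination) and re-associates the permission with `replace=True`, the boto3 equivalent of `--replace`. The `client` parameter is any object exposing the two boto3 RAM methods, so the loop can be exercised without AWS credentials; a real `boto3.client("ram")` is created only when the script is run directly.

```python
def list_share_arns(client, permission_arn):
    """Step 1: ARNs of every share owned by this account that uses
    permission_arn. Follows nextToken until the listing is exhausted."""
    arns, token = [], None
    while True:
        kwargs = {"resourceOwner": "SELF", "permissionArn": permission_arn}
        if token:
            kwargs["nextToken"] = token
        page = client.get_resource_shares(**kwargs)
        arns.extend(s["resourceShareArn"] for s in page.get("resourceShares", []))
        token = page.get("nextToken")
        if not token:
            return arns


def update_shares_to_default(client, permission_arn):
    """Steps 2 and 3: re-associate the permission on each share with
    replace=True so the share moves to the permission's current default
    version. No version number is passed, exactly as in the CLI example.
    Returns the ARNs the service reported as updated."""
    updated = []
    for share_arn in list_share_arns(client, permission_arn):
        resp = client.associate_resource_share_permission(
            resourceShareArn=share_arn,
            permissionArn=permission_arn,
            replace=True,
        )
        if resp.get("returnValue", False):
            updated.append(share_arn)
    return updated


if __name__ == "__main__":
    import boto3  # imported here so the functions above work without it

    # Same AWS managed permission as in the CLI example above.
    PERMISSION_ARN = ("arn:aws:ram::aws:permission/"
                      "AWSRAMDefaultPermissionCapacityReservation")
    for arn in update_shares_to_default(boto3.client("ram"), PERMISSION_ARN):
        print("updated", arn)
```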

------

# Considerations for using customer managed permissions in AWS RAM

Customer managed permissions are only available in the AWS Region that you create them in. Not all resource types support customer managed permissions. For a list of supported resource types in AWS Resource Access Manager, see [Shareable AWS resources](shareable.md).

Customer managed permissions with multiple statements aren't supported. You can only use single non-negating operators in customer managed permissions.

The following conditions aren't supported in customer managed permissions:
+ Condition keys used to match properties of the principal:
  + `aws:PrincipalOrgId`
  + `aws:PrincipalOrgPaths`
  + `aws:PrincipalAccount`
+ Condition keys used to restrict access for service principals:
  + `aws:SourceArn`
  + `aws:SourceAccount`
  + `aws:SourceOrgPaths`
  + `aws:SourceOrgID`
+ System tags:
  + `aws:PrincipalTag/aws:`
  + `aws:ResourceTag/aws:`
  + `aws:RequestTag/aws:`

**Note**  
The `aws:SourceAccount` value is automatically populated when sharing to service principals.

## How managed permissions work


For a quick overview, watch the following video that demonstrates how managed permissions let you apply the best practice of least privilege access to your AWS resources.

This video demonstrates how to author and associate customer managed permissions following the best practice of least privilege. For more information, see [Creating and using customer managed permissions in AWS RAM](create-customer-managed-permissions.md).

[AWS Videos](https://www.youtube.com/embed/SQoJOuIDLKM)

When you create a resource share, you associate an AWS managed permission with each resource type that you want to share. If the managed permission has more than one version, the new resource share always uses the version designated as the default.

After you create the resource share, AWS RAM uses the managed permission to generate a resource-based policy that is attached to each shared resource.

The policy template in a managed permission specifies the following:

**Effect**  
Indicates whether to `Allow` or `Deny` the principal permission to perform an operation on a shared resource. For a managed permission, the effect is always `Allow`. For more information, see [Effect](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html) in the *IAM User Guide*.

**Action**  
The list of operations that the principal is granted permission to perform. This can be an action in the AWS Management Console or an operation in the AWS Command Line Interface (AWS CLI) or AWS API. The actions are defined by the AWS permission. For more information, see [Action](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html) in the *IAM User Guide*.

**Condition**  
When and how a principal can interact with a resource in a resource share. Conditions add an extra layer of security to your shared resources. Use them to limit access for sensitive actions to your shared resources. For example, you can include conditions requiring the actions to originate from a specific corporate IP address range, or that the actions must be performed by users authenticated with multi-factor authentication. For more information about conditions, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*. For more information about service-specific conditions, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference*.  
Conditions are available in customer managed permissions, and in AWS managed permissions for the resource types that support them.  
For information about conditions that are excluded from use with customer managed permissions, see [Considerations for using customer managed permissions in AWS RAM](managed-permission-considerations.md).
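An added example (not AWS's code) that puts the preceding sections to work: `check_template` screens a candidate customer managed permission template against the restrictions listed under Considerations for using customer managed permissions (one statement, `Allow` only, no negating operators, none of the excluded condition keys or system tags), and `render_resource_policy` models how the template's Effect, Action and Condition are completed with the resource ARN and the share's principals to form the resource-based policy. The sample template, the ARNs and the rendering model are assumptions, not AWS RAM's actual output.

```python
# Condition keys that the considerations section lists as unsupported in
# customer managed permissions, and the system-tag prefixes it excludes.
UNSUPPORTED_KEYS = {k.lower() for k in (
    "aws:PrincipalOrgId", "aws:PrincipalOrgPaths", "aws:PrincipalAccount",
    "aws:SourceArn", "aws:SourceAccount", "aws:SourceOrgPaths", "aws:SourceOrgID")}
SYSTEM_TAG_PREFIXES = ("aws:principaltag/aws:", "aws:resourcetag/aws:",
                       "aws:requesttag/aws:")


def check_template(template):
    """Return the problems that would keep this policy template from being
    accepted as a customer managed permission (empty list = none found).
    Key names are compared case-insensitively, as IAM treats them."""
    problems = []
    stmts = template.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else list(stmts)
    if len(stmts) != 1:
        problems.append("policy must contain exactly one Statement")
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            problems.append("Effect must be Allow")
        if "NotAction" in stmt:
            problems.append("NotAction is a negating operator and is not allowed")
        for operator, keys in stmt.get("Condition", {}).items():
            if "Not" in operator:  # StringNotEquals, ArnNotLike, NotIpAddress ...
                problems.append(f"negating condition operator {operator} is not allowed")
            for key in keys:
                if key.lower() in UNSUPPORTED_KEYS or key.lower().startswith(SYSTEM_TAG_PREFIXES):
                    problems.append(f"condition key {key} is not supported")
    return problems


def render_resource_policy(template, resource_arn, principal_arns):
    """Model the composition step described above: Effect, Action and Condition
    come from the template; the shared resource's ARN and the share's principals
    complete the resource-based policy. Simplified model, not AWS RAM's output."""
    stmt = dict(template["Statement"][0])
    stmt["Principal"] = {"AWS": list(principal_arns)}
    stmt["Resource"] = resource_arn
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed sample: read-only subnet access for MFA-authenticated callers only.
READ_ONLY_SUBNET = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:DescribeSubnets"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
```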

## Types of managed permissions


When you create a resource share, you choose a managed permission to associate with each resource type that you include in the resource share. AWS managed permissions are defined by the AWS resource-owning service and managed by AWS RAM. You author and maintain your own customer managed permissions.
+ **AWS managed permission** – There is one default managed permission available for every resource type that AWS RAM supports. The default managed permission is the one used for a resource type unless you explicitly choose one of the additional managed permissions. The default managed permission is intended to support the most common customer scenarios for sharing resources of the specified type. The default managed permission allows principals to perform specific actions that are defined by the service for the resource type. For example, for the Amazon VPC `ec2:Subnet` resource type, the default managed permission allows principals to perform the following actions:
  + `ec2:RunInstances`
  + `ec2:CreateNetworkInterface`
  + `ec2:DescribeSubnets`

  The names of default AWS managed permissions use the following format: `AWSRAMDefaultPermissionShareableResourceType`. For example, for the `ec2:Subnet` resource type, the name of the default AWS managed permission is `AWSRAMDefaultPermissionSubnet`.
**Note**  
The default managed permission is separate from the default [*version*](getting-started-terms-and-concepts.md#term-managed-permission-version) of a managed permission. All managed permissions, whether default or one of the additional managed permissions supported by some resource types, are separate, complete permissions with different effects and actions that support different sharing scenarios, such as read-write versus read-only access. Any managed permission, whether AWS or customer managed, can have multiple versions, one of which is the default version for that permission.

  For example, when you share a resource type that supports both a full access (`Read` and `Write`) managed permission and a read-only managed permission, you can create one resource share for the administrator with the full access managed permission. You can then create a separate resource share for other developers using the read-only managed permission to follow the [practice of granting least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege).
**Note**  
All AWS services that work with AWS RAM support at least one default managed permission. You can view the available permissions for each AWS service on the **[Managed permissions library](https://console.aws.amazon.com/ram/home#Permissions:)** page. This page provides details about each available managed permission, including any resource shares that are currently associated with the permission and whether sharing with external principals is allowed, if applicable. For more information, see [Viewing managed permissions](working-with-sharing-view-permissions.md).   
For services that don’t support additional managed permissions, when you create a resource share, AWS RAM automatically applies the default permission defined for the resource type that you choose. If supported, you will also have the option to choose **Create customer managed permission** on the **Associate managed permissions** page. 
+ **Customer managed permission** – Customer managed permissions are managed permissions that you author and maintain by precisely specifying which actions can be performed under which conditions with resources shared using AWS RAM. For example, suppose you want to limit read access for your Amazon VPC IP Address Manager (IPAM) pools, which help you manage your IP addresses at scale. You can create customer managed permissions that let your developers assign IP addresses, but not view the ranges of IP addresses that other developer accounts assign. In this way you follow the best practice of least privilege, granting only the permissions required to perform tasks on shared resources.