Shareable AWS resources - AWS Resource Access Manager

With AWS Resource Access Manager (AWS RAM), you can share resources that are created and managed by other AWS services. You can share resources with individual AWS accounts, with all of the accounts in an organization, or with the accounts in specific organizational units (OUs) in AWS Organizations. Some supported resource types also let you share resources with individual AWS Identity and Access Management (IAM) roles and users.

Sharing a resource does not by itself grant access to it: principals in the consuming account still need IAM permissions for the resource's actions. A resource shared with an organization or OU is available to every account in it, including accounts added later, so scope each share as narrowly as the use case allows.

The following sections list the services that work with AWS RAM and the resources that support sharing. Each section also identifies which resource types can be shared with individual IAM users and roles.

AWS App Mesh

You can share the following AWS App Mesh resources by using AWS RAM.

Mesh (appmesh:Mesh)
Use case: Create and manage a mesh centrally, and share it with other AWS accounts or your organization. A shared mesh allows resources created by different AWS accounts to communicate with each other in the same mesh. For more information, see Working with shared meshes in the AWS App Mesh User Guide.
Can share with IAM users and roles: Yes

Amazon Aurora

You can share the following Amazon Aurora resources by using AWS RAM.

DB clusters (rds:Cluster)
Use case: Create and manage a DB cluster centrally, and share it with other AWS accounts or your organization. This lets multiple AWS accounts clone a shared, centrally managed DB cluster. For more information, see Cross-account cloning with AWS RAM and Amazon Aurora in the Amazon Aurora User Guide.
Can share with IAM users and roles: No

AWS Certificate Manager Private Certificate Authority

You can share the following ACM Private CA resources by using AWS RAM.

Private certificate authority (CA) (acm-pca:CertificateAuthority)
Use case: Create and manage private certificate authorities (CAs) for your organization's internal public key infrastructure (PKI), and share those CAs with other AWS accounts or your organization. This lets AWS Certificate Manager users in other accounts issue X.509 certificates signed by your shared CA. For more information, see Controlling access to a private CA in the AWS Certificate Manager Private Certificate Authority User Guide.
Can share with IAM users and roles: Yes

AWS CodeBuild

You can share the following AWS CodeBuild resources by using AWS RAM.

Project (codebuild:Project)
Use case: Create a project, and use it to run builds. Share the project with other AWS accounts or your organization. This lets multiple AWS accounts and users view information about a project and analyze its builds. For more information, see Working with shared projects in the AWS CodeBuild User Guide.
Can share with IAM users and roles: Yes

Report group (codebuild:ReportGroup)
Use case: Create a report group, and use it to create reports when you build a project. Share the report group with other AWS accounts or your organization. This lets multiple AWS accounts and users view the report group and its reports, and the test case results for each report. A report can be viewed for 30 days after it's created, and then it expires and is no longer available to view. For more information, see Working with shared report groups in the AWS CodeBuild User Guide.
Can share with IAM users and roles: Yes

Amazon EC2

You can share the following Amazon EC2 resources by using AWS RAM.

Capacity reservations (ec2:CapacityReservation)
Use case: Create and manage capacity reservations centrally, and share the reserved capacity with other AWS accounts or your organization. This lets multiple AWS accounts launch their Amazon EC2 instances into centrally managed reserved capacity. For more information, see Working with shared Capacity Reservations in the Amazon EC2 User Guide for Linux Instances.
Can share with IAM users and roles: No

Dedicated hosts (ec2:DedicatedHost)
Use case: Allocate and manage Amazon EC2 dedicated hosts centrally, and share the host's instance capacity with other AWS accounts or your organization. This lets multiple AWS accounts launch their Amazon EC2 instances onto centrally managed dedicated hosts. For more information, see Working with shared Dedicated Hosts in the Amazon EC2 User Guide for Linux Instances.
Can share with IAM users and roles: No

EC2 Image Builder

You can share the following EC2 Image Builder resources by using AWS RAM.

Components (imagebuilder:Component)
Use case: Create and manage components centrally, and share them with other AWS accounts or your organization. Manage who can use predefined build and test components in their image recipes. For more information, see Share EC2 Image Builder resources in the EC2 Image Builder User Guide.
Can share with IAM users and roles: Yes

Container recipes (imagebuilder:ContainerRecipe)
Use case: Create and manage your container recipes centrally, and share them with other AWS accounts or your organization. This allows you to manage who can use predefined documents to duplicate container image builds. For more information, see Share EC2 Image Builder resources in the EC2 Image Builder User Guide.
Can share with IAM users and roles: Yes

Images (imagebuilder:Image)
Use case: Create and manage your golden images centrally, and share them with other AWS accounts or your organization. Manage who can use images created with EC2 Image Builder across your organization. For more information, see Share EC2 Image Builder resources in the EC2 Image Builder User Guide.
Can share with IAM users and roles: Yes

Image recipes (imagebuilder:ImageRecipe)
Use case: Create and manage your image recipes centrally, and share them with other AWS accounts or your organization. This allows you to manage who can use predefined documents to duplicate AMI builds. For more information, see Share EC2 Image Builder resources in the EC2 Image Builder User Guide.
Can share with IAM users and roles: Yes

AWS Glue

You can share the following AWS Glue resources by using AWS RAM.

Data catalogs (glue:Catalog)
Use case: Manage a central data catalog, and share metadata about databases and tables with AWS accounts or your organization. This enables users to run queries on data across multiple accounts. For more information, see Sharing Data Catalog Tables and Databases Across AWS Accounts in the AWS Lake Formation Developer Guide.
Can share with IAM users and roles: No

Databases (glue:Database)
Use case: Create and manage data catalog databases centrally, and share them with AWS accounts or your organization. Databases are collections of data catalog tables. This enables users to run queries and extract, transform, and load (ETL) jobs that can join and query data across multiple accounts. For more information, see Sharing Data Catalog Tables and Databases Across AWS Accounts in the AWS Lake Formation Developer Guide.
Can share with IAM users and roles: No

Tables (glue:Table)
Use case: Create and manage data catalog tables centrally, and share them with AWS accounts or your organization. Data catalog tables contain metadata about data tables in Amazon S3, JDBC data sources, Amazon Redshift, streaming sources, and other data stores. This enables users to run queries and ETL jobs that can join and query data across multiple accounts. For more information, see Sharing Data Catalog Tables and Databases Across AWS Accounts in the AWS Lake Formation Developer Guide.
Can share with IAM users and roles: No

AWS License Manager

You can share the following AWS License Manager resources by using AWS RAM.

License configurations (license-manager:LicenseConfiguration)
Use case: Create and manage license configurations centrally, and share them with other AWS accounts or your organization. This lets you enforce centrally managed licensing rules that are based on the terms of your enterprise agreements across multiple AWS accounts. For more information, see License configurations in License Manager in the License Manager User Guide.
Can share with IAM users and roles: No

AWS Migration Hub Refactor Spaces

You can share the following Migration Hub Refactor Spaces resources by using AWS RAM.

Refactor Spaces Environment (refactor-spaces:Environment)
Use case: Create a Refactor Spaces environment, and use it to contain your Refactor Spaces applications. Share the environment with other AWS accounts or all of the accounts in your organization. This lets multiple AWS accounts and users view information about the environment and the applications in it. For more information, see Sharing Refactor Spaces environments using AWS RAM in the AWS Migration Hub Refactor Spaces User Guide.
Can share with IAM users and roles: Yes

AWS Network Firewall

You can share the following AWS Network Firewall resources by using AWS RAM.

Firewall policies (network-firewall:FirewallPolicy)
Use case: Create and manage firewall policies centrally, and share them with other AWS accounts or your organization. This enables multiple accounts in an organization to share a common set of network monitoring, protection, and filtering behaviors. For more information, see Sharing firewall policies and rule groups in the AWS Network Firewall Developer Guide.
Can share with IAM users and roles: Yes

Rule groups (network-firewall:StatefulRuleGroup, network-firewall:StatelessRuleGroup)
Use case: Create and manage stateless and stateful rule groups centrally, and share them with other AWS accounts or your organization. This enables multiple accounts in an organization in AWS Organizations to share a set of criteria for inspecting and handling network traffic. For more information, see Sharing firewall policies and rule groups in the AWS Network Firewall Developer Guide.
Can share with IAM users and roles: Yes

AWS Outposts

You can share the following AWS Outposts resources by using AWS RAM.

Outposts (outposts:Outpost)
Use case: Create and manage Outposts centrally, and share them with other AWS accounts in your organization. This lets multiple accounts create subnets and EBS volumes on your shared, centrally managed Outposts. For more information, see Working with shared AWS Outposts resources in the AWS Outposts User Guide.
Can share with IAM users and roles: No

Local gateway route table (ec2:LocalGatewayRouteTable)
Use case: Create and manage VPC associations to a local gateway centrally, and share them with other AWS accounts in your organization. This lets multiple accounts create VPC associations to a local gateway, and view route table and virtual interface configuration. For more information, see Shareable Outpost resources in the AWS Outposts User Guide.
Can share with IAM users and roles: No

Sites (outposts:Site)
Use case: Create and manage Outpost sites and share them with other AWS accounts in your organization. This lets multiple accounts create and manage Outposts at the shared site and supports split control between the Outpost resources and the site. For more information, see Working with shared AWS Outposts resources in the AWS Outposts User Guide.
Can share with IAM users and roles: No

Amazon S3 on Outposts

You can share the following Amazon S3 on Outposts resource by using AWS RAM.

S3 on Outposts (s3-outposts:Outpost)
Use case: Create and manage Amazon S3 buckets, access points, and endpoints on the Outpost, and share the Outpost with other AWS accounts in your organization. This lets those accounts create and manage their own S3 on Outposts buckets, access points, and endpoints on the shared Outpost. For more information, see Working with shared AWS Outposts resources in the AWS Outposts User Guide.
Can share with IAM users and roles: No

AWS Resource Groups

You can share the following AWS Resource Groups resources by using AWS RAM.

Resource groups (resource-groups:Group)
Use case: Create and manage a host resource group centrally, and share it with other AWS accounts in your organization. This lets multiple AWS accounts share a group of Amazon EC2 Dedicated Hosts created using AWS License Manager. For more information, see Host resource groups in AWS License Manager in the AWS License Manager User Guide.
Can share with IAM users and roles: No

Amazon Route 53

You can share the following Amazon Route 53 resources by using AWS RAM.

Route 53 Resolver DNS Firewall rule groups (route53resolver:FirewallRuleGroup)
Use case: Create and manage Route 53 Resolver DNS Firewall rule groups centrally, and share them with other AWS accounts or your organization. This enables multiple accounts to share a set of criteria for inspecting and handling outbound DNS queries that go through Route 53 Resolver. For more information, see Sharing Route 53 Resolver DNS Firewall rule groups between AWS accounts in the Amazon Route 53 Developer Guide.
Can share with IAM users and roles: Yes

Forwarding rules (route53resolver:ResolverRule)
Use case: Create and manage forwarding rules centrally, and share them with other AWS accounts or your organization. This lets multiple accounts forward DNS queries from their virtual private clouds (VPCs) to the target IP addresses defined in shared, centrally managed resolver rules. For more information, see Sharing forwarding rules with other AWS accounts and using shared rules in the Amazon Route 53 Developer Guide.
Can share with IAM users and roles: No

Query logs (route53resolver:ResolverQueryLogConfig)
Use case: Create and manage query logging configurations centrally, and share them with other AWS accounts or your organization. This enables multiple AWS accounts to log DNS queries that originate in their VPCs to a centrally managed query log. For more information, see Sharing Resolver query logging configurations with other AWS accounts in the Amazon Route 53 Developer Guide.
Can share with IAM users and roles: Yes

Amazon SageMaker

You can share the following Amazon SageMaker resources by using AWS RAM.

Lineage group (sagemaker:LineageGroup)
Use case: Amazon SageMaker lets you create lineage groups of your pipeline metadata to get a deeper understanding of its history and relationships. Share the lineage group with other AWS accounts or the accounts in your organization. This lets multiple AWS accounts and users view information about the lineage group and query the tracking entities within it. For more information, see Cross-Account Lineage Tracking in the Amazon SageMaker Developer Guide.
Can share with IAM users and roles: No

AWS Systems Manager Incident Manager

You can share the following AWS Systems Manager Incident Manager resources by using AWS RAM.

Contacts (ssm-contacts:Contact)
Use case: Create and manage contacts and escalation plans centrally, and share the contact details with other AWS accounts or your organization. This lets many AWS accounts view engagements occurring during an incident. For more information, see Working with shared contacts and response plans in the AWS Systems Manager Incident Manager User Guide.
Can share with IAM users and roles: Yes

Response plans (ssm-incidents:ResponsePlan)
Use case: Create and manage response plans centrally, and share them with other AWS accounts or your organization. This lets those AWS accounts connect Amazon CloudWatch alarms and Amazon EventBridge event rules to response plans, automatically creating an incident when it's detected. The incident also has access to the metrics of these other AWS accounts. For more information, see Working with shared contacts and response plans in the AWS Systems Manager Incident Manager User Guide.
Can share with IAM users and roles: Yes

Amazon VPC

You can share the following Amazon Virtual Private Cloud (Amazon VPC) resources by using AWS RAM.

Customer-owned IPv4 addresses (ec2:CoipPool)
Use case: During the AWS Outposts installation process, AWS creates an address pool, known as a customer-owned IP address pool, based on information that you provide about your on-premises network.

Customer-owned IP addresses provide local, or external, connectivity to resources in your Outposts subnets through your on-premises network. You can assign these addresses to resources on your Outpost, such as EC2 instances, using Elastic IP addresses or using the subnet setting that automatically assigns customer-owned IP addresses. Share the pool with other AWS accounts in your organization so that the resources those accounts run on the Outpost can also use customer-owned IP addresses. For more information, see Customer-owned IP addresses in the AWS Outposts User Guide.
Can share with IAM users and roles: No

IP Address Manager (IPAM) pool (ec2:IpamPool)
Use case: Share IPAM pools centrally with other AWS accounts, IAM roles or users, or an entire organization or organizational unit (OU) in AWS Organizations. This lets those principals allocate CIDRs from the pool to AWS resources, such as VPCs, in their respective accounts. For more information, see Share an IPAM pool using AWS RAM in the Amazon VPC IP Address Manager User Guide and Work with VPCs and subnets in the Amazon VPC User Guide.
Can share with IAM users and roles: Yes

Prefix lists (ec2:PrefixList)
Use case: Create and manage prefix lists centrally, and share them with other AWS accounts or your organization. This lets multiple AWS accounts reference prefix lists in their resources, such as VPC security groups and subnet route tables. For more information, see Working with shared prefix lists in the Amazon VPC User Guide.
Can share with IAM users and roles: No

Subnets (ec2:Subnet)
Use case: Create and manage subnets centrally, and share them with other AWS accounts or your organization. This lets multiple AWS accounts launch their application resources into centrally managed VPCs. These resources include Amazon EC2 instances, Amazon Relational Database Service (RDS) databases, Amazon Redshift clusters, and AWS Lambda functions. For more information, see Working with VPC sharing in the Amazon VPC User Guide.
Can share with IAM users and roles: No

Traffic mirror targets (ec2:TrafficMirrorTarget)
Use case: Create and manage traffic mirror targets centrally, and share them with other AWS accounts or your organization. This lets multiple AWS accounts send mirrored network traffic from traffic mirror sources in their accounts to a shared, centrally managed traffic mirror target. For more information, see Cross-account traffic mirroring targets in the Traffic Mirroring Guide.
Can share with IAM users and roles: No

Transit gateways (ec2:TransitGateway)
Use case: Create and manage transit gateways centrally, and share them with other AWS accounts or your organization. This lets multiple AWS accounts route traffic between their VPCs and on-premises networks through a shared, centrally managed transit gateway. For more information, see Sharing a transit gateway in the Amazon VPC Transit Gateways Guide.
Can share with IAM users and roles: No

Transit gateway multicast domains (ec2:TransitGatewayMulticastDomain)
Use case: Create and manage transit gateway multicast domains centrally, and share them with other AWS accounts or your organization. This lets multiple AWS accounts register and deregister group members or group sources in the multicast domain. For more information, see Working with shared multicast domains in the Amazon VPC Transit Gateways Guide.
Can share with IAM users and roles: No

AWS Cloud WAN

You can share the following AWS Cloud WAN resources by using AWS RAM.

Cloud WAN core network (networkmanager:CoreNetwork)
Use case: Create and manage a Cloud WAN core network centrally, and share it with other AWS accounts. This lets multiple AWS accounts access and provision hosts on a single Cloud WAN core network. For more information, see Share a core network in the AWS Cloud WAN User Guide.
Can share with IAM users and roles: No
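As an added example (not code from the AWS documentation), the following Python script audits the resource shares an account owns against the sharing model these tables describe. It classifies each attached principal as an account, an organization, an OU, or an IAM role or user; flags organization- and OU-wide shares of high-impact types (which reach every current and future account in scope), principals outside the organization, and shares that leave allowExternalPrincipals enabled without any external principal attached; and checks IAM-principal shares against the "Can share with IAM users and roles" column above. The sample records are constructed and mirror the shape, as assumed here, of aws ram get-resource-shares, aws ram list-resources and aws ram list-principals output; every ARN, account ID and organization ID is invented, and the HIGH_IMPACT set is an editorial choice for the example rather than a classification the page makes.

```python
"""Audit owned AWS RAM resource shares for risky principal scope.

Added example; not code from the AWS documentation. The records below are
constructed to mirror the shape (as assumed here) of `aws ram get-resource-shares`,
`aws ram list-resources` and `aws ram list-principals` output; all IDs are made up.
"""
import re

# Types this page's tables mark "Can share with IAM users and roles: Yes".
IAM_SHAREABLE = {
    "appmesh:Mesh", "acm-pca:CertificateAuthority", "codebuild:Project",
    "codebuild:ReportGroup", "imagebuilder:Component", "imagebuilder:ContainerRecipe",
    "imagebuilder:Image", "imagebuilder:ImageRecipe", "refactor-spaces:Environment",
    "network-firewall:FirewallPolicy", "network-firewall:StatefulRuleGroup",
    "network-firewall:StatelessRuleGroup", "route53resolver:FirewallRuleGroup",
    "route53resolver:ResolverQueryLogConfig", "ssm-contacts:Contact",
    "ssm-incidents:ResponsePlan", "ec2:IpamPool",
}
# Types whose org- or OU-wide sharing deserves review. Editorial choice for this
# example, not a classification the page makes.
HIGH_IMPACT = {"acm-pca:CertificateAuthority", "ec2:Subnet", "rds:Cluster",
               "glue:Catalog", "glue:Database", "glue:Table", "ec2:TransitGateway"}

ACCOUNT_RE = re.compile(r"^\d{12}$")
ORG_RE = re.compile(r"^arn:aws:organizations::\d{12}:organization/o-[a-z0-9]+$")
OU_RE = re.compile(r"^arn:aws:organizations::\d{12}:ou/o-[a-z0-9]+/ou-[a-z0-9-]+$")
IAM_RE = re.compile(r"^arn:aws:iam::\d{12}:(?:role|user)/.+$")


def principal_kind(principal_id):
    """Classify a RAM principal id as account, organization, ou, iam or unknown."""
    for kind, pattern in (("account", ACCOUNT_RE), ("organization", ORG_RE),
                          ("ou", OU_RE), ("iam", IAM_RE)):
        if pattern.match(principal_id):
            return kind
    return "unknown"


def audit(shares, resources, principals):
    """Return {share name: [findings]} for shares with something to review."""
    types_by_share, principals_by_share = {}, {}
    for r in resources:
        types_by_share.setdefault(r["resourceShareArn"], set()).add(r["type"])
    for p in principals:
        principals_by_share.setdefault(p["resourceShareArn"], []).append(p)

    findings = {}
    for share in shares:
        arn, out = share["resourceShareArn"], []
        types = types_by_share.get(arn, set())
        attached = principals_by_share.get(arn, [])
        for p in attached:
            kind = principal_kind(p["id"])
            if kind in ("organization", "ou") and types & HIGH_IMPACT:
                out.append(f"{kind}-wide share of {sorted(types & HIGH_IMPACT)}: every "
                           f"current and future account under {p['id']} receives it")
            elif kind == "iam" and types - IAM_SHAREABLE:
                out.append(f"IAM principal {p['id']} attached to types that cannot be "
                           f"shared with IAM principals: {sorted(types - IAM_SHAREABLE)}")
            elif kind == "unknown":
                out.append(f"unrecognised principal {p['id']}; review manually")
        # list-principals sets `external` for principals outside your organization.
        externals = [p["id"] for p in attached if p.get("external")]
        if externals:
            out.append(f"shared outside the organization with {externals}")
        elif share.get("allowExternalPrincipals"):
            out.append("allowExternalPrincipals is true but every attached principal is "
                       "internal; recreate the share with the flag off")
        if out:
            findings[share["name"]] = out
    return findings


# Constructed sample: one owning account (111111111111) with three shares.
_SHARE = "arn:aws:ram:us-east-1:111111111111:resource-share/"
SAMPLE_SHARES = [
    {"resourceShareArn": _SHARE + "aaaa-1", "name": "shared-vpc-subnets", "allowExternalPrincipals": False},
    {"resourceShareArn": _SHARE + "bbbb-2", "name": "internal-pki", "allowExternalPrincipals": True},
    {"resourceShareArn": _SHARE + "cccc-3", "name": "dns-firewall", "allowExternalPrincipals": True},
]
SAMPLE_RESOURCES = [
    {"type": "ec2:Subnet", "resourceShareArn": _SHARE + "aaaa-1"},
    {"type": "acm-pca:CertificateAuthority", "resourceShareArn": _SHARE + "bbbb-2"},
    {"type": "route53resolver:FirewallRuleGroup", "resourceShareArn": _SHARE + "cccc-3"},
]
SAMPLE_PRINCIPALS = [
    {"id": "arn:aws:organizations::111111111111:ou/o-abc123/ou-abcd-workloads",
     "resourceShareArn": _SHARE + "aaaa-1", "external": False},
    {"id": "999999999999", "resourceShareArn": _SHARE + "bbbb-2", "external": True},
    {"id": "arn:aws:iam::222222222222:role/CertIssuer", "resourceShareArn": _SHARE + "bbbb-2", "external": False},
    {"id": "arn:aws:organizations::111111111111:organization/o-abc123",
     "resourceShareArn": _SHARE + "cccc-3", "external": False},
]


def run_sample():
    return audit(SAMPLE_SHARES, SAMPLE_RESOURCES, SAMPLE_PRINCIPALS)


if __name__ == "__main__":
    for name, items in run_sample().items():
        print(name, items)
```

Against the constructed sample this reports three findings: the OU-wide subnet share (every account added to that OU later also gets the subnets), the private CA shared with an account outside the organization, and the DNS Firewall share that still allows external principals although only the organization is attached. In practice, feed it the JSON returned by aws ram get-resource-shares, aws ram list-resources and aws ram list-principals, each run with --resource-owner SELF, and treat an unused allowExternalPrincipals flag as something to remove, since it is the only thing standing between a share and an arbitrary account ID.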