Creating a resource share in AWS RAM
To share resources that you own, create a resource share. Here's an overview of the process:
-
Add the resources that you want to share.
-
For each resource type that you include in the share, specify the managed permission to use for that resource type.
-
You can choose from one of the available AWS managed permissions, an existing customer managed permission, or create a new customer managed permission.
-
AWS managed permissions are created by AWS to cover standard use cases.
-
Customer managed permissions allow you to tailor your own managed permissions to meet your security and business needs.
Note
If the selected managed permission has multiple versions, then AWS RAM automatically attaches the default version. You can attach only the version that is designated as the default.
-
-
Specify the principals that you want to have access to the resources.
Considerations
-
If you later need to delete an AWS resource that you included in a share, we recommend that you first either remove the resource from any resource share that includes it, or delete the resource share.
-
The resource types that you can include in a resource share are listed at Shareable AWS resources.
-
You can share a resource only if you own it. You can't share a resource that's shared with you.
-
AWS RAM is a Regional service. When you share a resource with principals in other AWS accounts, those principals must access each resource from the same AWS Region that it was created in. For supported global resources, you can access those resources from any AWS Region that's supported by that resource's service console and tools. You can view such resource shares and their global resources in the AWS RAM console and tools only in the designated home Region, US East (N. Virginia),
us-east-1
. For more information about AWS RAM and global resources, see Sharing Regional resources compared to global resources. -
If the account you're sharing from is part of an organization in AWS Organizations and sharing within your organization is enabled, any principals in the organization that you share with are automatically granted access to the resource shares without the use of invitations. A principal in an account with whom you share outside of the context of an organization receives an invitation to join the resource share and is granted access to the shared resources only after they accept the invitation.
If you share with a service principal, you can't associate any other principals with the resource share.
-
If the sharing is between accounts or principals that are part of an organization, then any changes to organization membership dynamically affect access to the resource share.
-
If you add an AWS account to the organization or an OU that has access to a resource share, then that new member account automatically gets access to the resource share. The administrator of the account you shared with can then grant individual principals in that account access to the resources in that share.
-
If you remove an account from the organization or an OU that has access to a resource share, then any principals in that account automatically lose access to resources that were accessed through that resource share.
-
If you shared directly with a member account or with IAM roles or users in the member account and then remove that account from the organization, then any principals in that account lose access to the resources that were accessed through that resource share.
Important
When you share with an organization or an OU, and that scope includes the account that owns the resource share, all principals in the sharing account automatically get access to the resources in the share. The access granted is defined by the managed permissions associated with the share. This is because the resource-based policy that AWS RAM attaches to each resource in the share uses
"Principal": "*"
. For more information, see Implications of using "Principal": "*" in a resource-based policy.Principals in the other consuming accounts don't immediately get access to the share's resources. The other accounts' administrators must first attach identity-based permission policies to the appropriate principals. Those policies must grant
Allow
access to the ARNs of individual resources in the resource share. The permissions in those policies can't exceed those specified in the managed permission associated with the resource share. -
-
You can add only the organization your account is a member of, and OUs from that organization to your resource shares. You can't add OUs or organizations from outside your own organization to a resource share as principals. However, you can add individual AWS accounts or, for supported services, IAM roles and users from outside your organization as principals to a resource share.
Note
Not all resource types can be shared with IAM roles and users. For information about resources that you can share with these principals, see Shareable AWS resources.
For the following resource types you have seven days to accept the invitation to join the share for the following resource types. If you don't accept the invitation before it expires, the invitation is automatically declined.
Important
For shared resource types not on the following list, you have 12 hours to accept the invitation to join the resource share. After 12 hours, the invitation expires and the end user principal in the resource share is disassociated. The invitation can no longer be accepted by end users.
-
Amazon Aurora – DB clusters
-
Amazon EC2 – capacity reservations and dedicated hosts
-
AWS License Manager – License configurations
-
AWS Outposts – Local gateway route tables, outposts, and sites
-
Amazon Route 53 – Forwarding rules
-
Amazon VPC – Customer-owned IPv4 addresses, prefix lists, subnets, traffic mirror targets, transit gateways, transit gateway multicast domains
-