Viewing AWS RAM managed permissions - AWS Resource Access Manager

Viewing AWS RAM managed permissions

You can view details about AWS RAM managed permissions that are available to assign to resource types in your resource shares. You can identify the managed permissions that are assigned to resource shares. To see these details, use the Permissions library in the AWS RAM console.

To view details about managed permissions available in AWS RAM (console)
  1. Navigate to the Permissions library page in the AWS RAM console.

  2. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia), (us-east-1). For more information about sharing global resources, see Sharing Regional resources compared to global resources. Although the same AWS managed permissions are available in every Region, the Region you choose affects the number of associated resource shares displayed for each permission in Step 5.

  3. In the Permissions list, choose the managed permission for which you want to view details. You can use the search box to filter the list of permissions by entering part of a name or a resource type.

  4. (Optional) To change the display preferences, choose the gear icon in the upper right of the Permissions panel. You can change the following preferences:

    • Page size – The number of resources displayed on each page.

    • Wrap lines – Whether to wrap lines in table rows.

    • Columns – Whether to display or hide information about the resource type and associated shares.

    After you finish setting display preferences, choose Confirm.

  5. For each permission, the list displays the following information:

    • Permission name – The name of the AWS managed permission.

    • Resource type – The resource type that is associated with the managed permission.

    • Associated shares – The number of resource shares that are associated with the managed permission. If a number appears, then you can choose the number to display a table of resource shares with the following information:

      • Resource share name – The name of the resource share that is associated with the managed permission.

      • Version – The version of the permission that is attached to this resource share.

      • Owner – The AWS account number of the resource share owner.

      • Allow external principals – Whether that resource share allows sharing with principals outside the organization in AWS Organizations.

      • Status – The current status of the association between the resource share and the managed permission.

    You can choose the managed permission's name to display more information about that permission. The details page for a permission displays the following information:

    • Resource type – The type of AWS resource to which this managed permission applies.

    • Number of versions – You can have up to 5 versions of a managed permission.

    • Default version – Specifies which version is the default and therefore assigned automatically to all new resource shares that use this permission. Any existing resource shares that use different versions display a prompt for you to update the resource share to the default version.

    • ARN – The Amazon Resource Name (ARN) of the managed permission. The ARNs for AWS managed permissions follow this format:


      The substring [DefaultPermission] (without the brackets in an actual ARN) is present in the name of only the one managed permission for that resource type that is designated the default.

    • Versions – You can choose which version's information to display in the tabs below this drop-down list.

      • Details tab:

        • Last updated time – The date and time when this version of the managed permission was last updated.

        • Creation time – The date and time when this version of the managed permission was created.

      • Allowed actions tab – The list of AWS service actions that this version of the managed permission allows principals to perform on the associated resource type.

      • Associated resource shares – The list of resource shares that use this version of the managed permission.

To view details about managed permissions available in AWS RAM (AWS CLI)

You can use the list-permissions command to get a list of the permissions available to use on resource shares in the current AWS Region for the calling account.

$ aws ram list-permissions
{
    "permissions": [
        {
            "arn": "arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority",
            "version": "1",
            "defaultVersion": true,
            "name": "AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority",
            "resourceType": "acm-pca:CertificateAuthority",
            "creationTime": "2021-06-09T09:22:57.427000-07:00",
            "lastUpdatedTime": "2021-06-09T09:22:57.427000-07:00"
        },
        {
            "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAppMesh",
            "version": "1",
            "defaultVersion": true,
            "name": "AWSRAMDefaultPermissionAppMesh",
            "resourceType": "appmesh:Mesh",
            "creationTime": "2020-05-12T11:12:54.068000-07:00",
            "lastUpdatedTime": "2020-05-12T11:12:54.068000-07:00"
        },
        ... TRUNCATED FOR BREVITY ... RUN COMMAND TO SEE COMPLETE LIST OF PERMISSIONS ...
        {
            "arn": "arn:aws:ram::aws:permission/AWSRAMRevokeCertificateCertificateAuthority",
            "version": "1",
            "defaultVersion": true,
            "name": "AWSRAMRevokeCertificateCertificateAuthority",
            "resourceType": "acm-pca:CertificateAuthority",
            "creationTime": "2021-06-09T09:23:16.668000-07:00",
            "lastUpdatedTime": "2021-06-09T09:23:16.668000-07:00"
        },
        {
            "arn": "arn:aws:ram::aws:permission/AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority",
            "version": "1",
            "defaultVersion": true,
            "name": "AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority",
            "resourceType": "acm-pca:CertificateAuthority",
            "creationTime": "2021-06-09T09:23:11.462000-07:00",
            "lastUpdatedTime": "2021-06-09T09:23:11.462000-07:00"
        }
    ]
}

After you find the ARN of the permission you're interested in, you can retrieve its details, including the JSON policy text, by running the get-permission command. Note that the policy statement is returned as a JSON-encoded string inside the permission field, so a tool that consumes this output must decode it a second time.

$ aws ram get-permission \
    --permission-arn arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResourceGroup
{
    "permission": {
        "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResourceGroup",
        "version": "1",
        "defaultVersion": true,
        "name": "AWSRAMDefaultPermissionResourceGroup",
        "resourceType": "resource-groups:Group",
        "permission": "{\"Effect\":\"Allow\",\"Action\":[\"resource-groups:GetGroup\", \"resource-groups:GetGroupConfiguration\",\"resource-groups:ListGroupResources\"]}",
        "creationTime": 1582832306.525,
        "lastUpdatedTime": 1582832306.525,
        "isResourceTypeDefault": true
    }
}
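The following Python is an added example, not part of the AWS documentation or the AWS CLI, showing how to consume the two responses above when reviewing which managed permission to attach to a resource share: it filters a list-permissions response by resource type and decodes the nested policy string from a get-permission response to separate read-only actions from the rest. The sample inputs are constructed from values shown on this page, and the set of verb prefixes treated as read-only (Get, List, Describe) is an assumption of this example.

```python
import json

# Constructed samples shaped like the CLI responses shown on this page.
LIST_SAMPLE = {"permissions": [
    {"arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAppMesh",
     "name": "AWSRAMDefaultPermissionAppMesh", "version": "1",
     "defaultVersion": True, "resourceType": "appmesh:Mesh"},
    {"arn": "arn:aws:ram::aws:permission/AWSRAMRevokeCertificateCertificateAuthority",
     "name": "AWSRAMRevokeCertificateCertificateAuthority", "version": "1",
     "defaultVersion": True, "resourceType": "acm-pca:CertificateAuthority"},
]}
GET_SAMPLE = {"permission": {
    "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResourceGroup",
    "name": "AWSRAMDefaultPermissionResourceGroup", "version": "1",
    "defaultVersion": True, "resourceType": "resource-groups:Group",
    # RAM returns the policy statement as a JSON string inside the JSON response.
    "permission": json.dumps({"Effect": "Allow", "Action": [
        "resource-groups:GetGroup", "resource-groups:GetGroupConfiguration",
        "resource-groups:ListGroupResources"]}),
    "isResourceTypeDefault": True}}

# Assumption of this example: verbs with these prefixes are treated as read-only.
READ_ONLY_VERBS = ("Get", "List", "Describe")


def permissions_for_resource_type(list_response, resource_type):
    """Names of the managed permissions that apply to one resource type."""
    return sorted(p["name"] for p in list_response["permissions"]
                  if p["resourceType"] == resource_type)


def allowed_actions(get_response):
    """Decode the nested policy string and return the actions it allows.
    Handles both the list form and the single-string form of "Action"."""
    statement = json.loads(get_response["permission"]["permission"])
    if statement.get("Effect") != "Allow":
        return []
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def mutating_actions(get_response):
    """Allowed actions that are not plain reads; review these before attaching
    the permission to a resource share that allows external principals."""
    return [a for a in allowed_actions(get_response)
            if not a.split(":", 1)[1].startswith(READ_ONLY_VERBS)]


if __name__ == "__main__":
    print(permissions_for_resource_type(LIST_SAMPLE, "acm-pca:CertificateAuthority"))
    print(allowed_actions(GET_SAMPLE))
    print(mutating_actions(GET_SAMPLE))
```

In practice, feed the functions the output of `aws ram list-permissions` and `aws ram get-permission --permission-arn ...` loaded with json.load instead of the constructed samples.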