Share your VPC Lattice resources

Amazon VPC Lattice integrates with AWS Resource Access Manager (AWS RAM) to enable resource sharing. AWS RAM is a service that enables you to share some VPC Lattice resources with other AWS accounts or through AWS Organizations. With AWS RAM, you share resources that you own by creating a resource share. A resource share specifies the resources to share, and the consumers with whom to share them. Consumers can include:

• Specific AWS accounts inside or outside of its organization in AWS Organizations.

• An organizational unit inside of its organization in AWS Organizations.

• An entire organization in AWS Organizations.

For more information about AWS RAM, see the AWS RAM User Guide.

Prerequisites for sharing VPC Lattice resources

• To share a resource, you must own it in your AWS account. This means that the resource must be allocated or provisioned in your account. You can't share a resource that has been shared with you.

• To share a resource with your organization or an organizational unit in AWS Organizations, you must enable sharing with AWS Organizations. For more information, see Enable resource sharing within AWS Organizations in the AWS RAM User Guide.

Share VPC Lattice resources

To share a resource, start by creating a resource share using AWS Resource Access Manager. A resource share specifies the resources to share, the consumers with whom they are shared, and what actions principals can perform.

When you share a VPC Lattice resource that you own with other AWS accounts, you enable those accounts to associate their resources with resources in your account. When you create an association against a shared resource, we generate an Amazon Resource Name (ARN) in the resource owner account and plus an ARN in the account that created the association. This way, both the resource owner and the account that created the association can delete the association.

If you are part of an organization in AWS Organizations and sharing within your organization is enabled, consumers in your organization are automatically granted access to the shared resource. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared resource after accepting the invitation.

Considerations

• You can share two types of VPC Lattice resources: service networks and services.

• You can share your VPC Lattice resources with any AWS account.

• You can't share your VPC Lattice resources with individual IAM users and roles.

• VPC Lattice supports customer managed permissions for both service networks and services.

To share a resource that you own using the VPC Lattice console

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, under VPC Lattice, choose Services or Service networks.

3. Choose the name of the resource to open its details page, and then choose Share service or Share service network from the Sharing tab.

4. Choose the AWS RAM resource shares from Resource shares. To create a resource share, choose Create a resource share in RAM console.

5. Choose Share service or Share service network.

To share a resource that you own using the AWS RAM console

Use the procedure described in Create a resource share in the AWS RAM User Guide.

To share a resource that you own using the AWS CLI

Use the associate-resource-share command.

Stop sharing VPC Lattice resources

To stop sharing a VPC Lattice resource that you own, you must remove it from the resource share. Existing associations persist after you stop sharing your resource. New associations to a previously shared resource are not allowed. When either the resource owner or the association owner deletes an association, it is deleted from both accounts. If an account owner wants to leave a resource share, they must ask the owner of the resource share to remove the account.

To stop sharing a resource that you own using the VPC Lattice console

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, under VPC Lattice, choose Services or Service networks.

3. Choose the name of the resource to open its details page.

4. On the Sharing tab, select the check box for the resource share and then choose Remove.

To stop sharing a resource that you own using the AWS RAM console

See Update a resource share in the AWS RAM User Guide.

To stop sharing a resource that you own using the AWS CLI

Use the disassociate-resource-share command.

Responsibilities and permissions

The following responsibilities and permissions apply when using shared VPC Lattice resources.

Resource owners

• The service network owner can't modify a service created by a consumer.

• The service network owner can't delete a service created by a consumer.

• The service network owner can describe all service associations for the service network.

• The service network owner can disassociate any service associated with the service network, regardless of who created the association.

• The service network owner can describe all VPC associations for the service network.

• The service network owner can disassociate any VPC that a consumer associated with the service network.

• The service owner can describe all network associations with the service.

• The service owner can disassociate a service from any service network that it is associated with.

• Only the account that created an association can update the association between the service network and the VPC.

Resource consumers

• The consumer can't delete a service that they didn’t create.

• The consumer can disassociate only the services that they associated with a service network.

• The consumer and network owner can describe all associations between a service network and a service.

• The consumer can't retrieve service information of a service that they don't own.

• The consumer can describe all service associations with a shared service network.

• The consumer can associate a service with a shared service network.

• The consumer can see all VPC associations with a shared service network.

• The consumer can associate a VPC with a shared service network.

• The consumer can disassociate only the VPCs that they associated with a service network.

• The consumer of a shared service can't associate a service with a service network that they don't own.

• The consumer of a shared service network can't associate a VPC or service that they don't own.

• The consumer can describe a service or a service network that is shared with them.

• The consumer can't associate two resources if both are shared with them.

Cross-account events

When resource owners and consumers perform actions on a shared resource, those actions are recorded as cross-account events in AWS CloudTrail.

CreateServiceNetworkServiceAssociationBySharee

Sent to the resource owner when a resource consumer calls CreateServiceNetworkServiceAssociation with a shared resource. If the caller owns the service, the event is sent to the owner of the service network. If the caller owns the service network, the event is sent to the owner of the service.

CreateServiceNetworkVpcAssociationBySharee

Sent to the resource owner when a resource consumer calls CreateServiceNetworkVpcAssociation with a shared service network.

DeleteServiceNetworkServiceAssociationByOwner

Sent to the association owner when the resource owner calls DeleteServiceNetworkServiceAssociation with a shared resource. If the caller owns the service, the event is sent to the owner of the service network association. If the caller owns the service network, the event is sent to the owner of the service association.

DeleteServiceNetworkServiceAssociationBySharee

Sent to the resource owner when a resource consumer calls DeleteServiceNetworkServiceAssociation with a shared resource. If the caller owns the service, the event is sent to the owner of the service network. If the caller owns the service network, the event is sent to the owner of the service.

DeleteServiceNetworkVpcAssociationByOwner

Sent to the association owner when the resource owner calls DeleteServiceNetworkVpcAssociation with a shared service network.

DeleteServiceNetworkVpcAssociationBySharee

Sent to the resource owner when a resource consumer calls DeleteServiceNetworkVpcAssociation with a shared service network.

GetServiceBySharee

Sent to the resource owner when a resource consumer calls GetService with a shared service.

GetServiceNetworkBySharee

Sent to the resource owner when a resource consumer calls GetServiceNetwork with a shared service network.

GetServiceNetworkServiceAssociationBySharee

Sent to the resource owner when a resource consumer calls GetServiceNetworkServiceAssociation with a shared resource. If the caller owns the service, the event is sent to the owner of the service network. If the caller owns the service network, the event is sent to the owner of the service.

GetServiceNetworkVpcAssociationBySharee

Sent to the resource owner when a resource consumer calls GetServiceNetworkVpcAssociation with a shared service network.

The following is an example entry for the CreateServiceNetworkServiceAssociationBySharee event.

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Unknown"
    },
    "eventTime": "2023-04-27T17:12:46Z",
    "eventSource": "vpc-lattice.amazonaws.com",
    "eventName": "CreateServiceNetworkServiceAssociationBySharee",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "vpc-lattice.amazonaws.com",
    "userAgent": "ec2.amazonaws.com",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "callerAccountId": "111122223333"
    },
    "requestID": "ddabb0a7-70c6-4f70-a6c9-00cbe8a6a18b",
    "eventID": "bd03cdca-7edd-4d50-b9c9-eaa89f4a47cd",
    "readOnly": false,
    "resources": [
        {
            "accountId": "123456789012",
            "type": "AWS::VpcLattice::ServiceNetworkServiceAssociation",
            "ARN": "arn:aws:vpc-lattice:region:123456789012:servicenetworkserviceassociation/snsa-0d5ea7bc72EXAMPLE"
        }
    ],
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management"
}