Shared core network

You can use AWS Resource Access Manager to share a core network across accounts or across your organization. By default, AWS Identity and Access Management (IAM) users do not have permission to create or modify AWS RAM resources. To allow users to create or modify resources and perform tasks, you must create IAM policies that grant permission to use specific resources and API actions. You then attach those policies to the users or groups that require those permissions.

Only the network owner can perform the following operations:

• Create a resource share.

• Create a core network.

• Update a resource share.

• View a resource share.

• View the resources shared by your account, across all resource shares.

• View the principals with whom you're sharing your resources, across all resource shares. Viewing these principals provides you with the information to determine who has access to your shared resources.

• Delete a resource share.

You can perform the following operations on resources that are shared with you:

• Accept or reject a resource share invitation.

• View a resource share.

• View the shared resources that you can access.

• View a list of all of the principals that are sharing resources with you.

• Run the list-core-networks API to view information about the core networks you own. See list-core-networks.

• Run the APIs that create, view, and delete VPC attachments:

  Note

  A shared core network supports only VPC and transit gateway route table attachments.

  • Create a VPC attachment: create-vpc-attachment

  • Get a VPC attachment: get-vpc-attachment

  • Delete a VPC attachment: delete-vpc-attachment

• Leave a resource share.

When a core network is shared with an account, the account that accepts the shared core network can't make any changes to it, but it can create VPC attachments to the shared network.

Important

You must share your global resource from the N. Virginia (us-east-1) Region so that all other Regions can see the global resource.