Sharing Considerations - AWS Well-Architected Tool

Sharing Considerations

A workload can be shared with up to 20 different AWS accounts and IAM users. A workload can only be shared with accounts and users that are in the same AWS Region as the workload.

Shared access to a workload is not removed until the workload invitation is deleted.

You can share a workload with an AWS account, individual IAM users in an account, or both. When you share a workload with an AWS account, all IAM users in that account are given access to the workload. If only specific users in an account require access, follow the best practice of granting least privilege and share the workload individually with those IAM users.

If both an AWS account and an IAM user in that account have workload invitations, the IAM user's invitation determines that user's permissions on the workload. If you delete the IAM user's invitation, the user's access falls back to whatever the AWS account's invitation grants. To remove the user's access entirely, delete both workload invitations.
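The precedence and revocation rules above, as an added example that is not part of the AWS documentation: it resolves a user's effective access from a list of shares and lists which shares an administrator must delete to revoke that access. The share records, share IDs and permission labels (`READONLY`, `CONTRIBUTOR`) are constructed sample data, and the IAM user ARN format is assumed.

```python
from dataclasses import dataclass
from typing import Optional

MAX_SHARES_PER_WORKLOAD = 20  # limit stated in the considerations above


@dataclass(frozen=True)
class WorkloadShare:
    """One workload invitation (constructed shape, not the AWS API record)."""
    share_id: str
    shared_with: str  # 12-digit account ID or IAM user ARN (assumed formats)
    permission: str   # sample labels only: "READONLY" or "CONTRIBUTOR"


def account_of(principal: str) -> str:
    """Account ID for a principal that is either an account ID or an IAM user ARN."""
    if principal.startswith("arn:aws:iam::"):
        return principal.split(":")[4]  # arn:aws:iam::<account>:user/<name>
    return principal


def effective_permission(shares: list[WorkloadShare], user_arn: str) -> Optional[str]:
    """Apply the rule: a user-level share wins; otherwise the account-level share applies."""
    for share in shares:
        if share.shared_with == user_arn:
            return share.permission
    account = account_of(user_arn)
    for share in shares:
        if share.shared_with == account:
            return share.permission
    return None  # no invitation at either level: no access


def shares_to_delete_for_revocation(shares: list[WorkloadShare], user_arn: str) -> list[str]:
    """Both the user-level and the account-level share must go to remove access."""
    account = account_of(user_arn)
    return [s.share_id for s in shares if s.shared_with in (user_arn, account)]


def exceeds_share_limit(shares: list[WorkloadShare]) -> bool:
    """Flag a workload shared with more distinct principals than the documented cap."""
    return len({s.shared_with for s in shares}) > MAX_SHARES_PER_WORKLOAD


# Constructed sample: the account is shared as CONTRIBUTOR, alice individually as READONLY.
SAMPLE_SHARES = [
    WorkloadShare("share-acct", "123456789012", "CONTRIBUTOR"),
    WorkloadShare("share-user-alice", "arn:aws:iam::123456789012:user/alice", "READONLY"),
]
```

Auditing effective access this way catches the common mistake of deleting only the user-level share and assuming the user no longer has access.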