Support sharing plans across accounts for ARC Region switch
Amazon Application Recovery Controller (ARC) integrates with Amazon Resource Access Manager to enable resource sharing. Amazon RAM is a service that enables you to share resources with other Amazon Web Services accounts or through Amazon Organizations. For ARC Region switch, you can share the Region switch plan. (To use resources from another account in your plan, you use a crossAccount role. To learn more, see Cross-account resources.)
With Amazon RAM, you share resources that you own by creating a resource share. A resource share specifies the resources to share, and the participants to share them with. Participants can include:
- Specific Amazon Web Services accounts inside or outside of the owner's organization in Amazon Organizations
- An organizational unit inside the owner's organization in Amazon Organizations
- The owner's entire organization in Amazon Organizations
For more information about Amazon RAM, see the Amazon RAM User Guide.
By using Amazon Resource Access Manager to share plans across accounts in ARC, you can use one plan with several different Amazon Web Services accounts. When you opt to share a plan, other Amazon Web Services accounts that you specify can execute the plan to perform application recovery.
Amazon RAM is a service that helps Amazon customers to securely share resources across Amazon Web Services accounts. With Amazon RAM, you can share resources within an organization or organizational units (OUs) in Amazon Organizations, by using IAM roles and users. Amazon RAM is a centralized and controlled way to share a plan.
When you share a plan, you can reduce the number of total plans that your organization requires. With a shared plan, you can allocate the total cost of running the plan across different teams, to maximize the benefits of ARC with lower cost. Sharing plans across accounts can also ease the process of onboarding multiple applications to ARC, especially if you have a large number of applications distributed across several accounts and operations teams.
To get started with cross-account sharing in ARC, you create a resource share in Amazon RAM. The resource share specifies the participants who are authorized to use the plan that your account owns.
This topic explains how to share resources that you own, and how to use resources that are shared with you.
Prerequisites for sharing plans
- To share a plan, you must own it in your Amazon Web Services account. This means that the resource must be allocated or provisioned in your account. You cannot share a plan that has been shared with you.
- To share a plan with your organization or an organizational unit in Amazon Organizations, you must enable sharing with Amazon Organizations. For more information, see Enable sharing with Amazon Organizations in the Amazon RAM User Guide.
Sharing a plan
When you share a plan, the participants that you specify to share the plan can view and, if you grant additional permissions, execute the plan.
To share a plan, you must add it to a resource share. A resource share is an Amazon RAM resource that lets you share your resources across Amazon Web Services accounts. A resource share specifies the resources to share, and the participants they're shared with.
To share a plan, you can create a new resource share or add the resource to an existing resource share. To create a new resource share, you can use the Amazon RAM console.
If you are part of an organization in Amazon Organizations and sharing within your organization is enabled, participants in your organization are automatically granted access to the shared plan. Otherwise, participants receive an invitation to join the resource share and are granted access to the shared plan after accepting the invitation.
You can share a plan that you own by using the Amazon RAM console, or by using Amazon RAM API operations with the Amazon CLI or SDKs.
To share a plan that you own by using the Amazon RAM console
See Creating a resource share in the Amazon RAM User Guide.
To share a plan that you own by using the Amazon CLI
Use the create-resource-share command.
Granting permissions to share plans
Sharing plans across accounts requires the following additional permissions for the IAM principal sharing the plan by using Amazon RAM:
# read and execute plan permissions
"arc-region-switch:GetPlan",
"arc-region-switch:GetPlanInRegion",
"arc-region-switch:GetPlanExecution",
"arc-region-switch:ListPlanExecutionEvents",
"arc-region-switch:ListPlanExecutions",
"arc-region-switch:ListRoute53HealthChecks",
"arc-region-switch:GetPlanEvaluationStatus",
"arc-region-switch:StartPlanExecution",
"arc-region-switch:CancelPlanExecution",
"arc-region-switch:UpdatePlanExecution",
"arc-region-switch:UpdatePlanExecutionStep"
The owner who shares the plan must have the following permissions. If you attempt to share a plan through Amazon RAM without having these permissions, an error is returned.
# permission-only APIs (no corresponding console or CLI operation)
"arc-region-switch:PutResourcePolicy",
"arc-region-switch:DeleteResourcePolicy",
"arc-region-switch:GetResourcePolicy"
For more information about the way that Amazon Resource Access Manager uses IAM see How Amazon Resource Access Manager uses IAM in the Amazon RAM User Guide.
Unsharing a shared plan
When you unshare a plan, participants can no longer view or execute it. The owner keeps the plan and its resources.
To unshare a shared plan that you own, remove it from the resource share. You can do this by using the Amazon RAM console or by using Amazon RAM API operations with the Amazon CLI or SDKs.
To unshare a shared plan that you own using the Amazon RAM console
See Updating a resource share in the Amazon RAM User Guide.
To unshare a shared plan that you own using the Amazon CLI
Use the disassociate-resource-share command.
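The share and unshare steps above, as an added example that is not part of this guide: a small Python module that calls the same Amazon RAM operations the create-resource-share and disassociate-resource-share CLI commands wrap, through a boto3-style RAM client. The client is injected, so the functions run against boto3.client("ram") in a real account and against the included FakeRamClient stub offline. The plan ARN shape, the share name, and the account and organization IDs are constructed placeholders, not values from the page; copy the real plan ARN from the plan's details page.

```python
"""Share, check, and unshare an ARC Region switch plan through Amazon RAM.

Added example: the RAM client is injected, so share_plan(boto3.client("ram"), ...)
works in a real account while FakeRamClient below lets the module run offline.
All ARNs, IDs and names here are constructed placeholders.
"""
import re
import uuid

# Assumed shape of a Region switch plan ARN; copy the real one from the plan's details page.
PLAN_ARN_RE = re.compile(r"^arn:aws[a-z-]*:arc-region-switch:[a-z0-9-]*:\d{12}:plan/\S+$")
# The three principal kinds a plan can be shared with: account, OU, or whole organization.
PRINCIPAL_RES = {
    "account": re.compile(r"^\d{12}$"),
    "organization": re.compile(
        r"^arn:aws[a-z-]*:organizations::\d{12}:organization/o-[a-z0-9]{10,32}$"),
    "ou": re.compile(
        r"^arn:aws[a-z-]*:organizations::\d{12}:ou/o-[a-z0-9]{10,32}/ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$"),
}
PLAN_ARN = "arn:aws:arc-region-switch:us-east-1:123456789012:plan/payments"  # placeholder


def classify_principal(principal: str) -> str:
    for kind, rx in PRINCIPAL_RES.items():
        if rx.match(principal):
            return kind
    raise ValueError(f"not an account ID, organization ARN or OU ARN: {principal!r}")


def share_plan(ram, plan_arn: str, principals, name: str, allow_external: bool = False) -> str:
    """Create a resource share holding one plan and return the resource share ARN.

    allow_external defaults to False so RAM rejects principals outside your
    organization unless you opt in explicitly (least privilege by default).
    """
    if not PLAN_ARN_RE.match(plan_arn):
        raise ValueError(f"not a Region switch plan ARN: {plan_arn!r}")
    principals = list(principals)
    for p in principals:
        classify_principal(p)  # fail early on anything RAM would not accept
    resp = ram.create_resource_share(
        name=name,
        resourceArns=[plan_arn],
        principals=principals,
        allowExternalPrincipals=allow_external,
        clientToken=str(uuid.uuid4()),  # idempotency token for safe retries
    )
    return resp["resourceShare"]["resourceShareArn"]


def plan_is_shared(ram, plan_arn: str) -> bool:
    """Owner-side check: does any resource share currently hold this plan?
    One plan fits on the first page of results, so pagination is not handled here."""
    resp = ram.get_resource_share_associations(associationType="RESOURCE", resourceArn=plan_arn)
    return any(a["status"] == "ASSOCIATED" for a in resp["resourceShareAssociations"])


def unshare_plan(ram, resource_share_arn: str, plan_arn: str) -> list:
    """Remove the plan from the share (participants lose view/execute); return statuses."""
    resp = ram.disassociate_resource_share(
        resourceShareArn=resource_share_arn, resourceArns=[plan_arn])
    return [a["status"] for a in resp["resourceShareAssociations"]]


class FakeRamClient:
    """Offline stand-in for boto3.client("ram") covering the three calls used above."""

    def __init__(self):
        self.calls = []
        self.shares = {}  # resource share ARN -> set of resource ARNs it holds

    def create_resource_share(self, **kw):
        self.calls.append(("create_resource_share", kw))
        arn = f"arn:aws:ram:us-east-1:123456789012:resource-share/{len(self.shares) + 1:04d}"
        self.shares[arn] = set(kw["resourceArns"])
        return {"resourceShare": {"resourceShareArn": arn, "name": kw["name"], "status": "ACTIVE"}}

    def get_resource_share_associations(self, associationType, resourceArn=None, **kw):
        assocs = [{"resourceShareArn": s, "associatedEntity": resourceArn, "status": "ASSOCIATED"}
                  for s, res in self.shares.items() if resourceArn in res]
        return {"resourceShareAssociations": assocs}

    def disassociate_resource_share(self, resourceShareArn, resourceArns=(), **kw):
        self.calls.append(("disassociate_resource_share",
                           {"resourceShareArn": resourceShareArn, "resourceArns": list(resourceArns)}))
        self.shares[resourceShareArn] -= set(resourceArns)
        return {"resourceShareAssociations": [
            {"associatedEntity": r, "status": "DISASSOCIATED"} for r in resourceArns]}


if __name__ == "__main__":
    ram = FakeRamClient()  # replace with boto3.client("ram") for real use
    share = share_plan(ram, PLAN_ARN, ["111122223333"], "regionswitch-payments")
    print(share, plan_is_shared(ram, PLAN_ARN))
    print(unshare_plan(ram, share, PLAN_ARN), plan_is_shared(ram, PLAN_ARN))
```

Against a real account the principal you share with still has to accept the invitation unless sharing with Amazon Organizations is enabled, so plan_is_shared only tells you the owner side of the association is in place.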
Identifying a shared plan
Owners and participants can identify shared plans by viewing information in Amazon RAM. They can also get information about shared resources by using the ARC console and Amazon CLI.
In general, to learn more about the resources that you've shared or that have been shared with you, see the information in the Amazon Resource Access Manager User Guide:
As an owner, you can view all resources that you are sharing with others by using Amazon RAM. For more information, see Viewing your shared resources in Amazon RAM.
As a participant, you can view all resources shared with you by using Amazon RAM. For more information, see Viewing your shared resources in Amazon RAM.
As an owner, you can determine if you're sharing a plan by viewing information in the Amazon Web Services Management Console or by using the Amazon Command Line Interface with ARC API operations.
To identify if a plan that you own is shared by using the console
In the Amazon Web Services Management Console, on the details page for a plan, see the plan sharing status.
As a participant, when a plan is shared with you, you typically must accept the share so that you can access the plan.
Responsibilities and permissions for shared plans
Permissions for owners
Participants can view or execute the plan (if they have the correct permissions).
Permissions for participants
When you share a plan that you own with other Amazon Web Services accounts, participants can view or execute the plan (if they have the correct permissions).
When you share a plan by using Amazon RAM, a participant has, by default, read-only permissions. To review a list of read-only permissions for Region switch, see Read-only permissions. Participants who need to execute a Region switch plan need additional permissions. Be aware that you cannot grant permission to an Amazon RAM participant for the following operations:
- ApprovePlanExecutionStep
- UpdatePlan
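Added example, not from this guide, that checks a participant's IAM policy against the permission model described above and in Granting permissions to share plans: it expands the policy's Allow and Deny action patterns over the Region switch actions listed on this page, reports whether the policy is read-only or can execute a plan, and flags the ungrantable actions (ApprovePlanExecutionStep, UpdatePlan) that a wildcard such as arc-region-switch:* would sweep in. The split of the page's combined read-and-execute list into read-only and execute actions is my reading of the action names, and the three sample policies are constructed.

```python
"""Lint an IAM policy intended for an Amazon RAM participant of a Region switch plan.

Added example; the sample policies are constructed, not taken from any account.
Only the Action element is checked: Resource, Condition and NotAction are ignored.
"""
import fnmatch

SERVICE = "arc-region-switch"

# The page lists these together as read-and-execute permissions; the split is by action name.
READ_ONLY_ACTIONS = {f"{SERVICE}:{a}" for a in (
    "GetPlan", "GetPlanInRegion", "GetPlanExecution", "ListPlanExecutionEvents",
    "ListPlanExecutions", "ListRoute53HealthChecks", "GetPlanEvaluationStatus")}
EXECUTE_ACTIONS = {f"{SERVICE}:{a}" for a in (
    "StartPlanExecution", "CancelPlanExecution", "UpdatePlanExecution",
    "UpdatePlanExecutionStep")}
# Operations that cannot be granted to a RAM participant at all.
NOT_GRANTABLE = {f"{SERVICE}:ApprovePlanExecutionStep", f"{SERVICE}:UpdatePlan"}
KNOWN_ACTIONS = READ_ONLY_ACTIONS | EXECUTE_ACTIONS | NOT_GRANTABLE


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # IAM matches Action values case-insensitively, with * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def effective_actions(policy: dict) -> set:
    """Known Region switch actions the policy allows: union of Allow minus union of Deny."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            bucket.update(a for a in KNOWN_ACTIONS if _matches(pattern, a))
    return allowed - denied


def lint_participant_policy(policy: dict) -> dict:
    """Summarise what the policy lets a participant do with a shared plan."""
    acts = effective_actions(policy)
    return {
        "read_only": bool(acts) and acts <= READ_ONLY_ACTIONS,
        "can_execute": EXECUTE_ACTIONS <= acts,
        "ungrantable": sorted(acts & NOT_GRANTABLE),       # should always be empty
        "missing_for_execute": sorted(EXECUTE_ACTIONS - acts),
    }


# Constructed sample policies.
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(READ_ONLY_ACTIONS), "Resource": "*"}]}
# Tempting shortcut that also claims the two ungrantable operations.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": f"{SERVICE}:*", "Resource": "*"}]}
# Same wildcard with an explicit Deny carving the ungrantable operations back out.
EXECUTE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": f"{SERVICE}:*", "Resource": "*"},
    {"Effect": "Deny", "Action": sorted(NOT_GRANTABLE), "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("read-only", READ_ONLY_POLICY), ("wildcard", WILDCARD_POLICY),
                      ("execute", EXECUTE_POLICY)):
        print(name, lint_participant_policy(pol))
```

The wildcard case is the one to watch for in review: arc-region-switch:* reads as "everything a participant may do" but names ApprovePlanExecutionStep and UpdatePlan as well, which the share cannot confer; the explicit action list, or the Deny carve-out, keeps the policy honest about what the participant actually gets.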
Billing costs
The owner of a plan in ARC is billed for costs associated with the plan. There are no additional costs, for plan owners or for participants, for creating resources hosted in a plan.
For detailed pricing information and examples, see Amazon Application Recovery Controller (ARC) Pricing.
Quotas
All resources created in a shared plan count toward quotas for the plan owner.
For a list of Region switch plan quotas, see Quotas for Region switch.