Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Support cross-account for clusters in ARC

Amazon Application Recovery Controller (ARC) integrates with Amazon Resource Access Manager to enable resource sharing. Amazon RAM is a service that enables you to share resources with other Amazon Web Services accounts or through Amazon Organizations. For ARC, you can share the cluster resource.

With Amazon RAM, you share resources that you own by creating a resource share. A resource share specifies the resources to share, and the participants to share them with. Participants can include:

For more information about Amazon RAM, see the Amazon RAM User Guide.

By using Amazon Resource Access Manager to share cluster resources across accounts in ARC, you can use one cluster to host control panels and routing controls owned by several different Amazon Web Services accounts. When you opt to share a cluster, other Amazon Web Services accounts that you specify can use the cluster to host their own control panels and routing controls, allowing more control and flexibility over routing capabilities across different teams.

Amazon RAM is a service that helps Amazon customers to securely share resources across Amazon Web Services accounts. With Amazon RAM, you can share resources within an organization or organizational units (OUs) in Amazon Organizations, by using IAM roles and users. Amazon RAM is a centralized and controlled way to share a cluster.

When you share a cluster, you can reduce the number of total clusters that your organization requires. With a shared cluster, you can allocate the total cost of running the cluster across different teams, to maximize the benefits of ARC with lower cost. (Creating resources that are hosted in a cluster does not have additional costs, for the owner or for participants.) Sharing clusters across accounts can also ease the process of onboarding multiple applications to ARC, especially if you have a large number of applications distributed across several accounts and operations teams.

To get started with cross-account sharing in ARC, you create a resource share in Amazon RAM. The resource share specifies participants who are authorized to share the cluster that your account owns. Then, participants can create resources, such as control panels and routing controls, in the cluster, by using the Amazon Web Services Management Console or by running ARC API operations using the Amazon Command Line Interface or Amazon SDKs.

This topic explains how to share resources that you own, and how to use resources that are shared with you.

Prerequisites for sharing clusters

Sharing a cluster

When you share a cluster that you own, the participants that you specify to share the cluster can create and host their own ARC resources in the cluster.

To share a cluster, you must add it to a resource share. A resource share is an Amazon RAM resource that lets you share your resources across Amazon Web Services accounts. A resource share specifies the resources to share, and the participants they're shared with. To share a cluster you can create a new resource share or add the resource to an existing resource share. To create a new resource share, you can use the Amazon RAM console, or use Amazon RAM API operations with the Amazon Command Line Interface or Amazon SDKs.

If you are part of an organization in Amazon Organizations and sharing within your organization is enabled, participants in your organization are automatically granted access to the shared cluster. Otherwise, participants receive an invitation to join the resource share and are granted access to the shared cluster after accepting the invitation.

You can share a cluster that you own by using the Amazon RAM console, or by using Amazon RAM API operations with the Amazon CLI or SDKs.

To share a cluster that you own by using the Amazon RAM console

See Creating a resource share in the Amazon RAM User Guide.

To share a cluster that you own by using the Amazon CLI

Use the create-resource-share command.

Granting permissions to share clusters

Sharing clusters across accounts requires permissions for the IAM principal sharing the cluster via Amazon RAM.

We recommend using the AmazonRoute53RecoveryControlConfigFullAccess managed IAM policy to ensure that your IAM principals have the required permissions to share and use shared clusters.

Sharing a cluster using a custom IAM policy requires route53-recovery-control-config:PutResourcePolicy, route53-recovery-control-config:GetResourcePolicy, and route53-recovery-control-config:DeleteResourcePolicy permissions for that cluster. PutResourcePolicy and DeleteResourcePolicy are permission-only IAM actions. Attempting to share a cluster through Amazon RAM without having these permissions will result in an error.

For more information about the way that Amazon Resource Access Manager uses IAM see How Amazon Resource Access Manager uses IAM in the Amazon RAM User Guide.

Unsharing a shared cluster

When you unshare a cluster, the following applies to participants and owners:

To unshare a shared cluster that you own, remove it from the resource share. You can do this by using the Amazon RAM console or by using Amazon RAM API operations with the Amazon CLI or SDKs.

To unshare a shared cluster that you own using the Amazon RAM console

See Updating a resource share in the Amazon RAM User Guide.

To unshare a shared cluster that you own using the Amazon CLI

Use the disassociate-resource-share command.

Identifying a shared cluster

Owners and participants can identify shared clusters by viewing information in Amazon RAM. They can also get information about shared resources by using the ARC console and Amazon CLI.

In general, to learn more about the resources that you've shared or that have been shared with you, see the information in the Amazon Resource Access Manager User Guide:

As an owner, you can determine if you're sharing a cluster by viewing information in the Amazon Web Services Management Console or by using the Amazon Command Line Interface with ARC API operations.

To identify if a cluster that you own is shared by using the console

In the Amazon Web Services Management Console, on the details page for a cluster, see the Cluster sharing status.

To identify if a cluster that you own is shared by using the Amazon CLI

Use the get-resource-policy command. If there is a resource policy for a cluster, the command returns information about the policy.

As a participant, when a cluster is shared with you, you typically must accept the share. In addition, the Owner field for the cluster contains the account of the cluster owner.

Responsibilities and permissions for shared clusters

Permissions for owners

When you share a cluster that you own with other Amazon Web Services accounts, participants who are permitted to use the cluster can create control panels, routing controls, and other resources in the cluster.

As a cluster owner, you are responsible for creating, managing, and deleting clusters. You can't modify or delete resources created by participants, such as routing controls and safety rules. For example, you can't update a routing control created by a participant to change the routing control state.

However, you can view the details for routing controls that are created by participants in a cluster that you own. For example, you can view routing control states by calling a ARC routing control API operation, using the Amazon Command Line Interface or Amazon SDKs.

If you need to modify resources create by participants, they can set up a role in IAM with permission to access the resources, and add your account to the role.

Permissions for participants

In general, participants can create and use control panels, routing controls, safety rules, and health checks that they create in a cluster that is shared with them. They can only view, modify, or delete cluster resources in the shared cluster if they own the resources. For example, participants can create and delete safety rules for control panels that they have created.

The following restrictions apply for participants:

As noted, participants cannot create routing controls in the default control panel for a shared cluster, because the cluster owner owns the default control panel. However, the cluster owner can create a cross-account IAM role that provides permission to access the default control panel for the cluster. Then, the owner can grant a participant permissions to assume the role, so that the participant can access the default control panel to use it however the owner has specified through the role's permissions.

Billing costs

The owner of a cluster in ARC is billed for costs associated with the cluster. There are no additional costs, for cluster owners or for participants, for creating resources hosted in a cluster.

For detailed pricing information and examples, see Amazon Application Recovery Controller (ARC) Pricing and scroll down to Amazon Application Recovery Controller (ARC).

Quotas

All resources created in a shared cluster—including resources created by all participants with access to the shared cluster—count toward quotas in effect for the cluster and other resources, such as routing controls. If accounts that share the cluster resource have a higher quota than the cluster owner's quotas, the cluster owner's quotas takes precedence over the quotas for the accounts that are sharing.

To better understand how this works, see the following examples. To illustrate how quotas work with resource sharing, for these examples, let's say that the cluster owner is Owner and an account that the cluster has been shared with is Participant.

For a list of routing control quotas, see Quotas for routing control.