Sharing your Amazon resources
To share a resource that you own by using Amazon RAM, do the following:
Notes
- Sharing a resource with principals outside of the Amazon Web Services account that owns the resource doesn't change the permissions or quotas that apply to the resource within the account that created it.
- Amazon RAM is a Regional service. The principals that you share with can access resource shares in only the Amazon Web Services Regions in which they were created.
- Some resources have special considerations and prerequisites for sharing. For more information, see Shareable Amazon resources.
Enable resource sharing within Amazon Organizations
When your account is managed by Amazon Organizations, you can take advantage of that to share resources more easily. With or without Organizations, a user can share with individual accounts. However, if your account is in an organization, then you can share with individual accounts, or with all accounts in the organization or in an OU without having to enumerate each account.
To share resources within an organization, you must first use the Amazon RAM console or Amazon Command Line Interface (Amazon CLI) to enable sharing with Amazon Organizations. When you share resources in your organization, Amazon RAM doesn't send invitations to principals. Principals in your organization gain access to shared resources without exchanging invitations.
When you enable resource sharing within your organization, Amazon RAM creates a service-linked role called AWSServiceRoleForResourceAccessManager. This role can be assumed only by the Amazon RAM service, and it grants Amazon RAM permission to retrieve information about the organization that the account is a member of, by using the Amazon managed policy AWSResourceAccessManagerServiceRolePolicy.
If you no longer need to share resources with your entire organization or OUs, you can disable resource sharing. For more information, see Disabling resource sharing with Amazon Organizations.
Minimum permissions
To run the procedures below, you must sign in as a principal in the organization's management account that has the following permissions:
- ram:EnableSharingWithAwsOrganization
- iam:CreateServiceLinkedRole
- organizations:enableAWSServiceAccess
- organizations:DescribeOrganization
Requirements
- You can perform these steps only while signed in as a principal in the organization's management account.
- The organization must have all features enabled. For more information, see Enabling all features in your organization in the Amazon Organizations User Guide.
Important
You must enable sharing with Amazon Organizations by using the Amazon RAM console or the enable-sharing-with-aws-organization Amazon CLI command. This ensures that the AWSServiceRoleForResourceAccessManager service-linked role is created. If you enable trusted access with Amazon Organizations by using the Amazon Organizations console or the enable-aws-service-access Amazon CLI command, the AWSServiceRoleForResourceAccessManager service-linked role isn't created, and you can't share resources within your organization.
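Enabling sharing the documented way and then verifying the result, as an added example that is not part of the Amazon RAM documentation. It drives the Organizations, IAM, RAM and STS API calls named above through boto3-style clients passed in as parameters; the Fake* classes, the account ID 111111111111 and the organization ID o-exampleorgid are constructed stand-ins so the module runs offline, and in a real management account you would pass boto3.client("organizations"), boto3.client("iam"), boto3.client("ram") and boto3.client("sts") instead. The part worth keeping as an operational check is diagnose_sharing_state, which tells a correct enablement apart from the state the Important note warns about: trusted access switched on from the Organizations side, with no service-linked role.

```python
# Added example, not code from the Amazon RAM documentation. Clients are passed in
# so the same functions run against real boto3 clients or against the constructed
# Fake* stand-ins at the bottom (offline demo; all IDs are hypothetical).
from types import SimpleNamespace

RAM_SERVICE_PRINCIPAL = "ram.amazonaws.com"
RAM_SLR_NAME = "AWSServiceRoleForResourceAccessManager"


def check_prerequisites(orgs, sts):
    """Return the reasons sharing cannot be enabled (empty list means go ahead)."""
    problems = []
    org = orgs.describe_organization()["Organization"]
    caller = sts.get_caller_identity()["Account"]
    if org.get("FeatureSet") != "ALL":
        problems.append("organization must have all features enabled (FeatureSet=ALL)")
    if caller != org.get("MasterAccountId"):
        problems.append(f"run from the management account {org.get('MasterAccountId')}, not {caller}")
    return problems


def ram_service_access_enabled(orgs):
    """True if ram.amazonaws.com is an enabled service principal for the organization."""
    kwargs = {}
    while True:
        page = orgs.list_aws_service_access_for_organization(**kwargs)
        if any(e.get("ServicePrincipal") == RAM_SERVICE_PRINCIPAL
               for e in page.get("EnabledServicePrincipals", [])):
            return True
        if not page.get("NextToken"):
            return False
        kwargs = {"NextToken": page["NextToken"]}


def ram_slr_exists(iam):
    """True if the service-linked role exists in the management account."""
    try:
        iam.get_role(RoleName=RAM_SLR_NAME)
        return True
    except iam.exceptions.NoSuchEntityException:
        return False


def diagnose_sharing_state(orgs, iam):
    """'enabled': both conditions hold. 'partial': trusted access was turned on from the
    Organizations side, so the role is missing and organization-scoped sharing fails.
    'disabled': neither condition holds."""
    access, slr = ram_service_access_enabled(orgs), ram_slr_exists(iam)
    if access and slr:
        return "enabled"
    return "partial" if access else "disabled"


def enable_sharing_with_organization(ram, orgs, iam, sts):
    """Enable sharing through the RAM API (the call that creates the role), then re-check."""
    problems = check_prerequisites(orgs, sts)
    if problems:
        raise PermissionError("; ".join(problems))
    if diagnose_sharing_state(orgs, iam) == "enabled":
        return "enabled"
    # Deliberately ram.*, never orgs.enable_aws_service_access.
    if not ram.enable_sharing_with_aws_organization().get("returnValue"):
        raise RuntimeError("EnableSharingWithAwsOrganization did not return true")
    return diagnose_sharing_state(orgs, iam)


# ---- Constructed fakes: response shapes mirror the real APIs, data is made up ----
class _NoSuchEntity(Exception): pass


class FakeIam:
    exceptions = SimpleNamespace(NoSuchEntityException=_NoSuchEntity)

    def __init__(self, roles=()):
        self.roles = set(roles)

    def get_role(self, RoleName):
        if RoleName not in self.roles:
            raise _NoSuchEntity(RoleName)
        return {"Role": {"RoleName": RoleName}}


class FakeOrganizations:
    def __init__(self, master_account, feature_set="ALL", enabled_services=()):
        self.org = {"Id": "o-exampleorgid", "MasterAccountId": master_account, "FeatureSet": feature_set}
        self.enabled = list(enabled_services)

    def describe_organization(self):
        return {"Organization": dict(self.org)}

    def list_aws_service_access_for_organization(self, NextToken=None):
        return {"EnabledServicePrincipals": [{"ServicePrincipal": s} for s in self.enabled]}


def fake_sts(account):
    return SimpleNamespace(get_caller_identity=lambda: {"Account": account})


class FakeRam:
    """Models the real call's side effects: trusted access enabled AND the role created."""
    def __init__(self, orgs, iam):
        self.orgs, self.iam = orgs, iam

    def enable_sharing_with_aws_organization(self):
        if RAM_SERVICE_PRINCIPAL not in self.orgs.enabled:
            self.orgs.enabled.append(RAM_SERVICE_PRINCIPAL)
        self.iam.roles.add(RAM_SLR_NAME)
        return {"returnValue": True}
```

In a real account, run diagnose_sharing_state first: a "partial" result means someone used the Organizations console or enable-aws-service-access, and the remediation is the RAM call, not another Organizations call.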
Create a resource share
To share resources that you own, create a resource share. Here's an overview of the process:
- Add the resources that you want to share.
- For each resource type that you include in the share, specify the managed permission to use for that resource type.
  - You can choose one of the available Amazon managed permissions, an existing customer managed permission, or create a new customer managed permission.
  - Amazon managed permissions are created by Amazon to cover standard use cases.
  - Customer managed permissions allow you to tailor your own managed permissions to meet your security and business needs.
  Note
  If the selected managed permission has multiple versions, then Amazon RAM automatically attaches the default version. You can attach only the version that is designated as the default.
- Specify the principals that you want to have access to the resources.
Considerations
- If you later need to delete an Amazon resource that you included in a share, we recommend that you first either remove the resource from any resource share that includes it, or delete the resource share.
- The resource types that you can include in a resource share are listed at Shareable Amazon resources.
- You can share a resource only if you own it. You can't share a resource that's shared with you.
- Amazon RAM is a Regional service. When you share a resource with principals in other Amazon Web Services accounts, those principals must access each resource from the same Amazon Web Services Region that it was created in. For supported global resources, you can access those resources from any Amazon Web Services Region that's supported by that resource's service console and tools. You can view such resource shares and their global resources in the Amazon RAM console and tools only in the designated home Region, US East (N. Virginia), us-east-1. For more information about Amazon RAM and global resources, see Sharing Regional resources compared to global resources.
- If the account you're sharing from is part of an organization in Amazon Organizations and sharing within your organization is enabled, any principals in the organization that you share with are automatically granted access to the resource shares without the use of invitations. A principal in an account that you share with outside of the context of an organization receives an invitation to join the resource share and is granted access to the shared resources only after they accept the invitation.
- If you share with a service principal, you can't associate any other principals with the resource share.
- If the sharing is between accounts or principals that are part of an organization, then any changes to organization membership dynamically affect access to the resource share.
  - If you add an Amazon Web Services account to the organization or an OU that has access to a resource share, then that new member account automatically gets access to the resource share. The administrator of the account you shared with can then grant individual principals in that account access to the resources in that share.
  - If you remove an account from the organization or an OU that has access to a resource share, then any principals in that account automatically lose access to resources that were accessed through that resource share.
  - If you shared directly with a member account or with IAM roles or users in the member account and then remove that account from the organization, then any principals in that account lose access to the resources that were accessed through that resource share.
Important
When you share with an organization or an OU, and that scope includes the account that owns the resource share, all principals in the sharing account automatically get access to the resources in the share. The access granted is defined by the managed permissions associated with the share. This is because the resource-based policy that Amazon RAM attaches to each resource in the share uses "Principal": "*". For more information, see Implications of using "Principal": "*" in a resource-based policy.
Principals in the other consuming accounts don't immediately get access to the share's resources. The other accounts' administrators must first attach identity-based permission policies to the appropriate principals. Those policies must grant Allow access to the ARNs of individual resources in the resource share. The permissions in those policies can't exceed those specified in the managed permission associated with the resource share.
- You can add only the organization your account is a member of, and OUs from that organization, to your resource shares. You can't add OUs or organizations from outside your own organization to a resource share as principals. However, you can add individual Amazon Web Services accounts or, for supported services, IAM roles and users from outside your organization as principals to a resource share.
Note
Not all resource types can be shared with IAM roles and users. For information about resources that you can share with these principals, see Shareable Amazon resources.
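A local pre-flight check that encodes the considerations above before create-resource-share is called, as an added example that is not part of the Amazon RAM documentation and is not RAM's own validation. It rejects resource ARNs the account does not own, organizations and OUs other than your own, and a service principal mixed with other principals; it warns when an organization or OU scope contains the sharing account itself (the "Principal": "*" case); and it notes where an invitation will have to be accepted. The organization layout is passed in as plain data (owner_ou_path and org_members), which in a real account you would derive from organizations.list_parents and organizations.list_accounts. Every account ID, organization ID, OU ID and ARN in the test values is hypothetical.

```python
# Added example, not code from the Amazon RAM documentation. Local pre-flight
# validation of a proposed resource share; organization layout is supplied as
# plain data and every ID/ARN used with it is hypothetical.
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
ORG_ARN_RE = re.compile(r"^arn:aws[\w-]*:organizations::\d{12}:organization/(o-[a-z0-9]+)$")
OU_ARN_RE = re.compile(r"^arn:aws[\w-]*:organizations::\d{12}:ou/(o-[a-z0-9]+)/(ou-[a-z0-9]+-[a-z0-9]+)$")
IAM_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):(?:role|user)/.+$")
SERVICE_RE = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com(?:\.cn)?$")
RESOURCE_ARN_RE = re.compile(r"^arn:aws[\w-]*:[^:]+:[^:]*:(\d{12})?:.+$")


def validate_resource_arns(owner_account, resource_arns):
    """You can share only resources you own: flag ARNs that carry another account ID.
    ARNs with an empty account field (some global resources) cannot be checked this way."""
    findings = []
    for arn in resource_arns:
        m = RESOURCE_ARN_RE.match(arn)
        if not m:
            findings.append(("error", f"not a resource ARN: {arn}"))
        elif m.group(1) and m.group(1) != owner_account:
            findings.append(("error", f"{arn} belongs to {m.group(1)}, not {owner_account}; "
                                      "a resource shared with you cannot be re-shared"))
    return findings


def validate_share_principals(owner_account, owner_org_id, owner_ou_path, org_members, principals):
    """Return (level, message) findings for a proposed principal list.

    owner_ou_path: root ID and OU IDs that contain the sharing account.
    org_members:   account IDs currently in the organization.
    error   = RAM would reject it, or it is outside your organization.
    warning = allowed, but the scope includes the sharing account itself, so the
              "Principal": "*" policy RAM attaches gives every principal in that
              account the managed permission's access.
    info    = an invitation is issued and must be accepted before it expires, or
              the principal type is not supported by every resource type."""
    findings = []
    principals = list(principals)
    if any(SERVICE_RE.match(p) for p in principals) and len(principals) > 1:
        findings.append(("error", "a share with a service principal cannot contain other principals"))
    star = (f"scope includes the sharing account {owner_account}: all of its principals "
            "get access through the \"Principal\": \"*\" resource policy")
    for p in principals:
        m_org, m_ou, m_iam = ORG_ARN_RE.match(p), OU_ARN_RE.match(p), IAM_ARN_RE.match(p)
        if ACCOUNT_RE.match(p) or m_iam:
            account = m_iam.group(1) if m_iam else p
            if account not in org_members:
                findings.append(("info", f"{p} is outside the organization: invitation required"))
            if m_iam:
                findings.append(("info", f"{p}: not every resource type can be shared with IAM roles or users"))
        elif m_org:
            if m_org.group(1) != owner_org_id:
                findings.append(("error", f"{p} is not your organization ({owner_org_id})"))
            else:
                findings.append(("warning", f"{p}: {star}"))
        elif m_ou:
            org_id, ou_id = m_ou.groups()
            if org_id != owner_org_id:
                findings.append(("error", f"{p} is an OU outside your organization ({owner_org_id})"))
            elif ou_id in owner_ou_path:
                findings.append(("warning", f"{p}: {star}"))
        elif not SERVICE_RE.match(p):
            findings.append(("error", f"unrecognised principal: {p}"))
    return findings


def blocking(findings):
    """The findings that should stop create-resource-share from being called."""
    return [f for f in findings if f[0] == "error"]
```

Treat a warning as a design decision rather than a bug: sharing with an OU that contains the owning account is legitimate, but it means the managed permission applies to every principal in the owning account with no identity-based policy required, so the managed permission should be the least privileged one that works.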
For the following resource types, you have seven days to accept the invitation to join the resource share. If you don't accept the invitation before it expires, the invitation is automatically declined.
Important
For shared resource types not on the following list, you have 12 hours to accept the invitation to join the resource share. After 12 hours, the invitation expires and the end user principal in the resource share is disassociated. The invitation can no longer be accepted by end users.
- Amazon Aurora – DB clusters
- Amazon EC2 – capacity reservations and dedicated hosts
- Amazon License Manager – License configurations
- Amazon Outposts – Local gateway route tables, outposts, and sites
- Amazon Route 53 – Forwarding rules
- Amazon VPC – Customer-owned IPv4 addresses, prefix lists, subnets, traffic mirror targets, transit gateways, transit gateway multicast domains
-