Terms and concepts for Amazon RAM - Amazon Resource Access Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Terms and concepts for Amazon RAM

The following concepts help explain how you can use Amazon Resource Access Manager (Amazon RAM) to share your resources.

Resource share

You share resources using Amazon RAM by creating a resource share. A resource share has the following three elements:

  • A list of one or more Amazon resources to be shared.

  • A list of one or more principals to whom access to the resources is granted.

  • A managed permission for each type of resource that you include in the share. Each managed permission applies to all resources of that type in that resource share.

After you use Amazon RAM to create a resource share, the principals specified in the resource share can be granted access to the share's resources.

  • If you turn on Amazon RAM sharing with Amazon Organizations, and your principals that you share with are in the same organization as the sharing account, those principals can receive access as soon as their account administrator grants them permissions to use the resources using an Amazon Identity and Access Management (IAM) permission policy.

  • If you don't turn on Amazon RAM sharing with Organizations, you can still share resources with individual Amazon Web Services accounts that are in your organization. The administrator in the consuming account receives an invitation to join the resource share, and they must accept the invitation before the principals specified in the resource share can access the shared resources.

  • You can also share with accounts outside of your organization, if the resource type supports it. The administrator in the consuming account receives an invitation to join the resource share, and they must accept the invitation before the principals specified in the resource share can access the shared resources. For information about which resource types support this type of sharing, see Shareable Amazon resources and view the Can share with accounts outside its organization column.

Sharing account

The sharing account contains the resource that is shared and in which the Amazon RAM administrator creates the Amazon resource share by using Amazon RAM.

An Amazon RAM administrator is an IAM principal who has permissions to create and configure resource shares in the Amazon Web Services account. Because Amazon RAM works by attaching a resource-based policy to the resources in a resource share, the Amazon RAM administrator also must have permissions to call the PutResourcePolicy operation in the Amazon Web Service for each resource type included in a resource share.

Consuming principals

The consuming account is the Amazon Web Services account to which a resource is shared. The resource share can specify an entire account as the principal, or for some resource types, individual roles or users in the account. For information about which resource types support this type of sharing, see Shareable Amazon resources and view the Can share with IAM roles & users column.

Amazon RAM also supports service principals as consumers of resource shares. For information about which resource types support this type of sharing, see Shareable Amazon resources and view the Can share with service principals column.

The principals in the consuming account can perform only those actions allowed by both of the following permissions:

  • The managed permissions attached to the resource share. These specify the maximum permissions that can be granted to the principals in the consuming account.

  • The IAM identity-based policies attached to individual roles or users by the IAM administrator in the consuming account. Those policies must grant Allow access to specified actions and to the Amazon Resource Name (ARN) of a resource in the sharing account.

Amazon RAM supports the following IAM principal types as consumers of resource shares:

  • Another Amazon Web Services account – The resource share makes the included resources in the sharing account available to the consuming account.

  • Individual IAM roles or users in another account – Some resource types support sharing directly with individual IAM roles or users. Specify this principal type by its ARN.

    • IAM rolearn:aws-cn:iam::123456789012:role/rolename

    • IAM userarn:aws-cn:iam::123456789012:user/username

  • Service principal – Share a resource with an Amazon service to grant the service access to a resource share. Service principal sharing allows an Amazon service to take actions on your behalf to ease the operational burden.

    To share with a service principal, choose to allow sharing with anyone, and then, under Select principal type, choose Service principal from the dropdown list. Specify the service principal's name in the following format:

    • service-id.amazonaws.com

    To mitigate the risk of confused deputy, the resource policy shows the resource owner's account ID in the aws:SourceAccount condition key.

  • Accounts in an organization – If the sharing account is managed by Amazon Organizations, then the resource share can specify the organization’s ID to share with all of the accounts in the organization. The resource share can alternatively specify an organizational unit (OU) ID to share with all of the accounts in that OU. A sharing account can share only with its own organization or OU IDs within its own organization. Specify accounts in an organization by the ARN of the organization or the OU.

    • All accounts in an organization – Following is an example ARN of an organization in Amazon Organizations:

      arn:aws-cn:organizations::123456789012:organization/o-<orgid>

    • All accounts in an organizational unit– Following is an example ARN of an OU ID:

      arn:aws-cn:organizations::123456789012:organization/o-<orgid>/ou-<rootid>-<ouid>

    Important

    When you share with an organization or an OU, and that scope includes the account that owns the resource share, all principals in the sharing account automatically get access to the resources in the share. The access granted is defined by the managed permissions associated with the share. This is because the resource-based policy that Amazon RAM attaches to each resource in the share uses "Principal": "*". For more information, see Implications of using "Principal": "*" in a resource-based policy.

    Principals in the other consuming accounts don't immediately get access to the share's resources. The other accounts' administrators must first attach identity-based permission policies to the appropriate principals. Those policies must grant Allow access to the ARNs of individual resources in the resource share. The permissions in those policies can't exceed those specified in the managed permission associated with the resource share.

Resource-based policy

Resource-based policies are JSON text documents that implement the IAM policy language. Unlike identity-based policies that you attach to the principal, such as an IAM role or user, you attach resource-based policies to the resource. Amazon RAM authors resource-based policies on your behalf based on the information you provide for your resource share. You must specify a Principal policy element that determines who can access the resource. For more information, see Identity-based policies and resource-based policies in the IAM User Guide.

The resource-based policies generated by Amazon RAM are evaluated along with all other IAM policy types. This includes any IAM identity-based policies attached to the principals who are attempting to access the resource, and service control policies (SCPs) for Amazon Organizations that might apply to the Amazon Web Services account. Resource-based policies generated by Amazon RAM participate in the same policy evaluation logic as all other IAM policies. For complete details of policy evaluation and how to determine the resulting permissions, see Policy evaluation logic in the IAM User Guide.

Amazon RAM provides a simple and secure resource sharing experience by providing easy-to-use abstraction resource-based policies.

For those resource types that support resource-based policies, Amazon RAM automatically constructs and manages the resource-based policies for you. For a given resource, Amazon RAM builds the resource-based policy by combining the information from all of the resource shares that include that resource. For example, consider an Amazon SageMaker pipeline that you share by using Amazon RAM and include in two different resource shares. You could use one resource share to provide read-only access to your entire organization. You could then use the other resource share to grant only SageMaker execution permissions to a single account. Amazon RAM automatically combines those two different sets of permissions into a single resource policy with multiple statements. It then attaches the combined resource-based policy to the pipeline resource. You can view this underlying resource policy by calling the GetResourcePolicy operation. Amazon Web Services then use that resource-based policy to authorize any principal who attempts to perform an action on the shared resource.

Although you can manually create the resource-based policies and attach them to your resources by calling PutResourcePolicy, we recommend that you use Amazon RAM because it provides the following advantages:

  • Discoverability for share consumers – If you share resources by using Amazon RAM, users can see all of the resources shared with them directly in the resource owning service's console and API operations as if those resources were directly in the user's account. For example, if you share an Amazon CodeBuild project with another account, users in the consuming account can see the project in the CodeBuild console and in the results of CodeBuild API operations performed. Resources shared by directly attaching a resource-based policy aren't visible this way. Instead, you must discover and explicitly refer to the resource by its ARN.

  • Manageability for share owners – If you share resources by using Amazon RAM, resource owners in the sharing account can centrally see which other accounts have access to their resources. If you share a resource using a resource-based policy, you can see the consuming accounts only by examining the policy for individual resources in the relevant service console or API.

  • Efficiency – If you share resources by using Amazon RAM, you can share multiple resources and manage them as a unit. Resources shared by using only resource-based policies require individual policies attached to every resource that you share.

  • Simplicity – With Amazon RAM, you don't need to understand the JSON-based IAM policy language. Amazon RAM provides ready-to-use Amazon managed permissions that you can choose from to attach to your resource shares.

By using Amazon RAM, you can even share some resource types that don’t support resource-based policies yet. For such resource types, Amazon RAM automatically generates a resource-based policy as a representation of the actual permissions. Users can view this representation by calling GetResourcePolicy. This includes the following resource types:

  • Amazon Aurora – DB clusters

  • Amazon EC2 – capacity reservations and dedicated hosts

  • Amazon License Manager – License configurations

  • Amazon Outposts – Local gateway route tables, outposts, and sites

  • Amazon Route 53 – Forwarding rules

  • Amazon Virtual Private Cloud – Customer-owned IPv4 addresses, prefix lists, subnets, traffic mirror targets, transit gateways, and transit gateway multicast domains

Examples of Amazon RAM generated resource-based policies

If you share an EC2 Image Builder image resource with an individual account, Amazon RAM generates a policy that looks like the following example and attaches it to any image resources that are included in the resource share.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"AWS": "arn:aws-cn:iam::123456789012:root"}, "Action": [ "imagebuilder:GetImage", "imagebuilder:ListImages", ], "Resource": "arn:aws-cn:imagebuilder:cn-north-1:123456789012:image/testimage/1.0.0/44" } ] }

If you share an EC2 Image Builder image resource with an IAM role or user in a different Amazon Web Services account, Amazon RAM generates a policy that looks like the following example and attaches it to any image resources that are included in the resource share.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws-cn:iam::123456789012:role/MySampleRole" }, "Action": [ "imagebuilder:GetImage", "imagebuilder:ListImages", ], "Resource": "arn:aws-cn:imagebuilder:cn-north-1:123456789012:image/testimage/1.0.0/44" } ] }

If you share an EC2 Image Builder image resource with all of the accounts in an organization or with the accounts an OU, Amazon RAM generates a policy that looks like the following example and attaches it to any image resources that are included in the resource share.

Note

This policy uses "Principal": "*" and then uses the "Condition" element to restrict permissions to identities that match the specified PrincipalOrgID. For more information, see Implications of using "Principal": "*" in a resource-based policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": [ "imagebuilder:GetImage", "imagebuilder:ListImages", ], "Resource": "arn:aws-cn:imagebuilder:cn-north-1:123456789012:image/testimage/1.0.0/44" "Condition": { "StringEquals": { "aws:PrincipalOrgID": "o-123456789" } } } ] }

Implications of using "Principal": "*" in a resource-based policy

When you include "Principal": "*" in a resource-based policy, the policy grants access to all IAM principals in the account that contains the resource, subject to any restrictions imposed by a Condition element, if it exists. Explicit Deny statements in any policy that applies to the calling principal overrides the permissions granted by this policy. However, an implicit Deny (meaning the lack of an explicit Allow) in any applicable identity policies, permissions boundary policies, or session policies does not result in a Deny to the principals granted access to an action by such a resource-based policy.

If this behavior isn’t desirable for your scenario, then you can limit this behavior by adding an explicit Deny statement to an identity policy, permissions boundary, or session policy that affects the relevant roles and users.

Managed permissions

Managed permissions define what actions principals can perform under which conditions on supported resource types in a resource share. When you create a resource share, you must specify which managed permission to use for each resource type included in the resource share. A managed permission lists the set of actions and conditions that principals can perform with the resource shared using Amazon RAM.

You can attach only one managed permission for each resource type in a resource share. You can't create a resource share in which some resources of a certain type use one managed permission and other resources of the same type use a different managed permission. To do that, you would need to create two different resource shares and split the resources among them, giving each set a different managed permission. There are two different types of managed permissions:

Amazon managed permissions

Amazon managed permissions are created and maintained by Amazon and grant permissions for common customer scenarios. Amazon RAM defines at least one Amazon managed permission for every supported resource type. Some resource types support more than one Amazon managed permission, with one managed permission designated as the Amazon default. The default Amazon managed permission is associated unless you specify otherwise.

Customer managed permissions

Customer managed permissions are managed permissions that you author and maintain by precisely specifying which actions can be performed under which conditions with resources shared using Amazon RAM. For example, you want to limit read access for your Amazon VPC IP Address Manager (IPAM) pools, which help you manage your IP addresses at scale. You can create customer managed permissions for your developers to assign IP addresses, but not view the range of IP addresses other developer accounts assign. You can follow the best practice of least privilege, granting only the permissions required to perform tasks on shared resources.

You define your own permission for a resource type in a resource share with the option to add conditions such as Global Context Keys and service specific keys to specify the conditions under which principals have access to the resource. These permissions can be used in one or more Amazon RAM shares. Customer managed permissions are Region specific.

Amazon RAM takes managed permissions as an input to author the resource-based policies for the resources you share.

Managed permission version

Any change to a managed permission is represented as a new version of that managed permission. The new version is the default for all new resource shares. Each managed permission always has one version designated as the default version. When you or Amazon creates a new managed permission version, you must explicitly update the managed permission for each existing resource share. You can evaluate the changes before you apply them to your resource share in this step. All new resource shares will automatically use the new version of the managed permission for the corresponding resource type.

Amazon managed permission versions

Amazon handles all changes to Amazon managed permissions. Such changes address new functionality or remove discovered shortcomings. You can only apply the default managed permission version to your resource shares.

Customer managed permission versions

You handle all changes to customer managed permissions. You can create a new default version, set an older version as the default, or delete versions that are no longer associated with any resource shares. Each customer managed permission can have up to five versions.

When you create or update a resource share, you can attach only the default version of the specified managed permission. For more information, see Updating Amazon managed permissions to a newer version.