Amazon managed policies for Amazon RAM - Amazon Resource Access Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon RAM

Amazon Resource Access Manager currently provides several Amazon RAM managed policies, which are described in this topic.

In the preceding list, you can attach the first three policies to your IAM roles, groups, and users to grant permissions. The last policy in the list is reserved for the Amazon RAM service's service-linked role.

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

Amazon managed policy: AWSResourceAccessManagerReadOnlyAccess

You can attach the AWSResourceAccessManagerReadOnlyAccess policy to your IAM identities.

This policy provides read-only permissions to the resource shares that are owned by your Amazon Web Services account.

It does this by granting permission to run any of the Get* or List* operations. It doesn't provide any ability to modify any resource share.

Permissions details

This policy includes the following permissions.

  • ram – Allows principals to view details about resource shares owned by the account.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ram:Get*", "ram:List*" ], "Effect": "Allow", "Resource": "*" } ] }

Amazon managed policy: AWSResourceAccessManagerFullAccess

You can attach the AWSResourceAccessManagerFullAccess policy to your IAM identities.

This policy provides full administrative access to view or modify the resource shares that are owned by your Amazon Web Services account.

It does this by granting permission to run any ram operations.

Permissions details

This policy includes the following permissions.

  • ram – Allows principals to view or modify any information about the resource shares that are owned by the Amazon Web Services account.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ram:*" ], "Effect": "Allow", "Resource": "*" } ] }

Amazon managed policy: AWSResourceAccessManagerResourceShareParticipantAccess

You can attach the AWSResourceAccessManagerResourceShareParticipantAccess policy to your IAM identities.

This policy provides principals the ability to accept or reject resource shares that are shared with this Amazon Web Services account, and to view details about these resource shares. It doesn't provide any ability to modify those resource shares.

It does this by granting permission to run some ram operations.

Permissions details

This policy includes the following permissions.

  • ram – Allows principals to accept or reject resource share invitations and to view details about the resource shares that are shared with the account.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ram:AcceptResourceShareInvitation", "ram:GetResourcePolicies", "ram:GetResourceShareInvitations", "ram:GetResourceShares", "ram:ListPendingInvitationResources", "ram:ListPrincipals", "ram:ListResources", "ram:RejectResourceShareInvitation" ], "Effect": "Allow", "Resource": "*" } ] }

Amazon managed policy: AWSResourceAccessManagerServiceRolePolicy

The Amazon managed policy AWSResourceAccessManagerServiceRolePolicycan be used only with the service-linked role for Amazon RAM. You can't attach, detach, modify, or delete this policy.

This policy provides Amazon RAM with read-only access to your organization's structure. When you enable integration between Amazon RAM and Amazon Organizations, Amazon RAM automatically creates a service-linked role named AWSServiceRoleForResourceAccessManager that the service assumes when it needs to look up information about your organization and its accounts, for example, when you view the organization's structure in the Amazon RAM console.

It does this by granting read-only permission to run the organizations:Describe and organizations:List operations that provide details of the organization's structure and accounts.

Permissions details

This policy includes the following permissions.

  • organizations – Allows principals to view information about the organization's structure, including the organizational units, and the Amazon Web Services accounts they contain.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "organizations:DescribeAccount", "organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListChildren", "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents", "organizations:ListRoots" ], "Resource": "*" }, { "Sid": "AllowDeletionOfServiceLinkedRoleForResourceAccessManager", "Effect": "Allow", "Action": [ "iam:DeleteRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/ram.amazonaws.com/*" ] } ] }

Amazon RAM updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon RAM since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon RAM Document history page.

Change Description Date

Amazon Resource Access Manager started tracking changes

Amazon RAM documented its existing managed policies and started tracking changes.

September 16, 2021