Amazon managed policies for Amazon RAM - Amazon Resource Access Manager

Amazon managed policies for Amazon RAM

Amazon Resource Access Manager currently provides the following Amazon RAM managed policies, each of which is described in this topic:

  • AWSResourceAccessManagerReadOnlyAccess
  • AWSResourceAccessManagerFullAccess
  • AWSResourceAccessManagerResourceShareParticipantAccess
  • AWSResourceAccessManagerServiceRolePolicy

You can attach the first three policies in this list to your IAM roles, groups, and users to grant permissions. The last policy in the list is reserved for the Amazon RAM service's service-linked role.

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

Amazon managed policy: AWSResourceAccessManagerReadOnlyAccess

You can attach the AWSResourceAccessManagerReadOnlyAccess policy to your IAM identities.

This policy provides read-only permissions to the resource shares that are owned by your Amazon Web Services account.

It does this by granting permission to run any ram action whose name begins with Get or List (ram:Get* and ram:List*). It doesn't provide any ability to modify any resource share.

Permissions details

This policy includes the following permissions.

  • ram – Allows principals to view details about resource shares owned by the account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ram:Get*",
        "ram:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AWSResourceAccessManagerFullAccess

You can attach the AWSResourceAccessManagerFullAccess policy to your IAM identities.

This policy provides full administrative access to view or modify the resource shares that are owned by your Amazon Web Services account.

It does this by granting permission to run any ram operation (ram:*).

Permissions details

This policy includes the following permissions.

  • ram – Allows principals to view or modify any information about the resource shares that are owned by the Amazon Web Services account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ram:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AWSResourceAccessManagerResourceShareParticipantAccess

You can attach the AWSResourceAccessManagerResourceShareParticipantAccess policy to your IAM identities.

This policy provides principals the ability to accept or reject resource shares that are shared with this Amazon Web Services account, and to view details about these resource shares. It doesn't provide any ability to modify those resource shares.

It does this by granting permission to run only the specific ram operations listed in the policy document below.

Permissions details

This policy includes the following permissions.

  • ram – Allows principals to accept or reject resource share invitations and to view details about the resource shares that are shared with the account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ram:AcceptResourceShareInvitation",
        "ram:GetResourcePolicies",
        "ram:GetResourceShareInvitations",
        "ram:GetResourceShares",
        "ram:ListPendingInvitationResources",
        "ram:ListPrincipals",
        "ram:ListResources",
        "ram:RejectResourceShareInvitation"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AWSResourceAccessManagerServiceRolePolicy

The Amazon managed policy AWSResourceAccessManagerServiceRolePolicy can be used only with the service-linked role for Amazon RAM. You can't attach, detach, modify, or delete this policy.

This policy provides Amazon RAM with read-only access to your organization's structure. When you enable integration between Amazon RAM and Amazon Organizations, Amazon RAM automatically creates a service-linked role named AWSServiceRoleForResourceAccessManager that the service assumes when it needs to look up information about your organization and its accounts, for example, when you view the organization's structure in the Amazon RAM console.

It does this by granting read-only permission to run the specific organizations:Describe* and organizations:List* operations that provide details of the organization's structure and accounts.

Permissions details

This policy includes the following permissions.

  • organizations – Allows principals to view information about the organization's structure, including the organizational units, and the Amazon Web Services accounts they contain.
  • iam – Allows deletion of the Amazon RAM service-linked role (roles under the aws-service-role/ram.amazonaws.com path), as stated by the AllowDeletionOfServiceLinkedRoleForResourceAccessManager statement.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListRoots"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowDeletionOfServiceLinkedRoleForResourceAccessManager",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/ram.amazonaws.com/*"
      ]
    }
  ]
}
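The least-privilege guidance above (prefer the narrowest managed policy, and scope down further with a customer managed policy) can be checked mechanically. The following added example, which is not part of the Amazon documentation, takes the three attachable policy documents shown on this page and a list of actions a principal actually needs, and reports the narrowest policy that still allows all of them. The action matching is a simplified re-implementation of IAM's Action element matching (Allow statements and wildcards only; Resource and Condition elements are not evaluated), and the probe set used to rank breadth is constructed for this example.

```python
"""Pick the narrowest Amazon RAM managed policy that covers a set of actions.
Added example: simplified IAM action matching (Allow statements and Action
wildcards only; Resource and Condition elements are not evaluated)."""
import fnmatch

# The three attachable managed policies, copied from the policy documents above.
MANAGED_POLICIES = {
    "AWSResourceAccessManagerReadOnlyAccess": {
        "Statement": [{"Effect": "Allow", "Action": ["ram:Get*", "ram:List*"], "Resource": "*"}]},
    "AWSResourceAccessManagerResourceShareParticipantAccess": {
        "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
            "ram:AcceptResourceShareInvitation", "ram:GetResourcePolicies",
            "ram:GetResourceShareInvitations", "ram:GetResourceShares",
            "ram:ListPendingInvitationResources", "ram:ListPrincipals",
            "ram:ListResources", "ram:RejectResourceShareInvitation"]}]},
    "AWSResourceAccessManagerFullAccess": {
        "Statement": [{"Effect": "Allow", "Action": ["ram:*"], "Resource": "*"}]},
}

# Constructed probe set used only to rank how broad each policy is: a mix of
# read-only and mutating Amazon RAM API actions.
PROBE_ACTIONS = [
    "ram:GetResourceShares", "ram:GetResourceShareAssociations",
    "ram:ListResources", "ram:ListPrincipals",
    "ram:AcceptResourceShareInvitation", "ram:RejectResourceShareInvitation",
    "ram:CreateResourceShare", "ram:UpdateResourceShare", "ram:DeleteResourceShare",
    "ram:AssociateResourceShare", "ram:DisassociateResourceShare",
]

def allow_patterns(policy):
    """Action patterns from every Allow statement (Action may be a string or a list)."""
    pats = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            act = stmt["Action"]
            pats.extend([act] if isinstance(act, str) else act)
    return pats

def allows(policy, action):
    """IAM-style action matching: case-insensitive, with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in allow_patterns(policy))

def breadth(policy):
    """Number of probe actions the policy allows; lower means narrower."""
    return sum(allows(policy, a) for a in PROBE_ACTIONS)

def narrowest_policy(required_actions, policies=MANAGED_POLICIES):
    """Name of the least-broad policy that allows every required action, or None."""
    fits = [n for n, p in policies.items() if all(allows(p, a) for a in required_actions)]
    return min(fits, key=lambda n: (breadth(policies[n]), n)) if fits else None
```

A principal that only needs to accept invitations and read its shares is matched to the ParticipantAccess policy rather than FullAccess, and a principal that needs to create shares is correctly reported as requiring FullAccess, the cue to write a scoped-down customer managed policy instead.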

Amazon RAM updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon RAM since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon RAM Document history page.

Change                                                  | Description                                                                       | Date
--------------------------------------------------------|-----------------------------------------------------------------------------------|-------------------
Amazon Resource Access Manager started tracking changes | Amazon RAM documented its existing managed policies and started tracking changes. | September 16, 2021