Example IAM policies for Amazon RAM - Amazon Resource Access Manager

Example IAM policies for Amazon RAM

This topic includes examples of IAM policies for Amazon RAM that demonstrate sharing specific resources and resource types and restricting sharing.

Example 1: Allow sharing of specific resources

You can use an IAM permission policy to restrict principals to associating only specific resources with resource shares.

For example, the following policy limits principals to sharing only the resolver rule with the specified Amazon Resource Name (ARN). The StringEqualsIfExists operator allows a request if either the request doesn't include a ResourceArn parameter or, if it does include that parameter, its value exactly matches the specified ARN.

For more information about when and why to use ...IfExists operators, see ...IfExists condition operators in the IAM User Guide.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ram:CreateResourceShare", "ram:AssociateResourceShare"],
        "Resource": "*",
        "Condition": {
            "StringEqualsIfExists": {
                "ram:ResourceArn": "arn:aws:route53resolver:us-west-2:123456789012:resolver-rule/rslvr-rr-5328a0899aexample"
            }
        }
    }]
}

Example 2: Allow sharing of specific resource types

You can use an IAM policy to limit principals to associating only specific resource types with resource shares.

For example, the following policy limits principals to sharing only resolver rules.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ram:CreateResourceShare", "ram:AssociateResourceShare"],
        "Resource": "*",
        "Condition": {
            "StringEqualsIfExists": {
                "ram:RequestedResourceType": "route53resolver:ResolverRule"
            }
        }
    }]
}

Example 3: Restrict sharing with external Amazon Web Services accounts

You can use an IAM policy to prevent principals from sharing resources with Amazon Web Services accounts that are outside of the principal's Amazon organization.

For example, the following IAM policy prevents principals from adding external Amazon Web Services accounts to resource shares.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ram:CreateResourceShare",
        "Resource": "*",
        "Condition": {
            "Bool": {
                "ram:RequestedAllowsExternalPrincipals": "false"
            }
        }
    }]
}
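To see how the condition operators in the three examples above decide a request, here is an added example (not from the Amazon documentation) that models the Allow statements in a small Python evaluator. It is a deliberate simplification of IAM's evaluation logic (assumed: single-valued condition keys, no Deny statements, no wildcards in Action or Resource), and the request contexts it checks are constructed; the ARN is the one from Example 1.

```python
# Minimal evaluator for the Allow statements on this page. Assumptions (not IAM's
# full logic): single-valued condition keys, no Deny statements, no wildcards.

def build_policy(actions, condition):
    """Wrap one Condition block in the Allow statement shape the examples use."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": actions, "Resource": "*", "Condition": condition}]}

RULE_ARN = ("arn:aws:route53resolver:us-west-2:123456789012:"
            "resolver-rule/rslvr-rr-5328a0899aexample")
SHARE_ACTIONS = ["ram:CreateResourceShare", "ram:AssociateResourceShare"]
EXAMPLE_1 = build_policy(SHARE_ACTIONS, {"StringEqualsIfExists": {"ram:ResourceArn": RULE_ARN}})
EXAMPLE_2 = build_policy(SHARE_ACTIONS, {"StringEqualsIfExists": {
    "ram:RequestedResourceType": "route53resolver:ResolverRule"}})
EXAMPLE_3 = build_policy("ram:CreateResourceShare", {"Bool": {
    "ram:RequestedAllowsExternalPrincipals": "false"}})

def condition_holds(operator, key, expected, context):
    """Evaluate one condition entry against the request context (the condition keys
    populated for the call). With an ...IfExists operator an absent key satisfies
    the condition; with any other operator an absent key fails it."""
    actual = context.get(key)
    if_exists = operator.endswith("IfExists")
    if actual is None:
        return if_exists
    base = operator[:-len("IfExists")] if if_exists else operator
    if base == "StringEquals":
        return actual == expected
    if base == "Bool":
        return str(actual).lower() == str(expected).lower()
    raise ValueError(f"operator {operator} is not modelled here")

def policy_allows(policy, action, context):
    """True if some Allow statement names the action and every condition entry holds."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or action not in actions:
            continue
        entries = [(op, k, v) for op, kv in stmt.get("Condition", {}).items()
                   for k, v in kv.items()]
        if all(condition_holds(op, k, v, context) for op, k, v in entries):
            return True
    return False

if __name__ == "__main__":
    # Constructed request contexts for the three policies.
    print(policy_allows(EXAMPLE_1, "ram:AssociateResourceShare", {"ram:ResourceArn": RULE_ARN}))
    print(policy_allows(EXAMPLE_1, "ram:CreateResourceShare", {}))  # key absent: IfExists passes
    print(policy_allows(EXAMPLE_3, "ram:CreateResourceShare",
                        {"ram:RequestedAllowsExternalPrincipals": "true"}))
```

The second call shows the point the page makes about ...IfExists: a CreateResourceShare request that carries no ram:ResourceArn is allowed by Example 1, so the ARN restriction only bites once a resource is actually associated.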