Shareable Amazon resources

With Amazon Resource Access Manager (Amazon RAM), you can share resources that are created and managed by other Amazon Web Services services. You can share resources with individual Amazon Web Services accounts. You can also share resources with the accounts in an organization or organizational units (OUs) in Amazon Organizations. Some supported resource types also let you share resources with individual Amazon Identity and Access Management (IAM) roles and users.

The following sections list the resource types, grouped by Amazon Web Services service, that you can share by using Amazon RAM. The columns in the tables specify which features each resource type supports:

Can share with IAM users and roles	Yes – you can share resources of this type with individual Amazon Identity and Access Management (IAM) roles and users, in addition to accounts. No – you can share resources of this type with only accounts.
Can share with accounts outside its organization	Yes – you may only share resources of this type with individual accounts, inside or outside of its organization. See Considerations for more information. No – you can share resources of this type with only accounts that are members of the same organization.
Can use customer managed permissions	All resource types supported by Amazon RAM support Amazon managed permissions, but a Yes in this column means that customer managed permissions is also supported for this resource type. Yes – resources of this type support the use of customer managed permissions. No – resources of this type do not support the use of customer managed permissions.
Can share with service principals	Yes – you can share resources of this type with Amazon Web Services services. No – you can't share resources of this type with Amazon Web Services services.

Amazon App Mesh

You can share the following Amazon App Mesh resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Mesh `appmesh:Mesh`	Create and manage a mesh centrally, and share it with other Amazon Web Services accounts or your organization. A shared mesh allows resources created by different Amazon Web Services accounts to communicate with each other in the same mesh. For more information, see Working with shared meshes in the Amazon App Mesh User Guide.	Yes	Yes Can share with any Amazon Web Services account.	No	No

Mesh

appmesh:Mesh

Create and manage a mesh centrally, and share it with other Amazon Web Services accounts or your organization. A shared mesh allows resources created by different Amazon Web Services accounts to communicate with each other in the same mesh. For more information, see Working with shared meshes in the Amazon App Mesh User Guide.

Yes

Can share with any Amazon Web Services account.

Amazon AppSync GraphQL API

You can share the following Amazon AppSync GraphQL API resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
GraphyQL API `appsync:Apis`	Manage Amazon AppSync GraphQL APIs centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple accounts share Amazon AppSync APIs as part of creating a unified Amazon AppSync Merged API which can access data from multiple subschema APIs across different accounts in the same Region. For more information, see Merged APIs in the Amazon AppSync Developer Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No

GraphyQL API

appsync:Apis

Manage Amazon AppSync GraphQL APIs centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple accounts share Amazon AppSync APIs as part of creating a unified Amazon AppSync Merged API which can access data from multiple subschema APIs across different accounts in the same Region. For more information, see Merged APIs in the Amazon AppSync Developer Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon API Gateway

You can share the following Amazon API Gateway resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Domain name `apigateway:Domainnames`	Create and manage domain names centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple accounts invoke your domain names that are mapped to private APIs. For more information, see Custom domain names for private APIs in API Gateway in the Amazon API Gateway Developer Guide.	No	Yes Can share with any Amazon Web Services account.	No	No

Domain name

apigateway:Domainnames

Create and manage domain names centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple accounts invoke your domain names that are mapped to private APIs. For more information, see Custom domain names for private APIs in API Gateway in the Amazon API Gateway Developer Guide.

Yes

Can share with any Amazon Web Services account.

Amazon Application Recovery Controller (ARC)

You can share the following Amazon Application Recovery Controller (ARC) resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
ARC cluster `route53-recovery-control:Cluster`	Create and manage ARC clusters centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple accounts create control panels and routing controls in a single shared cluster, reducing complexity and the total number of clusters an organization requires. For more information, see Sharing clusters across accounts in the Amazon Application Recovery Controller (ARC) Developer Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No

ARC cluster

route53-recovery-control:Cluster

Create and manage ARC clusters centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple accounts create control panels and routing controls in a single shared cluster, reducing complexity and the total number of clusters an organization requires. For more information, see Sharing clusters across accounts in the Amazon Application Recovery Controller (ARC) Developer Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon Aurora

You can share the following Amazon Aurora resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
DB clusters `rds:Cluster`	Create and manage a DB cluster centrally, and share it with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts clone a shared, centrally managed DB cluster. For more information, see Cross-account cloning with Amazon RAM and Amazon Aurora in the Amazon Aurora User Guide.	No	Yes Can share with any Amazon Web Services account.	No	No

DB clusters

rds:Cluster

Create and manage a DB cluster centrally, and share it with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts clone a shared, centrally managed DB cluster. For more information, see Cross-account cloning with Amazon RAM and Amazon Aurora in the Amazon Aurora User Guide.

Yes

Can share with any Amazon Web Services account.

Amazon Backup

You can share the following Amazon Backup resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
BackupVault `backup:BackupVault`	Create and manage logically air-gapped vaults centrally and share them with other Amazon Web Services accounts or your organization. This option lets multiple accounts access and restore backups from the vault(s). For more information, see Overview of logically air gapped vaults in the Amazon Backup Developer Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No

BackupVault

backup:BackupVault

Create and manage logically air-gapped vaults centrally and share them with other Amazon Web Services accounts or your organization. This option lets multiple accounts access and restore backups from the vault(s). For more information, see Overview of logically air gapped vaults in the Amazon Backup Developer Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon Bedrock

You can share the following Amazon Bedrock resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Custom Model `bedrock:CustomModel`	Create and manage custom model centrally, and share it with other Amazon Web Services accounts or your organization. This lets multiple accounts use the same custom model for generative AI applications. For more information, see Share a model for another account in the Amazon Bedrock User Guide.	Yes	No Can share with only Amazon Web Services accounts in its own organization.	Yes	No

Custom Model

bedrock:CustomModel

Create and manage custom model centrally, and share it with other Amazon Web Services accounts or your organization. This lets multiple accounts use the same custom model for generative AI applications. For more information, see Share a model for another account in the Amazon Bedrock User Guide.

Yes

Can share with only Amazon Web Services accounts in its own organization.

Yes

Amazon Billing View Service

You can share the following Amazon Billing View Service resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Billing View `billing:billingview`	Create and manage custom billing views centrally, and share them with other Amazon Web Services accounts or your organization. This lets application and business unit owners access business unit-level Amazon spend from a member account. For more information, see Controlling cost management data access with Billing View in the Amazon Cost Management User Guide.	No	No Can share with only Amazon Web Services accounts in its own organization.	Yes	No

Billing View

billing:billingview

Create and manage custom billing views centrally, and share them with other Amazon Web Services accounts or your organization. This lets application and business unit owners access business unit-level Amazon spend from a member account. For more information, see Controlling cost management data access with Billing View in the Amazon Cost Management User Guide.

Can share with only Amazon Web Services accounts in its own organization.

Yes

Amazon CloudHSM

You can share the following Amazon CloudHSM resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Amazon CloudHSM Backup `cloudhsm:Backup`	Manage Amazon CloudHSM Backups centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts and users view information about the Backup and use it to restore a Amazon CloudHSM Cluster. For more information, see Managing Amazon CloudHSM backups in the Amazon CloudHSM User Guide.	Yes	Yes	Yes	No

Amazon CloudHSM Backup

cloudhsm:Backup

Manage Amazon CloudHSM Backups centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts and users view information about the Backup and use it to restore a Amazon CloudHSM Cluster. For more information, see Managing Amazon CloudHSM backups in the Amazon CloudHSM User Guide.

Yes

Amazon CodeBuild

You can share the following Amazon CodeBuild resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Project `codebuild:Project`	Create a project, and use it to run builds. Share the project with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts and users view information about a project and analyze its builds. For more information, see Working with shared projects in the Amazon CodeBuild User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No
Report group `codebuild:ReportGroup`	Create a report group, and use it to create reports when you build a project. Share the report group with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts and users view the report group and its reports, and the test case results for each report. A report can be viewed for 30 days after it's created, and then it expires and is no longer available to view. For more information, see Working with shared projects in the Amazon CodeBuild User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No

Project

codebuild:Project

Create a project, and use it to run builds. Share the project with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts and users view information about a project and analyze its builds. For more information, see Working with shared projects in the Amazon CodeBuild User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Report group

codebuild:ReportGroup

Create a report group, and use it to create reports when you build a project. Share the report group with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts and users view the report group and its reports, and the test case results for each report. A report can be viewed for 30 days after it's created, and then it expires and is no longer available to view. For more information, see Working with shared projects in the Amazon CodeBuild User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon CodeConnections

You can share the following CodeConnections resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Code Connections `codeconnections:Connection`	Manage the reuse of code connections in multiple accounts. In other words, sharing code connections reduces the administrator burden and need for administrator access in every account that requires a code connection. For more information, see Share connections with Amazon Web Services accounts in the Developer Tools Console User Guide.	No	Yes Can share with any Amazon Web Services account.	Yes	No

Code Connections

codeconnections:Connection

Manage the reuse of code connections in multiple accounts. In other words, sharing code connections reduces the administrator burden and need for administrator access in every account that requires a code connection. For more information, see Share connections with Amazon Web Services accounts in the Developer Tools Console User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon DataZone

You can share the following DataZone resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
DataZone Domain `datazone:Domain`	Create and manage domains centrally, and share it with other Amazon Web Services accounts or your organization. This lets multiple accounts create Amazon DataZone domains. For more information, see What is Amazon DataZone in the Amazon DataZone User Guide.	No	Yes Can share with any Amazon Web Services account.	No	No

DataZone Domain

datazone:Domain

Create and manage domains centrally, and share it with other Amazon Web Services accounts or your organization. This lets multiple accounts create Amazon DataZone domains. For more information, see What is Amazon DataZone in the Amazon DataZone User Guide.

Yes

Can share with any Amazon Web Services account.

Amazon EC2

You can share the following Amazon EC2 resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Capacity reservations `ec2:CapacityReservation`	Create and manage capacity reservations centrally, and share the reserved capacity with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts launch their Amazon EC2 instances into centrally managed reserved capacity. For more information, see Working with shared Capacity Reservations in the Amazon EC2 User Guide. Important If you don't meet all of the prerequisites for sharing a capacity reservation, then the sharing operation can fail. If this happens and a user attempts to launch an Amazon EC2 instance into that capacity reservation, it launches as an on-demand instance that can accrue higher costs. We recommend that you verify that you can access the shared capacity reservation by attempting to view it in the Amazon EC2 console. You can also monitor for failed resource shares so that you can take corrective action before users launch instances in ways that raise your costs. For more information, see Example: Alerting on resource share failures.	No	Yes Can share with any Amazon Web Services account.	No	No
Dedicated hosts `ec2:DedicatedHost`	Allocate and manage Amazon EC2 dedicated hosts centrally, and share the host's instance capacity with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts launch their Amazon EC2 instances on to centrally managed dedicated hosts. For more information, see Working with shared Dedicated Hosts in the Amazon EC2 User Guide.	No	Yes Can share with any Amazon Web Services account.	No	No
Placement groups `ec2:PlacementGroup`	Share the placement groups you own across your Amazon Web Services accounts, both within and outside your organization. You can launch Amazon EC2 instances from any of the accounts you share with into a shared placement group. For more information, see, Share a placement group in the Amazon EC2 User Guide.	Yes	Yes Can share with any Amazon Web Services account.	No	No

Capacity reservations

ec2:CapacityReservation

Create and manage capacity reservations centrally, and share the reserved capacity with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts launch their Amazon EC2 instances into centrally managed reserved capacity. For more information, see Working with shared Capacity Reservations in the Amazon EC2 User Guide.

Important

If you don't meet all of the prerequisites for sharing a capacity reservation, then the sharing operation can fail. If this happens and a user attempts to launch an Amazon EC2 instance into that capacity reservation, it launches as an on-demand instance that can accrue higher costs. We recommend that you verify that you can access the shared capacity reservation by attempting to view it in the Amazon EC2 console. You can also monitor for failed resource shares so that you can take corrective action before users launch instances in ways that raise your costs. For more information, see Example: Alerting on resource share failures.

Yes

Can share with any Amazon Web Services account.

Dedicated hosts

ec2:DedicatedHost

Allocate and manage Amazon EC2 dedicated hosts centrally, and share the host's instance capacity with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts launch their Amazon EC2 instances on to centrally managed dedicated hosts. For more information, see Working with shared Dedicated Hosts in the Amazon EC2 User Guide.

Yes

Can share with any Amazon Web Services account.

Placement groups

ec2:PlacementGroup

Share the placement groups you own across your Amazon Web Services accounts, both within and outside your organization. You can launch Amazon EC2 instances from any of the accounts you share with into a shared placement group. For more information, see, Share a placement group in the Amazon EC2 User Guide.

Yes

Can share with any Amazon Web Services account.

EC2 Image Builder

You can share the following EC2 Image Builder resources by using Amazon RAM.

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Components `imagebuilder:Component`	Create and manage components centrally, and share them with other Amazon Web Services accounts or your organization. Manage who can use predefined build and test components in their image recipes. For more information, see Share EC2 Image Builder resources in the EC2 Image Builder User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No
Container recipes `imagebuilder:ContainerRecipe`	Create and manage your container recipes centrally, and share them with other Amazon Web Services accounts or your organization. This allows you to manage who can use predefined documents to duplicate container image builds. For more information, see Share EC2 Image Builder resources in the EC2 Image Builder User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No
Images `imagebuilder:Image`	Create and manage your golden images centrally, and share them with other Amazon Web Services accounts or your organization. Manage who can use images created with EC2 Image Builder across your organization. For more information, see Share EC2 Image Builder resources in the EC2 Image Builder User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No
Image recipes `imagebuilder:ImageRecipe`	Create and manage your image recipes centrally, and share them with other Amazon Web Services accounts or your organization. This allows you to manage who can use predefined documents to duplicate AMI builds. For more information, see Share EC2 Image Builder resources in the EC2 Image Builder User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No

Elastic Load Balancing

You can share the following Elastic Load Balancing resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Trust stores `elasticloadbalancing:TrustStore`	Create and manage Elastic Load Balancing trust stores centrally, and share them with other Amazon Web Services accounts or your organization. Security admins can maintain a single or smaller number of trust stores and enable Mutual TLS configurations across Application Load Balancers. For more information, see Share your Elastic Load Balancing trust store for Application Load Balancers in the User Guide for Application Load Balancers.	Yes	Yes	No	No

Trust stores

elasticloadbalancing:TrustStore

Create and manage Elastic Load Balancing trust stores centrally, and share them with other Amazon Web Services accounts or your organization. Security admins can maintain a single or smaller number of trust stores and enable Mutual TLS configurations across Application Load Balancers. For more information, see Share your Elastic Load Balancing trust store for Application Load Balancers in the User Guide for Application Load Balancers.

Yes

Amazon End User Messaging SMS

You can share the following Amazon End User Messaging SMS resource by using Amazon RAM.

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Opt-out list `sms-voice:OptOutList`	Create an opt-out list and share it with other Amazon Web Services accounts in your organization. You can share the opt-out list so the other applications can opt out user's phone numbers from different Amazon Web Services accounts or they can check the status of the user's phone number. For more information, see Working with shared resources in the in Amazon End User Messaging SMS User Guide.	No	Yes Can share with any Amazon Web Services account.	Yes	No
Phone number `sms-voice:PhoneNumber`	Create and manage phone numbers to share them with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts send messages using the shared phone number. For more information, see Working with shared resources in the in Amazon End User Messaging SMS User Guide.	No	Yes Can share with any Amazon Web Services account.	Yes	Yes
Pool `sms-voice:Pool`	Create and manage pools to share them with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts send messages using the shared pool. For more information, see Working with shared resources in the in Amazon End User Messaging SMS User Guide.	No	Yes Can share with any Amazon Web Services account.	Yes	Yes
Sender ID `sms-voice:SenderId`	Create and manage sender IDs and share them with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts send messages using the shared sender ID. For more information, see Working with shared resources in the in Amazon End User Messaging SMS User Guide.	No	Yes Can share with any Amazon Web Services account.	Yes	Yes

Amazon FSx for OpenZFS

You can share the following Amazon FSx for OpenZFS resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
FSx Volume `fsx:Volume`	Create and manage FSx for OpenZFS volumes centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple accounts perform data replication using OpenZfs snapshots under shared volumes through FSx APIs `CreateVolume` or `CopySnapshotAndUpdateVolume`. For more information, see On-demand data replication in the Amazon FSx for OpenZFS User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No

FSx Volume

fsx:Volume

Create and manage FSx for OpenZFS volumes centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple accounts perform data replication using OpenZfs snapshots under shared volumes through FSx APIs CreateVolume or CopySnapshotAndUpdateVolume. For more information, see On-demand data replication in the Amazon FSx for OpenZFS User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon Glue

You can share the following Amazon Glue resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Data catalogs `glue:Catalog`	Manage a central data catalog, and share metadata about databases and tables with Amazon Web Services accounts or your organization. This enables users to run queries on data across multiple accounts. For more information, see Sharing Data Catalog Tables and Databases Across Amazon Accounts in the Amazon Lake Formation Developer Guide.	No	Yes Can share with any Amazon Web Services account.	No	No
Databases `glue:Database`	Create and manage data catalog databases centrally, and share them with Amazon Web Services accounts or your organization. Databases are collections of data catalog tables. This enables users to run queries and extract, transform, and load (ETL) jobs that can join and query data across multiple accounts. For more information, see Sharing Data Catalog Tables and Databases Across Amazon Accounts in the Amazon Lake Formation Developer Guide.	No	Yes Can share with any Amazon Web Services account.	No	No
Tables `glue:Table`	Create and manage data catalog tables centrally, and share them with Amazon Web Services accounts or your organization. Data catalog tables contain metadata about data tables in Amazon S3, JDBC data sources, Amazon Redshift, streaming sources, and other data stores. This enables users to run queries and ETL jobs that can join and query data across multiple accounts. For more information, see Sharing Data Catalog Tables and Databases Across Amazon Accounts in the Amazon Lake Formation Developer Guide.	No	Yes Can share with any Amazon Web Services account.	No	No

Data catalogs

glue:Catalog

Manage a central data catalog, and share metadata about databases and tables with Amazon Web Services accounts or your organization. This enables users to run queries on data across multiple accounts. For more information, see Sharing Data Catalog Tables and Databases Across Amazon Accounts in the Amazon Lake Formation Developer Guide.

Yes

Can share with any Amazon Web Services account.

Databases

glue:Database

Create and manage data catalog databases centrally, and share them with Amazon Web Services accounts or your organization. Databases are collections of data catalog tables. This enables users to run queries and extract, transform, and load (ETL) jobs that can join and query data across multiple accounts. For more information, see Sharing Data Catalog Tables and Databases Across Amazon Accounts in the Amazon Lake Formation Developer Guide.

Yes

Can share with any Amazon Web Services account.

Tables

glue:Table

Create and manage data catalog tables centrally, and share them with Amazon Web Services accounts or your organization. Data catalog tables contain metadata about data tables in Amazon S3, JDBC data sources, Amazon Redshift, streaming sources, and other data stores. This enables users to run queries and ETL jobs that can join and query data across multiple accounts. For more information, see Sharing Data Catalog Tables and Databases Across Amazon Accounts in the Amazon Lake Formation Developer Guide.

Yes

Can share with any Amazon Web Services account.

Amazon License Manager

You can share the following Amazon License Manager resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
License configurations `license-manager:LicenseConfiguration`	Create and manage license configurations centrally, and share them with other Amazon Web Services accounts or your organization. This lets you enforce centrally managed licensing rules that are based on the terms of your enterprise agreements across multiple Amazon Web Services accounts. For more information, see License configurations in License Manager in the License Manager User Guide.	No	Yes Can share with any Amazon Web Services account.	No	No

License configurations

license-manager:LicenseConfiguration

Create and manage license configurations centrally, and share them with other Amazon Web Services accounts or your organization. This lets you enforce centrally managed licensing rules that are based on the terms of your enterprise agreements across multiple Amazon Web Services accounts. For more information, see License configurations in License Manager in the License Manager User Guide.

Yes

Can share with any Amazon Web Services account.

Amazon Web Services Marketplace

You can share the following Amazon Web Services Marketplace resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Marketplace Catalog Entity `aws-marketplace:Entity`	Create, manage, and share entities across Amazon Web Services accounts or in your organization in Amazon Web Services Marketplace. For more information, see Resource sharing in Amazon RAM in the Amazon Marketplace Catalog API Reference.	Yes	Yes Can share with any Amazon Web Services account.	No	No

Marketplace Catalog Entity

aws-marketplace:Entity

Create, manage, and share entities across Amazon Web Services accounts or in your organization in Amazon Web Services Marketplace. For more information, see Resource sharing in Amazon RAM in the Amazon Marketplace Catalog API Reference.

Yes

Can share with any Amazon Web Services account.

Amazon Migration Hub Refactor Spaces

You can share the following Amazon Migration Hub Refactor Spaces resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Refactor Spaces Environment `refactor-spaces:Environment`	Create a Refactor Spaces environment, and use it to contain your Refactor Spaces applications. Share the environment with other Amazon Web Services accounts or all of the accounts in your organization. This lets multiple Amazon Web Services accounts and users view information about the environment and the applications in it. For more information, see Sharing Refactor Spaces environments using Amazon RAM in the Amazon Migration Hub Refactor Spaces User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No

Refactor Spaces Environment

refactor-spaces:Environment

Create a Refactor Spaces environment, and use it to contain your Refactor Spaces applications. Share the environment with other Amazon Web Services accounts or all of the accounts in your organization. This lets multiple Amazon Web Services accounts and users view information about the environment and the applications in it. For more information, see Sharing Refactor Spaces environments using Amazon RAM in the Amazon Migration Hub Refactor Spaces User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon Network Firewall

You can share the following Amazon Network Firewall resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Firewall policies `network-firewall:FirewallPolicy`	Create and manage firewall policies centrally, and share them with other Amazon Web Services accounts or your organization. This enables multiple accounts in an organization to share a common set of network monitoring, protection, and filtering behaviors. For more information, see Sharing firewall policies and rule groups in the Amazon Network Firewall Developer Guide.	Yes	Yes Can share with any Amazon Web Services account.	No	No
Rule groups `network-firewall:StatefulRuleGroup` `network-firewall:StatelessRuleGroup`	Create and manage stateless and stateful rule groups centrally, and share them with other Amazon Web Services accounts or your organization. This enables multiple accounts in an organization in Amazon Organizations to share a set of criteria for inspecting and handling network traffic. For more information, see Sharing firewall policies and rule groups in the Amazon Network Firewall Developer Guide.	Yes	Yes Can share with any Amazon Web Services account.	No	No

Firewall policies

network-firewall:FirewallPolicy

Create and manage firewall policies centrally, and share them with other Amazon Web Services accounts or your organization. This enables multiple accounts in an organization to share a common set of network monitoring, protection, and filtering behaviors. For more information, see Sharing firewall policies and rule groups in the Amazon Network Firewall Developer Guide.

Yes

Can share with any Amazon Web Services account.

Rule groups

network-firewall:StatefulRuleGroup

network-firewall:StatelessRuleGroup

Create and manage stateless and stateful rule groups centrally, and share them with other Amazon Web Services accounts or your organization. This enables multiple accounts in an organization in Amazon Organizations to share a set of criteria for inspecting and handling network traffic. For more information, see Sharing firewall policies and rule groups in the Amazon Network Firewall Developer Guide.

Yes

Can share with any Amazon Web Services account.

Amazon Outposts

You can share the following Amazon Outposts resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Outposts `outposts:Outpost`	Create and manage Outposts centrally, and share them with other Amazon Web Services accounts in your organization. This lets multiple accounts create subnets and EBS volumes on your shared, centrally managed Outposts. For more information, see Working with shared Amazon Outposts resources in the Amazon Outposts User Guide.	No	No Can share with only Amazon Web Services accounts in its own organization.	Yes	No
Local gateway route table `ec2:LocalGatewayRouteTable`	Create and manage VPC associations to a local gateway centrally, and share them with other Amazon Web Services accounts in your organization. This lets multiple accounts create VPC associations to a local gateway, and view route table and virtual interface configuration. For more information, see Shareable Outpost resources in the Amazon Outposts User Guide.	No	No Can share with only Amazon Web Services accounts in its own organization.	No	No
Sites `outposts:Site`	Create and manage Outpost sites and share them with other Amazon Web Services accounts in your organization. This lets multiple accounts create and manage Outposts at the shared site and supports split control between the Outpost resources and the site. For more information, see Working with shared Amazon Outposts resources in the Amazon Outposts User Guide.	No	Yes Can share with any Amazon Web Services account.	No	No

Outposts

outposts:Outpost

Create and manage Outposts centrally, and share them with other Amazon Web Services accounts in your organization. This lets multiple accounts create subnets and EBS volumes on your shared, centrally managed Outposts. For more information, see Working with shared Amazon Outposts resources in the Amazon Outposts User Guide.

Can share with only Amazon Web Services accounts in its own organization.

Yes

Local gateway route table

ec2:LocalGatewayRouteTable

Create and manage VPC associations to a local gateway centrally, and share them with other Amazon Web Services accounts in your organization. This lets multiple accounts create VPC associations to a local gateway, and view route table and virtual interface configuration. For more information, see Shareable Outpost resources in the Amazon Outposts User Guide.

Can share with only Amazon Web Services accounts in its own organization.

Sites

outposts:Site

Create and manage Outpost sites and share them with other Amazon Web Services accounts in your organization. This lets multiple accounts create and manage Outposts at the shared site and supports split control between the Outpost resources and the site. For more information, see Working with shared Amazon Outposts resources in the Amazon Outposts User Guide.

Yes

Can share with any Amazon Web Services account.

Amazon S3 on Outposts

You can share the following Amazon S3 on Outposts resource by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
S3 on Outpost `s3-outposts:Outpost`	Create and manage Amazon S3 buckets, access points, and endpoints on the Outpost. This lets multiple accounts create and manage Outposts at the shared site and supports split control between the Outpost resources and the site. For more information, see Working with shared Amazon Outposts resources in the Amazon Outposts User Guide.	No	No Can share with only Amazon Web Services accounts in its own organization.	Yes	No

S3 on Outpost

s3-outposts:Outpost

Create and manage Amazon S3 buckets, access points, and endpoints on the Outpost. This lets multiple accounts create and manage Outposts at the shared site and supports split control between the Outpost resources and the site. For more information, see Working with shared Amazon Outposts resources in the Amazon Outposts User Guide.

Can share with only Amazon Web Services accounts in its own organization.

Yes

Amazon Private Certificate Authority

You can share the following Amazon Private CA resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Private certificate authority (CA) `acm-pca:CertificateAuthority`	Create and manage private certificate authorities (CAs) for your organization’s internal public key infrastructure (PKI), and share those CAs with other Amazon Web Services accounts or your organization. This lets Amazon Certificate Manager users in other accounts issue X.509 certificates signed by your shared CA. For more information, see Controlling access to a private CA in the Amazon Private Certificate Authority User Guide.	Yes	Yes Can share with any Amazon Web Services account.	No	Yes

Private certificate authority (CA)

acm-pca:CertificateAuthority

Create and manage private certificate authorities (CAs) for your organization’s internal public key infrastructure (PKI), and share those CAs with other Amazon Web Services accounts or your organization. This lets Amazon Certificate Manager users in other accounts issue X.509 certificates signed by your shared CA. For more information, see Controlling access to a private CA in the Amazon Private Certificate Authority User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon Resource Explorer

You can share the following Amazon Resource Explorer resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Views `resource-explorer-2:View`	Create and configure Resource Explorer views centrally, and share them with other Amazon Web Services accounts in your organization. This lets roles and users in multiple Amazon Web Services accounts search for and discover the resources accessible through the view. For more information, see Sharing Resource Explorer views in the Amazon Resource Explorer User Guide.	No	No Can share with only Amazon Web Services accounts in its own organization.	No	No

Views

resource-explorer-2:View

Create and configure Resource Explorer views centrally, and share them with other Amazon Web Services accounts in your organization. This lets roles and users in multiple Amazon Web Services accounts search for and discover the resources accessible through the view. For more information, see Sharing Resource Explorer views in the Amazon Resource Explorer User Guide.

Can share with only Amazon Web Services accounts in its own organization.

Amazon Resource Groups

You can share the following Amazon Resource Groups resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Resource groups `resource-groups:Group`	Create and manage a host resource group centrally, and share it with other Amazon Web Services accounts in your organization. This lets multiple Amazon Web Services accounts share a group of Amazon EC2 Dedicated Hosts created using Amazon License Manager. For more information, see Host resource groups in Amazon License Manager in the Amazon License Manager User Guide.	No	Yes Can share with any Amazon Web Services account.	No	No

Resource groups

resource-groups:Group

Create and manage a host resource group centrally, and share it with other Amazon Web Services accounts in your organization. This lets multiple Amazon Web Services accounts share a group of Amazon EC2 Dedicated Hosts created using Amazon License Manager. For more information, see Host resource groups in Amazon License Manager in the Amazon License Manager User Guide.

Yes

Can share with any Amazon Web Services account.

Amazon Route 53

You can share the following Amazon Route 53 resources by using Amazon RAM.

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Route 53 Resolver DNS Firewall rule groups `route53resolver:FirewallRuleGroup`	Create and manage Route 53 Resolver DNS Firewall rule groups centrally, and share them with other Amazon Web Services accounts or your organization. This enables multiple accounts to share a set of criteria for inspecting and handling outbound DNS queries that go through Route 53 Resolver. For more information, see Sharing Route 53 Resolver DNS Firewall rule groups between Amazon Web Services accounts in the Amazon Route 53 Developer Guide.	Yes	Yes Can share with any Amazon Web Services account.	No	No
Route 53 Profiles `route53profiles:Profile`	Create and manage Route 53 Profiles centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple accounts apply the DNS configurations specified in the Route 53 Profiles to multiple VPCs. For more information, see Amazon Route 53 Profiles in the Amazon Route 53 Developer Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No
Resolver rules `route53resolver:ResolverRule`	Create and manage Resolver rules centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple accounts forward DNS queries from their virtual private clouds (VPCs) to the target IP addresses defined in shared, centrally managed Resolver rules. For more information, see Sharing Resolver rules with other Amazon Web Services accounts and using shared rules in the Amazon Route 53 Developer Guide.	No	Yes Can share with any Amazon Web Services account.	No	No
Query logs `route53resolver:ResolverQueryLogConfig`	Create and manage query logs centrally, and share them with other Amazon Web Services accounts or your organization. This enables multiple Amazon Web Services accounts to log DNS queries that originate in their VPCs to a centrally managed query log. For more information, see Sharing Resolver query logging configurations with other Amazon Web Services accounts in the Amazon Route 53 Developer Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No

Amazon Simple Storage Service

You can share the following Amazon Simple Storage Service resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Access Grants `s3:AccessGrants`	Create and manage S3 Access Grants Instance centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple accounts view and delete shared resources. For more information, see S3 Access Grants Cross-account Access in the Amazon Simple Storage Service User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	Yes

Access Grants

s3:AccessGrants

Create and manage S3 Access Grants Instance centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple accounts view and delete shared resources. For more information, see S3 Access Grants Cross-account Access in the Amazon Simple Storage Service User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon SageMaker AI

You can share the following Amazon SageMaker AI resources by using Amazon RAM.

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
SageMaker AI Catalog `sagemaker:SagemakerCatalog`	For discoverability – allows account owners to grant discoverability permissions to other accounts, for all feature group resources in the SageMaker AI catalog. Once granted access, users of those accounts can view the feature groups that have been shared with them from the catalog. For more information, see Cross-account feature group discoverability and access in the Amazon SageMaker AI Developer Guide. Note Discoverability and access are separate permissions in SageMaker AI.	No	Yes Can share with any Amazon Web Services account.	Yes	No
SageMaker AI Feature group `sagemaker:FeatureGroup`	For access – allows account owners to grant access permissions to other accounts, for select feature group resources. Once granted access, users of those accounts can use the feature groups that have been shared with them. For more information, see Cross-account feature group discoverability and access in the Amazon SageMaker AI Developer Guide. Note Discoverability and access are separate permissions in SageMaker AI.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No
SageMaker AI JumpStart `sagemaker:Hub`	With Amazon SageMaker AI JumpStart, you can create and manage `sagemaker:Hub` centrally, and share them with other Amazon Web Services accounts in the same organization. For more information, see Control foundation model access using private curated hubs in Amazon SageMaker AI JumpStart in the Amazon SageMaker AI Developer Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No
Lineage group `sagemaker:LineageGroup`	Amazon SageMaker AI lets you create lineage groups of your pipeline metadata to get a deeper understanding of its history and relationships. Share the lineage group with other Amazon Web Services accounts or the accounts in your organization. This lets multiple Amazon Web Services accounts and users view information about the lineage group and query the tracking entities within it. For more information, see Cross-Account Lineage Tracking in the Amazon SageMaker AI Developer Guide.	Yes	Yes Can share with any Amazon Web Services account.	No	No
SageMaker AI Model Cards `sagemaker:ModelCard`	Amazon SageMaker AI creates Model Cards to document critical details about your machine learning (ML) models in a single place for streamlined governance and reporting. Share your Model Cards with other Amazon Web Services accounts or the accounts in your organization to achieve a multi-account strategy for your machine learning operations. This allows Amazon Web Services accounts to share the model cards access for their ML activities to other accounts. For more information, see Amazon SageMaker AI Model Cards in the Amazon SageMaker AI Developer Guide.	Yes	Yes Can share with any Amazon Web Services account.	No	No
SageMaker AI Model Registry Model Package Group `sagemaker:model-package-group`	With Amazon SageMaker AI Model Registry, you can create and manage `sagemaker:model-package-group` centrally, and share them with other Amazon Web Services accounts to register model versions. For more information, see Amazon SageMaker AI Model Registry in the Amazon SageMaker AI Developer Guide.	Yes	Yes	Yes	No
SageMaker AI pipeline `sagemaker:Pipeline`	With Amazon SageMaker AI Model Building Pipelines, you can create, automate, and manage end-to-end machine learning workflows at scale. Share your pipelines with other Amazon Web Services accounts or the accounts in your organization to achieve a multi-account strategy for your machine learning operations. This lets multiple Amazon Web Services accounts and users view information about a pipeline and its executions with optional access to start, stop, and retry pipelines from other accounts. For more information, see Cross-Account Support for SageMaker AI Pipelines in the Amazon SageMaker AI Developer Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No

Amazon Service Catalog AppRegistry

You can share the following Amazon Service Catalog AppRegistry resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Application `servicecatalog:Applications`	Create an application, and use it to track the resources belonging to that application throughout your Amazon environment. Share the application with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts and users view information about the application and associated resources with it locally. For more information, see Creating applications in the Service Catalog User Guide.	No	No Can share with only Amazon Web Services accounts in its own organization.	Yes	No
Attribute Group `servicecatalog:AttributeGroups`	Create an attribute group, and use it to store meta-data relating to your applications. Share the attribute groups with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts and users view information about the attribute groups. For more information, see Creating attribute groups in the Service Catalog User Guide.	No	No Can share with only Amazon Web Services accounts in its own organization.	Yes	No

Application

servicecatalog:Applications

Create an application, and use it to track the resources belonging to that application throughout your Amazon environment. Share the application with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts and users view information about the application and associated resources with it locally. For more information, see Creating applications in the Service Catalog User Guide.

Can share with only Amazon Web Services accounts in its own organization.

Yes

Attribute Group

servicecatalog:AttributeGroups

Create an attribute group, and use it to store meta-data relating to your applications. Share the attribute groups with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts and users view information about the attribute groups. For more information, see Creating attribute groups in the Service Catalog User Guide.

Can share with only Amazon Web Services accounts in its own organization.

Yes

Amazon Systems Manager Incident Manager

You can share the following Amazon Systems Manager Incident Manager resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Contacts `ssm-contacts:Contact`	Create and manage contacts and escalation plans centrally, and share the contact details with other Amazon Web Services accounts or your organization. This lets many Amazon Web Services accounts view engagements occurring during an incident. Note Currently, the ability to add a contact that's shared from another account to an incident response plan is not supported. For more information, see Working with shared contacts and response plans in the Amazon Systems Manager Incident Manager User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No
Response plans `ssm-incidents:ResponsePlan`	Create and manage response plans centrally, and share them with other Amazon Web Services accounts or your organization. This lets those Amazon Web Services accounts connect Amazon CloudWatch alarms and Amazon EventBridge event rules to response plans, automatically creating an incident when it’s detected. The incident also has access to the metrics of these other Amazon Web Services accounts. For more information, see Working with shared contacts and response plans in the Amazon Systems Manager Incident Manager User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No

Contacts

ssm-contacts:Contact

Create and manage contacts and escalation plans centrally, and share the contact details with other Amazon Web Services accounts or your organization. This lets many Amazon Web Services accounts view engagements occurring during an incident.

Note

Currently, the ability to add a contact that's shared from another account to an incident response plan is not supported.

For more information, see Working with shared contacts and response plans in the Amazon Systems Manager Incident Manager User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Response plans

ssm-incidents:ResponsePlan

Create and manage response plans centrally, and share them with other Amazon Web Services accounts or your organization. This lets those Amazon Web Services accounts connect Amazon CloudWatch alarms and Amazon EventBridge event rules to response plans, automatically creating an incident when it’s detected. The incident also has access to the metrics of these other Amazon Web Services accounts. For more information, see Working with shared contacts and response plans in the Amazon Systems Manager Incident Manager User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon Systems Manager

You can share the following Amazon Systems Manager resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Deny-access policy `ssm:Document`	Create an approval policy for just-in-time node access with Systems Manager. A deny-access policy explicitly prevents the auto-approval of access requests to the nodes you specify. Share the deny-access policy with other Amazon Web Services accounts or your organization. This ensures your deny-access policy for just-in-time node access applies to all accounts in your organization. For more information, see Just-in-time node access using Systems Manager in the Amazon Systems Manager User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No
Parameter `ssm:Parameter`	Create a parameter, and use it to store configuration data that you can reference in your scripts, commands, SSM documents, and configuration and automation workflows. Share the parameter with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts and users view information about the string and improve security by separating your data from your code. For more information, see Working with shared parameters in the Amazon Systems Manager User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No

Deny-access policy

ssm:Document

Create an approval policy for just-in-time node access with Systems Manager. A deny-access policy explicitly prevents the auto-approval of access requests to the nodes you specify. Share the deny-access policy with other Amazon Web Services accounts or your organization. This ensures your deny-access policy for just-in-time node access applies to all accounts in your organization. For more information, see Just-in-time node access using Systems Manager in the Amazon Systems Manager User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Parameter

ssm:Parameter

Create a parameter, and use it to store configuration data that you can reference in your scripts, commands, SSM documents, and configuration and automation workflows. Share the parameter with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts and users view information about the string and improve security by separating your data from your code. For more information, see Working with shared parameters in the Amazon Systems Manager User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon VPC

You can share the following Amazon Virtual Private Cloud (Amazon VPC) resources by using Amazon RAM.

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Customer-owned IPv4 addresses `ec2:CoipPool`	During the Amazon Outposts installation process, Amazon creates an address pool, known as a customer-owned IP address pool, based on information that you provide about your on-premises network. Customer-owned IP addresses provide local, or external connectivity to resources in your Outposts subnets through your on-premises network. You can assign these addresses to resources on your Outpost, such as EC2 instances, using Elastic IP addresses or using the subnet setting that automatically assigns customer-owned IP addresses. For more information, see Customer-owned IP addresses in the Amazon Outposts User Guide.	No	No Can share with only Amazon Web Services accounts in its own organization.	No	No
IP Address Manager (IPAM) pools `ec2:IpamPool`	Share Amazon VPC IPAM pools centrally with other Amazon Web Services accounts, IAM roles or users, or an entire organization or organizational unit (OU) in Amazon Organizations. This lets those principals allocate CIDRs from the pool to Amazon resources, such as VPCs, in their respective accounts. For more information, see Share an IPAM pool using Amazon RAM in the Amazon VPC IP Address Manager User Guide.	Yes	Yes Can share with any Amazon Web Services account.	Yes	No
IP Address Manager (IPAM) resource discoveries `ec2:IpamResourceDiscovery`	Share resource discoveries with other Amazon Web Services accounts. A resource discovery is an Amazon VPC IPAM component that enables IPAM to manage and monitor resources that belong to the owning account. For more information, see Work with resource discoveries in the Amazon VPC IPAM User Guide.	No	Yes Can share with any Amazon Web Services account.	No	No
Prefix lists `ec2:PrefixList`	Create and manage prefix lists centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts reference prefix lists in their resources, such as VPC security groups and subnet route tables. For more information, see Working with shared prefix lists in the Amazon VPC User Guide.	No	Yes Can share with any Amazon Web Services account.	No	No
Subnets `ec2:Subnet`	Create and manage subnets centrally, and share them with Amazon Web Services accounts within your organization. This lets multiple Amazon Web Services accounts launch their application resources into centrally managed VPCs. These resources include Amazon EC2 instances, Amazon Relational Database Service (RDS) databases, Amazon Redshift clusters, and Amazon Lambda functions. For more information, see Working with VPC sharing in the Amazon VPC User Guide. Note To include a subnet when you create a resource share, you must have the `ec2:DescribeSubnets` and `ec2:DescribeVpcs` permissions, in addition to `ram:CreateResourceShare`. Default subnets are not shareable. You can share only subnets you create yourself.	No	No Can share with only Amazon Web Services accounts in its own organization.	No	No
Security groups `ec2:SecurityGroup`	Create and manage security groups centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts associate the security group with their Elastic network interfaces. For more information, see Share a security group in the Amazon VPC User Guide.	Yes	No Can share with only Amazon Web Services accounts in its own organization.	Yes	No
Traffic mirror targets `ec2:TrafficMirrorTarget`	Create and manage traffic mirror targets centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts send mirrored network traffic from traffic mirror sources in their accounts to a shared, centrally managed traffic mirror target. For more information, see Cross-account traffic mirroring targets in the Traffic Mirroring Guide.	No	Yes Can share with any Amazon Web Services account.	No	No
Transit gateways `ec2:TransitGateway`	Create and manage transit gateways centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts route traffic between their VPCs and on-premises networks through a shared, centrally managed transit gateway. For more information, see Sharing a transit gateway in the Amazon VPC Transit Gateways. Note To include a transit gateway when you create a resource share, you must have the `ec2:DescribeTransitGateway` permission in addition to `ram:CreateResourceShare`.	No	Yes Can share with any Amazon Web Services account.	No	No
Transit gateway multicast domains `ec2:TransitGatewayMulticastDomain`	Create and manage transit gateway multicast domains centrally, and share them with other Amazon Web Services accounts or your organization. This lets multiple Amazon Web Services accounts register and deregister group members or group sources in the multicast domain. For more information, see Working with shared multicast domains in the Transit Gateways Guide.	No	Yes Can share with any Amazon Web Services account.	No	No
Amazon Verified Access group `ec2:VerifiedAccessGroup`	Create and manage Amazon Verified Access groups centrally, and then share them with other Amazon Web Services accounts or your organization. This lets applications in multiple accounts use a single, shared set of Amazon Verified Access endpoints. For more information, see Share your Amazon Verified Access group through Amazon Resource Access Manager in the Amazon Verified Access User Guide.	Yes	Yes Can share with any Amazon Web Services account.	No	No

Amazon VPC Lattice

You can share the following Amazon VPC Lattice resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Amazon VPC Lattice resource configuration `vpc-lattice:ResourceConfiguration`	Create a resource configuration in Amazon VPC Lattice to share VPC resources across accounts and VCPs. In the resource configuration, you identify who can access that resource and specify the resource gateway through which you want to share the resource. Consumers can access the VPC resource through a resource VPC endpoint that they create in Amazon PrivateLink. For more information, see Access VPC resources through Amazon PrivateLink in the Amazon PrivateLink User Guide and Resource configuration for VPC resources in the VPC Lattice User Guide.	No	Yes Can share with any Amazon Web Services account.	Yes	No
Amazon VPC Lattice service `vpc-lattice:Service`	Create and manage Amazon VPC Lattice services centrally, and share them with individual Amazon Web Services accounts or your organization. This allows service owners to connect, secure, and observe service-to-service communication in a multi-account environment. For more information, see Working with shared resources in the VPC Lattice User Guide.	No	Yes Can share with any Amazon Web Services account.	Yes	No
Amazon VPC Lattice service network `vpc-lattice:ServiceNetwork`	Create and manage Amazon VPC Lattice service networks centrally, and share them with individual Amazon Web Services accounts or your organization. This allows service network owners to connect, secure, and observe service-to-service communication in a multi-account environment. For more information, see Working with shared resources in the Amazon VPC Lattice User Guide.	No	Yes Can share with any Amazon Web Services account.	Yes	No

Amazon VPC Lattice resource configuration

vpc-lattice:ResourceConfiguration

Create a resource configuration in Amazon VPC Lattice to share VPC resources across accounts and VCPs. In the resource configuration, you identify who can access that resource and specify the resource gateway through which you want to share the resource. Consumers can access the VPC resource through a resource VPC endpoint that they create in Amazon PrivateLink. For more information, see Access VPC resources through Amazon PrivateLink in the Amazon PrivateLink User Guide and Resource configuration for VPC resources in the VPC Lattice User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon VPC Lattice service

vpc-lattice:Service

Create and manage Amazon VPC Lattice services centrally, and share them with individual Amazon Web Services accounts or your organization. This allows service owners to connect, secure, and observe service-to-service communication in a multi-account environment. For more information, see Working with shared resources in the VPC Lattice User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon VPC Lattice service network

vpc-lattice:ServiceNetwork

Create and manage Amazon VPC Lattice service networks centrally, and share them with individual Amazon Web Services accounts or your organization. This allows service network owners to connect, secure, and observe service-to-service communication in a multi-account environment. For more information, see Working with shared resources in the Amazon VPC Lattice User Guide.

Yes

Can share with any Amazon Web Services account.

Yes

Amazon Cloud WAN

You can share the following Amazon Cloud WAN resources by using Amazon RAM.

Resource type and code Use case Can share with IAM users and roles Can share with accounts outside its organization Can use customer managed permissions Can share with service principals

Resource type and code	Use case	Can share with IAM users and roles	Can share with accounts outside its organization	Can use customer managed permissions	Can share with service principals
Cloud WAN core network `networkmanager:CoreNetwork`	Create and manage a Cloud WAN core network centrally, and share it with other Amazon Web Services accounts. This lets multiple Amazon Web Services accounts access and provision hosts on a single Cloud WAN core network. For more information, see Share a core network in the Amazon Cloud WAN User Guide.	Yes	Yes Can share with any Amazon Web Services account.	No	No

Cloud WAN core network

networkmanager:CoreNetwork

Create and manage a Cloud WAN core network centrally, and share it with other Amazon Web Services accounts. This lets multiple Amazon Web Services accounts access and provision hosts on a single Cloud WAN core network. For more information, see Share a core network in the Amazon Cloud WAN User Guide.

Yes

Can share with any Amazon Web Services account.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Availability Zone IDs

Managing permissions in Amazon RAM