What is Amazon Resource Access Manager?
Amazon Resource Access Manager (Amazon RAM) helps you securely share your resources across Amazon Web Services accounts, within your organization or organizational units (OUs), and with Amazon Identity and Access Management (IAM) roles and users for supported resource types. If you have multiple Amazon Web Services accounts, you can create a resource once and use Amazon RAM to make that resource usable by those other accounts. If your account is managed by Amazon Organizations, you can share resources with all the other accounts in the organization or only those accounts contained by one or more specified organizational units (OUs). You can also share with specific Amazon Web Services accounts by account ID, regardless of whether the account is part of an organization. Some supported resource types also let you share them with specified IAM roles and users.
Benefits of Amazon RAM
Why use Amazon RAM? It offers the following benefits:
- Reduces your operational overhead – Create a resource once, and then use Amazon RAM to share that resource with other accounts. This eliminates the need to provision duplicate resources in every account, which reduces operational overhead. Within the account that owns the resource, Amazon RAM simplifies granting access to every role and user in that account without having to use identity-based permission policies.
- Provides security and consistency – Simplify security management for your shared resources by using a single set of policies and permissions. If you were to instead create duplicate resources in all your separate accounts, you would have the task of implementing identical policies and permissions, and then have to keep them identical across all those accounts. Instead, all users of an Amazon RAM resource share are managed by a single set of policies and permissions. Amazon RAM offers a consistent experience for sharing different types of Amazon resources.
- Provides visibility and auditability – View the usage details for your shared resources through the integration of Amazon RAM with Amazon CloudWatch and Amazon CloudTrail. Amazon RAM provides comprehensive visibility into shared resources and accounts.
What about cross-account access with resource-based policies?
You can share some types of Amazon resources with other Amazon Web Services accounts by attaching a resource-based policy that identifies Amazon Identity and Access Management (IAM) principals (IAM roles and users) outside of your Amazon Web Services account. However, sharing a resource by attaching a policy doesn't take advantage of the additional benefits that Amazon RAM provides. By using Amazon RAM you get the following features:
- You can share with an organization or an organizational unit (OU) without having to enumerate every one of the Amazon Web Services account IDs.
- Users can see the resources shared with them directly in the originating Amazon Web Services service console and API operations as if those resources were directly in the user's account. For example, if you use Amazon RAM to share an Amazon VPC subnet with another account, users in that account can see the subnet in the Amazon VPC console and in the results of Amazon VPC API operations performed in that account. Resources shared by attaching a resource-based policy aren't visible this way; instead, you have to discover and explicitly refer to the resource by its Amazon Resource Name (ARN).
- The owners of a resource can see which principals have access to each individual resource that they have shared.
- If you share resources with an account that isn't part of your organization, then Amazon RAM initiates an invitation process. The recipient must accept the invitation before that principal can access the shared resources. After you turn on the ability to share within your organization, sharing with accounts in the organization doesn't require invitations.
If you have resources that you have shared by using a resource-based permission policy, you can promote those resources to fully Amazon RAM managed resources by doing either of the following:
- Use the PromoteResourceShareCreatedFromPolicy API operation.
- Use the API operation's equivalent, which is the Amazon Command Line Interface (Amazon CLI) promote-resource-share-created-from-policy command.
How resource sharing works
When you share a resource in the owning account with another Amazon Web Services account, the consuming account, you are granting access for principals in the consuming account to the shared resource. Any policies and permissions that apply to roles and users in the consuming account also apply to the shared resource. The resources in the share look like they're native resources in the Amazon Web Services accounts you shared them with.
You can share both global and Regional resources. For more information, see Sharing Regional resources compared to global resources.
Sharing your resources
With Amazon RAM, you share resources that you own by creating a resource share. To create a resource share, you specify the following:
- The Amazon Web Services Region in which you want to create the resource share. In the console, you choose from the Region dropdown menu in the upper-right corner of the console. In the Amazon CLI, you use the --region parameter.
  - A resource share can contain only Regional resources that are in the same Amazon Web Services Region as the resource share.
  - A resource share can contain global resources only if the resource share is in the designated home Region for global resources, US East (N. Virginia), us-east-1.
- A name for the resource share.
- The list of resources that you want to grant access to as part of this resource share.
- The principals to which you grant access to the resource share. Principals can be individual Amazon Web Services accounts, the accounts in an organization or an organizational unit (OU) in Amazon Organizations, or individual Amazon Identity and Access Management (IAM) roles or users.
  Note: Not all resource types can be shared with IAM roles and users. For information about resources that you can share with these principals, see Shareable Amazon resources.
- A managed permission to associate with each resource type that you include in a resource share. The managed permission determines what the principals in the other accounts can do with the resources in the resource share. The behavior of the permission depends on the type of principal:
  - If the principal is in a different account from the one that owns the resource, then the permissions attached to the resource share are the maximum permissions available to be granted to roles and users in those accounts. The administrator of those accounts must then grant individual roles and users access to the shared resource with IAM identity-based policies. The permissions granted in those policies can't exceed those defined in permissions attached to the resource share.
The resource owning account retains full ownership of the resources that it shares.
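The Region rules above are easy to get wrong when a share mixes Regional and global resources, so here is an added example (written for this page, not AWS's own code) that checks a planned share against them and assembles the matching create-resource-share CLI call. All ARNs, account IDs and the permission name are constructed placeholders.

```python
import re

# Added example for this page, not AWS's own code. It checks a planned resource
# share against the Region rules above and then assembles the matching
# `aws ram create-resource-share` invocation. All ARNs and IDs are constructed.
GLOBAL_HOME_REGION = "us-east-1"
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:([^:]*):[^:]*:.+$")  # group 1 = Region field

def arn_region(arn: str) -> str:
    """Return the Region field of an ARN; global resources leave it empty."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn}")
    return m.group(1)

def validate_share_regions(share_region: str, resource_arns) -> list:
    """Return human-readable problems; an empty list means the plan is valid."""
    problems = []
    for arn in resource_arns:
        region = arn_region(arn)
        if region == "" and share_region != GLOBAL_HOME_REGION:
            problems.append(f"{arn}: global resource, share must be in {GLOBAL_HOME_REGION}")
        elif region and region != share_region:
            problems.append(f"{arn}: Regional resource in {region}, share is in {share_region}")
    return problems

def build_create_command(share_region, name, resource_arns, principals, permission_arns):
    """Build the CLI argv for the share; refuse to if the Region check fails."""
    problems = validate_share_regions(share_region, resource_arns)
    if problems:
        raise ValueError("; ".join(problems))
    return ["aws", "ram", "create-resource-share", "--region", share_region,
            "--name", name, "--resource-arns", *resource_arns,
            "--principals", *principals, "--permission-arns", *permission_arns]

# Constructed sample input: one Regional subnet and one global resource
SUBNET_ARN = "arn:aws:ec2:us-west-2:111122223333:subnet/subnet-0123456789abcdef0"
GLOBAL_ARN = "arn:aws:networkmanager::111122223333:core-network/core-network-0123456789abcdef0"
OU_PRINCIPAL = "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-examplerootid111-exampleouid111"
PERMISSION_ARN = "arn:aws:ram::aws:permission/EXAMPLE-MANAGED-PERMISSION"  # placeholder name

if __name__ == "__main__":
    print(" ".join(build_create_command("us-west-2", "shared-subnets", [SUBNET_ARN],
                                        [OU_PRINCIPAL], [PERMISSION_ARN])))
    print(validate_share_regions("us-west-2", [GLOBAL_ARN]))
```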
Using shared resources
When the owner of a resource shares it with your account, you can access the shared resource just as you would if your account owned it. You can access the resource by using the relevant service's console, Amazon CLI commands, and API operations. The API operations that principals in your account are allowed to perform vary depending on the resource type and are specified by the Amazon RAM permission attached to the resource share. All IAM policies and service control policies configured in your account also continue to apply, which enables you to make use of your existing investments in security and governance controls.
When you access a shared resource using that resource's service, you have the same abilities and limitations as the Amazon Web Services account that owns the resource.
- If the resource is Regional, then you can access it from only the Amazon Web Services Region in which it exists in the owning account.
- If the resource is global, then you can access it from any Amazon Web Services Region that the resource's service console and tools support. You can view and manage the resource share and its global resources in the Amazon RAM console and tools only in the designated home Region, US East (N. Virginia), us-east-1.
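The two sections above describe a layered model: the managed permission on the share is the ceiling, and the consuming account's identity-based policies and SCPs narrow it further. The following added example (written for this page, not an AWS policy evaluator) models that intersection with IAM-style wildcard matching so that an administrator can check what a principal can actually do with a shared resource. The action lists are constructed.

```python
from fnmatch import fnmatchcase

# Added example for this page, not AWS's own policy evaluator. It models the
# rule above: a consuming-account principal can use only the actions that the
# resource share's managed permission grants AND its own identity-based policy
# allows (with no explicit Deny) AND every SCP in the account's chain allows.
def _matches(action: str, patterns) -> bool:
    """IAM-style action matching: '*' and '?' wildcards, case-insensitive names."""
    action = action.lower()
    return any(fnmatchcase(action, p.lower()) for p in patterns)

def effective_actions(managed_permission, identity_allow, identity_deny=(), scps=(("*",),)):
    """Return the sorted list of actions the principal can actually perform.

    managed_permission: actions granted by the managed permission (the ceiling)
    identity_allow/identity_deny: Allow and Deny action patterns from the
        principal's identity-based policies in the consuming account
    scps: one sequence of Allow patterns per SCP that applies to the account
    """
    allowed = []
    for action in managed_permission:
        if not _matches(action, identity_allow):
            continue  # the consuming account's administrator never granted it
        if _matches(action, identity_deny):
            continue  # an explicit Deny always wins
        if not all(_matches(action, scp) for scp in scps):
            continue  # some SCP in the chain does not allow it
        allowed.append(action)
    return sorted(allowed)

# Constructed sample: a subset of actions a subnet managed permission might grant
SUBNET_PERMISSION = ["ec2:RunInstances", "ec2:CreateNetworkInterface", "ec2:DescribeSubnets"]

if __name__ == "__main__":
    # Identity policy grants all of EC2, yet the ceiling keeps it to the share's actions
    print(effective_actions(SUBNET_PERMISSION, ["ec2:*", "ec2:DeleteSubnet"]))
    # A read-only SCP narrows the same principal down to the Describe action
    print(effective_actions(SUBNET_PERMISSION, ["ec2:*"], scps=[["ec2:Describe*"]]))
```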
Accessing Amazon RAM
You can work with Amazon RAM in any of the following ways:
- Amazon RAM console: Amazon RAM provides a web-based user interface, the Amazon RAM console. If you've signed up for an Amazon Web Services account, you can access the Amazon RAM console by signing into the Amazon Web Services Management Console and choosing Amazon RAM from the console home page. You can also navigate in your browser directly to the Amazon RAM console. If you aren't already signed in, then you're asked to do so before the console appears.
- Amazon CLI and Tools for Windows PowerShell: The Amazon CLI and Amazon Tools for PowerShell provide direct access to the Amazon RAM public API operations. Amazon supports these tools on Windows, macOS, and Linux. For more information about getting started, see the Amazon Command Line Interface User Guide, or the Amazon Tools for Windows PowerShell User Guide. For more information about the commands for Amazon RAM, see the Amazon CLI Command Reference or the Amazon Tools for Windows PowerShell Cmdlet Reference.
- Amazon SDKs: Amazon provides API commands for a broad set of programming languages. For more information about getting started, see the Amazon SDKs and Tools Reference Guide.
- Query API: If you don't use one of the supported programming languages, then the Amazon RAM HTTPS Query API gives you programmatic access to Amazon RAM and Amazon. With the Amazon RAM API, you can issue HTTPS requests directly to the service. When you use the Amazon RAM API, you must include code to digitally sign requests using your credentials. For more information, see the Amazon RAM API Reference.
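The signing step that the Query API item mentions is the part callers most often get wrong without an SDK, so here is an added example (written for this page, not taken from the AWS SDKs or this guide) that derives Signature Version 4 headers for a POST to the RAM endpoint. The access key, secret key, timestamp and request body are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Added example for this page, not AWS SDK code. It produces Signature Version 4
# headers for a direct HTTPS request to the RAM API. The credentials and the
# timestamp are constructed placeholders; the request shape (POST to
# /createresourceshare with a JSON body) follows the RAM REST-JSON API.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                        # placeholder
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"    # placeholder
REGION, SERVICE = "us-east-1", "ram"
HOST = f"{SERVICE}.{REGION}.amazonaws.com"
EXAMPLE_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed for reproducibility

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_ram_request(path: str, body: dict, when: datetime) -> dict:
    """Return the HTTP headers, including Authorization, for a signed POST."""
    payload = json.dumps(body, separators=(",", ":")).encode()
    amz_date, date_stamp = when.strftime("%Y%m%dT%H%M%SZ"), when.strftime("%Y%m%d")
    payload_hash = _sha256_hex(payload)
    # 1. Canonical request: method, path, query, headers, signed header list, payload hash
    signed_headers = "content-type;host;x-amz-date"
    canonical_headers = f"content-type:application/json\nhost:{HOST}\nx-amz-date:{amz_date}\n"
    canonical_request = "\n".join(["POST", path, "", canonical_headers, signed_headers, payload_hash])
    # 2. String to sign binds the request hash to the date, Region and service scope
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode())])
    # 3. Derive a per-day, per-Region, per-service key; the secret key itself is never sent
    k_date = _hmac(("AWS4" + SECRET_KEY).encode(), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, REGION), SERVICE), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "Content-Type": "application/json",
        "Host": HOST,
        "X-Amz-Date": amz_date,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }

if __name__ == "__main__":
    print(sign_ram_request("/createresourceshare", {"name": "example-share"}, EXAMPLE_TIME)["Authorization"])
```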
Pricing for Amazon RAM
There are no additional charges for using Amazon RAM or for creating resource shares and sharing your resources across accounts. Resource usage charges vary depending on the resource type. For more information about how Amazon bills shareable resources, see the documentation for the resource's owning service.
Compliance and international standards
PCI DSS
Amazon RAM supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS).
For more information about PCI DSS, including how to request a copy of the Amazon PCI Compliance Package, see PCI DSS Level 1.
SOC and ISO
Amazon RAM can be used for workloads subject to Service Organization Control (SOC) compliance and International Organization for Standardization (ISO) ISO 9001, ISO 27001, ISO 27017, ISO 27018, and ISO 27701 standards. Customers in finance, healthcare, and other regulated sectors can get insights into the security processes and controls that protect customer data from the SOC reports and the Amazon ISO and CSA STAR certificates, which are available in Amazon Artifact.
For more information about SOC compliance, see SOC.
For more information about ISO compliance, see ISO 9001.