Sharing your AWS resources

Summary

This article outlines how to share AWS resources with other accounts or principals. It explains how to enable sharing within AWS Organizations, create a resource share, add the resources to be shared, and specify the permissions associated with that resource type. It also explains how to add the organization, OUs, individual AWS accounts, IAM roles, and IAM users as principals to the resource share, and the considerations to take into account when sharing resources. Finally, it explains how to create a resource share using the AWS RAM console or the create-resource-share AWS CLI command.

Q&As

What is AWS RAM used for?
AWS RAM is used for sharing resources within AWS Organizations and with individual accounts.

What are the minimum permissions required to run the procedures for sharing resources?
The minimum permissions required to run the procedures for sharing resources are ram:EnableSharingWithAwsOrganization, iam:CreateServiceLinkedRole, organizations:enableAWSServiceAccess, and organizations:DescribeOrganization.

How long do users have to accept the invitation to join a resource share?
For the following resource types, users have seven days to accept the invitation to join the resource share: Amazon Aurora – DB clusters; Amazon EC2 – capacity reservations and dedicated hosts; AWS License Manager – license configurations; AWS Outposts – local gateway route tables, outposts, and sites; Amazon Route 53 – forwarding rules; and Amazon VPC – customer-owned IPv4 addresses, prefix lists, subnets, traffic mirror targets, transit gateways, and transit gateway multicast domains. For all other shared resource types, users have 12 hours to accept the invitation.

What are the implications of using "Principal": "*" in a resource-based policy for resource sharing?
When you share with an organization or an OU, and that scope includes the account that owns the resource share, all principals in the sharing account automatically get access to the resources in the share. The access granted is defined by the managed permissions associated with the share. This is because the resource-based policy that AWS RAM attaches to each resource in the share uses "Principal": "*".

What is the designated home Region for sharing global resources?
The designated home Region for sharing global resources is US East (N. Virginia), us-east-1.
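The procedure the summary describes (enable sharing with AWS Organizations, then create a resource share with its resources and principals via the create-resource-share AWS CLI command) can be scripted. The following is an added example, not code from the original article or from AWS. It assumes the aws CLI is installed and credentialed for the organization's management account when DRY_RUN is unset; with DRY_RUN=1 it only prints the commands it would run, so the share can be reviewed before anything is created. It also applies two checks from the Q&As above: the principal must be a 12-digit account ID or an organization, OU, IAM role or IAM user ARN, and any global resource (an ARN with an empty region field) must be shared from the designated home Region, us-east-1.

```shell
#!/bin/sh
# Added example (not the article's own code): drive AWS RAM sharing with the AWS CLI.
# DRY_RUN=1 prints each command instead of executing it.

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_principal: accept a 12-digit account ID or an organization, OU,
# IAM role or IAM user ARN (the principal types the article lists).
is_principal() {
    case "$1" in
        arn:aws:organizations::*:organization/*|arn:aws:organizations::*:ou/*) return 0 ;;
        arn:aws:iam::*:role/*|arn:aws:iam::*:user/*) return 0 ;;
        *) printf '%s' "$1" | grep -Eq '^[0-9]{12}$' ;;
    esac
}

# arn_region: the region field of an ARN (4th colon-separated field);
# empty for global resources.
arn_region() {
    printf '%s' "$1" | cut -d: -f4
}

# check_home_region REGION ARN...: global resources must be shared from us-east-1.
check_home_region() {
    region="$1"; shift
    for arn in "$@"; do
        if [ -z "$(arn_region "$arn")" ] && [ "$region" != "us-east-1" ]; then
            printf 'error: global resource %s must be shared from us-east-1, not %s\n' \
                "$arn" "$region" >&2
            return 1
        fi
    done
    return 0
}

# share_resources NAME REGION PRINCIPAL RESOURCE_ARN...
#   1. enable sharing with AWS Organizations (management account, once per org)
#   2. create the resource share with the given resources and principal
share_resources() {
    name="$1"; region="$2"; principal="$3"; shift 3
    is_principal "$principal" || {
        printf 'error: invalid principal %s\n' "$principal" >&2
        return 1
    }
    check_home_region "$region" "$@" || return 1
    run aws ram enable-sharing-with-aws-organization --region "$region"
    run aws ram create-resource-share --region "$region" \
        --name "$name" \
        --principals "$principal" \
        --resource-arns "$@"
}

# Usage (values below are constructed placeholders, not real resources):
# DRY_RUN=1 share_resources prefix-share us-east-1 123456789012 \
#     arn:aws:ec2:us-east-1:123456789012:prefix-list/pl-0123456789abcdef0
```

The managed permission for the resource type is not passed explicitly here, so AWS RAM applies the default managed permission for that type; add --permission-arns to select a different one. The caller still needs the permissions listed above (ram:EnableSharingWithAwsOrganization, iam:CreateServiceLinkedRole, organizations:enableAWSServiceAccess, organizations:DescribeOrganization) plus ram:CreateResourceShare.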

AI Comments

πŸ‘ This article provides a comprehensive overview of all the steps needed to share resources within AWS Organizations. The article is well-written and easy to understand, with clear instructions and helpful examples.

👎 The article is overly long and contains too much technical jargon for the average user to understand. It would be helpful to have more visuals and simplified explanations for certain topics.

AI Discussion

Me: It's about sharing AWS resources and how to enable resource sharing within AWS Organizations, create a resource share, and the considerations and requirements for doing so.

Friend: That's really interesting. It looks like there are a lot of steps that need to be taken to ensure that the resource sharing is done right. What are the implications of this article?

Me: Well, the article outlines the considerations and requirements to ensure that the resource sharing is done properly. It also mentions that some resources have special considerations and prerequisites for sharing, so it's important to be aware of those before sharing. Additionally, it's important to note that when you enable resource sharing within your organization, AWS RAM creates a service-linked role called AWSServiceRoleForResourceAccessManager, which grants AWS RAM permission to retrieve information about the organization it is a member of. Finally, when you share with an organization or OU, and that scope includes the account that owns the resource share, all principals in the sharing account automatically get access to the resources in the share.

Technical terms

AWS RAM
Amazon Web Services Resource Access Manager (AWS RAM) is a service that enables customers to share their AWS resources with any AWS account or within their AWS Organizations.
Enable resource sharing within AWS Organizations
This is a feature of AWS RAM that allows customers to share resources with all accounts in their AWS Organizations, or with specific organizational units (OUs) within their organization.
Create a resource share
This is the process of creating a resource share in AWS RAM. This involves adding the resources to be shared, specifying the permission to use for each resource type, and specifying the principals that should have access to the resources.
AWS CLI
The AWS Command Line Interface (AWS CLI) is a unified tool to manage your AWS services.
AWS Organizations
AWS Organizations is a service that enables customers to centrally manage and govern their AWS accounts.
AWSServiceRoleForResourceAccessManager
This is a service-linked role created by AWS RAM when resource sharing within an organization is enabled. This role grants AWS RAM permission to retrieve information about the organization it is a member of.
AWSResourceAccessManagerServiceRolePolicy
This is an AWS managed policy that grants permission to the AWSServiceRoleForResourceAccessManager service-linked role.
Shareable AWS resources
This is a list of AWS resources that can be shared using AWS RAM.
Identity-based permission policies
These are policies that are attached to individual principals in an AWS account. These policies grant Allow access to the ARNs of individual resources in the resource share.
