Sharing your AWS resources


To share a resource that you own by using AWS RAM, do the following:

Enable resource sharing within AWS Organizations (optional)

Create a resource share

Notes

Sharing a resource with principals outside of the AWS account that owns the resource doesn't change the permissions or quotas that apply to the resource within the account that created it.

AWS RAM is a Regional service. The principals that you share with can access resource shares in only the AWS Regions in which they were created.

Some resources have special considerations and prerequisites for sharing. For more information, see Shareable AWS resources.

Enable resource sharing within AWS Organizations

When your account is managed by AWS Organizations, you can take advantage of that to share resources more easily. With or without Organizations, a user can share with individual accounts. However, if your account is in an organization, then you can share with individual accounts, or with all accounts in the organization or in an OU without having to enumerate each account.

To share resources within an organization, you must first use the AWS RAM console or AWS Command Line Interface (AWS CLI) to enable sharing with AWS Organizations. When you share resources in your organization, AWS RAM doesn't send invitations to principals. Principals in your organization gain access to shared resources without exchanging invitations.

When you enable resource sharing within your organization, AWS RAM creates a service-linked role called AWSServiceRoleForResourceAccessManager. This role can be assumed by only the AWS RAM service, and grants AWS RAM permission to retrieve information about the organization it is a member of, by using the AWS managed policy AWSResourceAccessManagerServiceRolePolicy.

If you no longer need to share resources with your entire organization or OUs, you can disable resource sharing. For more information, see Disabling resource sharing with AWS Organizations.

Minimum permissions

To run the procedures below, you must sign in as a principal in the organization's management account that has the following permissions:

ram:EnableSharingWithAwsOrganization

iam:CreateServiceLinkedRole

organizations:enableAWSServiceAccess

organizations:DescribeOrganization

Requirements

You can perform these steps only while signed in as a principal in the organization's management account.

The organization must have all features enabled. For more information, see Enabling all features in your organization in the AWS Organizations User Guide.

Important

You must enable sharing with AWS Organizations by using the AWS RAM console or the enable-sharing-with-aws-organization AWS CLI command. This ensures that the AWSServiceRoleForResourceAccessManager service-linked role is created. If you enable trusted access with AWS Organizations by using the AWS Organizations console or the enable-aws-service-access AWS CLI command, the AWSServiceRoleForResourceAccessManager service-linked role isn't created, and you can't share resources within your organization.

To enable resource sharing within your organization (console)

Open the Settings page in the AWS RAM console.

Choose Enable sharing with AWS Organizations, and then choose Save settings.

To enable resource sharing within your organization (AWS CLI)

Use the enable-sharing-with-aws-organization command.

This command can be used in any AWS Region, and it enables sharing with AWS Organizations in all Regions in which AWS RAM is supported.


Create a resource share

To share resources that you own, create a resource share. When you create a resource share, you do the following:

Add the resources that you want to share.

For each resource type that you include in the share, specify the permission to use for that resource type. If only the default permission is available for a resource type, then AWS RAM automatically associates that permission with the resource type and there is no action for you. If more than the default AWS RAM managed permission is available for a resource type, then you must choose the permission to associate with that resource type.

Note

If the selected managed permission has multiple versions, then AWS RAM automatically attaches the default version. You can attach only the version that is designated as the default.

Specify the principals that you want to have access to the resources.

Considerations

If you later need to delete an AWS resource that you included in a share, AWS recommends that you first either remove the resource from any resource share that includes it, or delete the resource share.

The resource types that you can include in a resource share are listed at Shareable AWS resources.

You can share a resource only if you own it. You can't share a resource that's shared with you.

AWS RAM is a Regional service. When you share a resource with principals in other AWS accounts, those principals must access each resource from the same AWS Region that it was created in. For supported global resources, you can access those resources from any AWS Region that's supported by that resource's service console and tools. Note that you can view such resource shares and their global resources in the AWS RAM console and tools only in the designated home Region, US East (N. Virginia), us-east-1. For more information about AWS RAM and global resources, see Sharing Regional resources compared to global resources.

If the account you're sharing from is part of an organization in AWS Organizations and sharing within your organization is enabled, any principals in the organization that you share with are automatically granted access to the resource shares without the use of invitations. A principal in an account with whom you share outside of the context of an organization receives an invitation to join the resource share and is granted access to the shared resources only after they accept the invitation.

If the sharing is between accounts or principals that are part of an organization, then any changes to organization membership dynamically affect access to the resource share. If you add an AWS account to the organization or an OU that has access to a resource share, then that new member account automatically gets access to the resource share. The administrator of the account you shared with can then grant individual principals in that account access to the resources in that share. If you remove an account from the organization or an OU that has access to a resource share, then any principals in that account automatically lose access to resources that were accessed through that resource share. If you shared directly with a member account or with IAM roles or users in the member account and then remove that account from the organization, then any principals in that account lose access to the resources that were accessed through that resource share.

Important

When you share with an organization or an OU, and that scope includes the account that owns the resource share, all principals in the sharing account automatically get access to the resources in the share. The access granted is defined by the managed permissions associated with the share. This is because the resource-based policy that AWS RAM attaches to each resource in the share uses "Principal": "*". For more information, see Implications of using "Principal": "*" in a resource-based policy.

Principals in the other consuming accounts don't immediately get access to the share's resources. The other accounts' administrators must first attach identity-based permission policies to the appropriate principals. Those policies must grant Allow access to the ARNs of individual resources in the resource share. The permissions in those policies can't exceed those specified in the AWS RAM managed permission associated with the resource share.

You can add only the organization your account is a member of, and OUs from that organization, to your resource shares. You can't add OUs or organizations from outside your own organization to a resource share as principals. However, you can add individual AWS accounts or, for supported services, IAM roles and users from outside your organization as principals to a resource share.

Note

Not all resource types can be shared with IAM roles and users. For information about resources that you can share with these principals, see Shareable AWS resources.

For the following resource types, you have seven days to accept the invitation to join the resource share. If you don't accept the invitation before it expires, the invitation is automatically declined.

Amazon Aurora – DB clusters

Amazon EC2 – capacity reservations and dedicated hosts

AWS License Manager – License configurations

AWS Outposts – Local gateway route tables, outposts, and sites

Amazon Route 53 – Forwarding rules

Amazon VPC – Customer-owned IPv4 addresses, prefix lists, subnets, traffic mirror targets, transit gateways, transit gateway multicast domains

Important

For shared resource types not on the preceding list, you have 12 hours to accept the invitation to join the resource share. If you try to accept the invitation after 12 hours, AWS RAM fails to process the invitation and the originating account must share the resources again to generate a new invitation.

To create a resource share (console)

Open the AWS RAM console.

Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia), us-east-1. For more information about sharing global resources, see Sharing Regional resources compared to global resources. If you want to include global resources in the resource share, then you must choose the designated home Region, US East (N. Virginia), us-east-1.

If you're new to AWS RAM, choose Create a resource share from the home page. Otherwise, choose Create resource share from the Shared by me: Resource shares page.

In Step 1: Specify resource share details, do the following:

For Name, enter a descriptive name for the resource share.

Under Resources, choose resources to add to the resource share as follows:

For Select resource type, choose the type of resource to share. This filters the list of shareable resources to only those resources of the selected type.

In the resulting list of resources, select the check boxes next to the individual resources that you want to share. The selected resources move under Selected resources.

If you're sharing resources that are associated with a specific Availability Zone, then using the Availability Zone ID (AZ ID) helps you determine the relative location of these resources across accounts. For more information, see Availability Zone IDs for your AWS resources.

(Optional) To attach tags to the resource share, under Tags, enter a tag key and value. Add others by choosing Add new tag. Repeat this step as needed. These tags apply to only the resource share itself, not to the resources in the resource share.

Choose Next .

In Step 2: Associate a permission with each resource type, if more than the default AWS RAM managed permission is available, then you can choose which permission to associate with the resource type. If only the default permission is available, then AWS RAM automatically associates this permission with the resource type. For more information, see Types of AWS RAM managed permissions.

Note

If the selected permission has multiple versions, then AWS RAM automatically attaches the default version. You can attach only the version designated as the default.

To display the actions that the permission allows, expand Actions allowed by this permission.

Choose Next .

In Step 3: Choose principals to grant access, do the following:

By default, Allow sharing with anyone is selected, which means that, for those resource types that support it, you can share resources with AWS accounts that are outside of your organization. This doesn't affect resource types that can be shared only within an organization, such as Amazon VPC subnets. You can also share some supported resource types with IAM roles and users. To restrict resource sharing to only accounts and principals in your organization, choose Allow sharing only within your organization.

For Principals, do the following:

To add the organization, an organizational unit (OU), or an AWS account that is part of an organization, turn on Display organizational structure. This displays a tree view of your organization. Then, select the check box next to each principal that you want to add.

Important

When you share with an organization or an OU, and that scope includes the account that owns the resource share, all principals in the sharing account automatically get access to the resources in the share. The access granted is defined by the managed permissions associated with the share. This is because the resource-based policy that AWS RAM attaches to each resource in the share uses "Principal": "*". For more information, see Implications of using "Principal": "*" in a resource-based policy.

Principals in the other consuming accounts don't immediately get access to the share's resources. The other accounts' administrators must first attach identity-based permission policies to the appropriate principals. Those policies must grant Allow access to the ARNs of individual resources in the resource share. The permissions in those policies can't exceed those specified in the AWS RAM managed permission associated with the resource share.

If you select the organization (the ID begins with o-), then principals in all AWS accounts in the organization can access the resource share.

If you select an OU (the ID begins with ou-), then principals in all AWS accounts in that OU and its child OUs can access the resource share.

If you select an individual AWS account, then only principals in that account can access the resource share.

Note

The Display organizational structure toggle appears only if sharing with AWS Organizations is enabled and you're signed in to the management account for the organization. You can't use this method to specify an AWS account outside your organization, or an IAM role or user. Instead, you must turn off Display organizational structure and use the dropdown list and text box to enter the ID or ARN.

To specify a principal by ID or ARN, including principals that are outside of the organization, for each principal, select the principal type. Next, enter the ID (for an AWS account, organization, or OU) or ARN (for an IAM role or user), and then choose Add. The available principal types and ID and ARN formats are as follows:

AWS account – To add an AWS account, enter the 12-digit account ID. For example: 123456789012

Organization – To add all of the AWS accounts in your organization, enter the ID of the organization. For example: o-abcd1234

Organizational unit (OU) – To add an OU, enter the ID of the OU. For example: ou-abcd-1234efgh

IAM role – To add an IAM role, enter the ARN of the role. Use the following syntax: arn:partition:iam::account:role/role-name. For example: arn:aws:iam::123456789012:role/MyS3AccessRole

Note

To obtain the unique ARN for an IAM role, view the list of roles in the IAM console, use the get-role AWS CLI command, or use the GetRole API action.

IAM user – To add an IAM user, enter the ARN of the user. Use the following syntax: arn:partition:iam::account:user/user-name. For example: arn:aws:iam::123456789012:user/bob

Note

To obtain the unique ARN for an IAM user, view the list of users in the IAM console, use the get-user AWS CLI command, or use the GetUser API action.

For Selected principals, verify that the principals you specified appear in the list.

Choose Next .

In Step 4: Review and create, review the configuration details for your resource share. To change the configuration for any step, choose the link that corresponds to the step you want to go back to and make the required changes.

After you finish reviewing the resource share, choose Create resource share. It can take a few minutes for the resource and principal associations to complete. Allow this process to complete before you try to use the resource share.

You can add and remove resources and principals or apply custom tags to your resource share at any time. You can change the permission for resource types that are included in your resource share, for those types that support more than the default permission. You can delete your resource share when you no longer want to share the resources. For more information, see Share AWS resources owned by you.

To create a resource share (AWS CLI)

Use the create-resource-share command. The following command creates a resource share that is shared with all of the AWS accounts in the organization. The share contains an AWS License Manager license configuration, and it grants the default permissions for that resource type.
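The two CLI steps on this page (enable-sharing-with-aws-organization and create-resource-share), together with the principal ID and ARN formats listed under Step 3, as an added preflight script that is not part of the AWS RAM User Guide. It checks each principal's format, decides whether --allow-external-principals is needed against an assumed set of your member account IDs, reports the invitation window for a resource type, and prints (or, with DRY_RUN=0, runs) the AWS CLI commands including a get-role check for the service-linked role; the RAM resource-type names in SEVEN_DAY_TYPES and every ID and ARN in the sample are assumptions.

```python
"""Preflight helper for the AWS RAM sharing steps on this page (added example)."""
import os
import re
import subprocess
from datetime import timedelta

SLR_NAME = "AWSServiceRoleForResourceAccessManager"

# Identifier shapes from the guide's list of principal types. Format checks
# only: a match does not prove the identifier exists or belongs to your org.
PRINCIPAL_PATTERNS = {
    "account": re.compile(r"^\d{12}$"),
    "organization": re.compile(r"^o-[a-z0-9]+$"),
    "ou": re.compile(r"^ou-[a-z0-9]+-[a-z0-9]+$"),
    "iam-role": re.compile(r"^arn:[a-z0-9-]+:iam::(\d{12}):role/[\w+=,.@/-]+$"),
    "iam-user": re.compile(r"^arn:[a-z0-9-]+:iam::(\d{12}):user/[\w+=,.@/-]+$"),
}

# Resource types for which the guide gives recipients seven days to accept an
# invitation; everything else gets 12 hours. The "service:Type" strings are
# assumed here to be the names AWS RAM uses for these resource types.
SEVEN_DAY_TYPES = {
    "rds:Cluster", "ec2:CapacityReservation", "ec2:DedicatedHost",
    "license-manager:LicenseConfiguration", "outposts:Outpost", "outposts:Site",
    "ec2:LocalGatewayRouteTable", "route53resolver:ResolverRule", "ec2:CoipPool",
    "ec2:PrefixList", "ec2:Subnet", "ec2:TrafficMirrorTarget",
    "ec2:TransitGateway", "ec2:TransitGatewayMulticastDomain",
}


def principal_type(principal):
    """Classify a principal string, or raise ValueError if it matches no format."""
    for kind, pattern in PRINCIPAL_PATTERNS.items():
        if pattern.match(principal):
            return kind
    raise ValueError("unrecognised principal: %r" % principal)


def principal_account(principal):
    """Account an account-scoped principal belongs to; None for org/OU principals."""
    kind = principal_type(principal)
    if kind == "account":
        return principal
    if kind in ("iam-role", "iam-user"):
        return PRINCIPAL_PATTERNS[kind].match(principal).group(1)
    return None


def needs_external_principals(principals, org_id, member_accounts):
    """True if any account, role or user principal lies outside the organization.

    Org and OU principals must belong to your own organization (the guide says
    foreign ones cannot be added at all), so a foreign org ID is an error.
    """
    external = False
    for p in principals:
        if principal_type(p) == "organization" and p != org_id:
            raise ValueError("cannot share with another organization: %s" % p)
        acct = principal_account(p)
        if acct is not None and acct not in member_accounts:
            external = True
    return external


def invitation_window(resource_type):
    """How long a recipient outside the organization has to accept the invitation."""
    return timedelta(days=7) if resource_type in SEVEN_DAY_TYPES else timedelta(hours=12)


def enable_sharing_plan(region):
    """CLI steps for enabling sharing with AWS Organizations, with its checks."""
    return [
        # Requirement from the guide: the organization must have all features enabled.
        ["aws", "organizations", "describe-organization",
         "--query", "Organization.FeatureSet", "--output", "text"],
        # Enable through AWS RAM, not Organizations trusted access, so the SLR is created.
        ["aws", "ram", "enable-sharing-with-aws-organization", "--region", region],
        # Confirm the service-linked role the guide says this step creates.
        ["aws", "iam", "get-role", "--role-name", SLR_NAME],
    ]


def create_share_plan(name, region, resource_arns, principals, org_id, member_accounts):
    """Validated 'aws ram create-resource-share' invocation (default permissions)."""
    for p in principals:
        principal_type(p)  # raises on a malformed ID or ARN
    external = needs_external_principals(principals, org_id, member_accounts)
    return ["aws", "ram", "create-resource-share", "--region", region, "--name", name,
            "--resource-arns", *resource_arns, "--principals", *principals,
            "--allow-external-principals" if external else "--no-allow-external-principals"]


def run_plan(commands):
    """Print each command; execute it only when DRY_RUN=0 (default is a dry run)."""
    for cmd in commands:
        print(" ".join(cmd))
        if os.environ.get("DRY_RUN", "1") == "0":
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Constructed sample values: replace with your own org ID, member accounts and ARNs.
    ORG, MEMBERS, REGION = "o-abcd1234", {"111111111111", "222222222222"}, "us-east-1"
    run_plan(enable_sharing_plan(REGION))
    run_plan([create_share_plan(
        "license-config-share", REGION,
        ["arn:aws:license-manager:us-east-1:111111111111:license-configuration:lic-EXAMPLE"],
        [ORG], ORG, MEMBERS)])
    print("recipients must accept within:", invitation_window("license-manager:LicenseConfiguration"))
```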
