AWS Resource Access Manager
User Guide
AWS Resource Access Manager: User Guide
Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
What is AWS RAM? ... 1
Benefits ... 1
What about cross-account access with resource-based policies? ... 1
How resource sharing works ... 2
Sharing your resources ... 2
Using shared resources ... 3
Service quotas ... 3
Accessing AWS RAM ... 4
Pricing ... 4
PCI DSS compliance ... 4
Getting started ... 5
Sharing your resources ... 5
Enable resource sharing within AWS Organizations ... 5
Create a resource share ... 6
Using shared resources ... 10
Respond to the resource share invitation ... 10
Use the resources that are shared with you ... 11
Working with shared resources ... 12
Regional and global resources ... 12
What are the differences between Regional and global resources? ... 12
Resource shares and their Regions ... 13
Resources owned by you ... 14
Viewing resource shares you created ... 14
Creating a resource share ... 16
Updating a resource share ... 19
Viewing your shared resources ... 23
Viewing principals you share with ... 24
Viewing AWS RAM managed permissions ... 25
Updating managed permission versions ... 28
Deleting a resource share ... 29
Resources shared with you ... 30
Accepting and rejecting invitations ... 30
Viewing resource shares shared with you ... 32
Viewing resources shared with you ... 33
View principals sharing with you ... 34
Leaving a resource share ... 35
Availability Zone IDs ... 37
Shareable resources ... 40
AWS App Mesh ... 40
Amazon Aurora ... 41
AWS Certificate Manager Private Certificate Authority ... 42
AWS CodeBuild ... 44
Amazon EC2 ... 47
EC2 Image Builder ... 50
AWS Glue ... 53
AWS License Manager ... 56
AWS Migration Hub Refactor Spaces ... 57
AWS Network Firewall ... 58
AWS Outposts ... 61
Amazon S3 on Outposts ... 63
AWS Resource Groups ... 64
Amazon Route 53 ... 65
Amazon SageMaker ... 70
AWS Systems Manager Incident Manager ... 70
Amazon VPC ... 73
AWS Cloud WAN ... 86
AWS RAM managed permissions ... 87
How AWS RAM managed permissions work ... 87
Types of AWS RAM managed permissions ... 87
Security ... 89
Data protection ... 89
Identity and access management ... 90
How AWS RAM works with IAM ... 90
AWS managed policies ... 92
Example IAM policies ... 95
Example SCPs ... 96
Disable sharing with Organizations ... 99
Logging and monitoring ... 100
Monitoring using CloudWatch Events ... 100
Logging AWS RAM API calls with AWS CloudTrail ... 100
Resilience ... 102
Infrastructure security ... 102
Using the AWS SDKs ... 103
Document history ... 104
What is AWS Resource Access Manager?
AWS Resource Access Manager (AWS RAM) helps you securely share the AWS resources that you create in one AWS account with other AWS accounts. If you have multiple AWS accounts, you can create a resource once and use AWS RAM to make that resource usable by those other accounts. If your account is managed by AWS Organizations, then you can share resources with all the other accounts in the organization, or only those accounts contained by one or more specified organizational units (OUs). You can also share with specific AWS accounts by account ID, regardless of whether the account is part of an organization. Some supported resource types (p. 40) also let you share them with specified IAM roles and users.
Contents
• Benefits (p. 1)
• How resource sharing works (p. 2)
• Service quotas (p. 3)
• Accessing AWS RAM (p. 4)
• Pricing (p. 4)
• PCI DSS compliance (p. 4)
Benefits
Why use AWS RAM? It offers the following benefits:
• Reduces your operational overhead – Create a resource once, and then use AWS RAM to share that resource with other accounts. This eliminates the need to provision duplicate resources in every account, which reduces operational overhead.
• Provides security and consistency – Simplify security management for your shared resources by using a single set of policies and permissions. If you were to instead create duplicate resources in all your separate accounts, you would have the task of implementing identical policies and permissions, and then have to keep them identical across all those accounts. Instead, all users of an AWS RAM resource share are managed by a single set of policies and permissions. AWS RAM offers a consistent experience for sharing different types of AWS resources.
• Provides visibility and auditability – View the usage details for your shared resources through the integration of AWS RAM with Amazon CloudWatch and AWS CloudTrail. AWS RAM provides comprehensive visibility into shared resources and accounts.
What about cross-account access with resource-based policies?
You can share some types of AWS resources with other AWS accounts by attaching a resource-based permission policy that identifies principals outside of your AWS account. However, sharing a resource by attaching a policy doesn't take advantage of the additional benefits that AWS RAM provides. By using AWS RAM you get the following features:
• You can share with an organization or an organizational unit (OU) without having to enumerate every one of the AWS account IDs. All principals in the relevant AWS accounts automatically get access to the resources in such a resource share.
• Users can see the resources shared with them directly in the originating AWS service console and API operations as if those resources were directly in the user's account. For example, if you share an Amazon VPC subnet with another account, users in that account can see the subnet in the Amazon VPC console and in the results of Amazon VPC API operations performed in that account. Resources shared by policy aren't visible this way; instead, you have to discover and explicitly refer to the resource by its ARN.
• The owners of a resource can see which principals have access to each individual resource that they have shared.
• If you share resources with an account that isn't part of your organization, then AWS RAM initiates an invitation process. The recipient must accept the invitation before that principal can access the shared resources. Sharing within an organization doesn't require an invitation.
If you have resources that you have shared by using a resource-based permission policy, you can "promote" those resources to fully AWS RAM-managed resources by using the PromoteResourceShareCreatedFromPolicy API operation, or its CLI equivalent, promote-resource-share-created-from-policy.
How resource sharing works
When you share a resource with another AWS account, you are granting access to principals in that account to the shared resource. Any policies and permissions that apply to the account you shared the resource with also apply to the shared resource. The resources in the share look like they're native resources in the AWS accounts you shared them with.
You can share both global and Regional resources. For more information, see Sharing Regional resources compared to global resources (p. 12).
Sharing your resources
With AWS RAM, you share resources that you own by creating a resource share. To create a resource share, you specify the following:
• The AWS Region in which you want to create the resource share. In the console, you choose from the Region drop-down menu in the upper-right corner of the console. In the AWS CLI, you use the --region parameter.
• A resource share can contain only Regional resources that are in the same AWS Region as the resource share.
• A resource share can contain global resources only if the resource share is in the designated home Region, US East (N. Virginia), us-east-1.
• A name for the resource share.
• The list of resources that you want to grant access to as part of this resource share.
• The principals to which you grant access to the resource share. Principals can be individual AWS accounts, the accounts in an organization or an organizational unit (OU) in AWS Organizations, or individual AWS Identity and Access Management (IAM) roles or users.
Note
Not all resource types can be shared with IAM roles and users. For information about resources that you can share with these principals, see Shareable AWS resources (p. 40).
• The AWS RAM permission to associate with each resource type. This is an AWS managed permission policy that determines what the principals in the other accounts can do with the resources in the resource share.
Your account retains full ownership of the resources that you share.
Using shared resources
When the owner of a resource shares it with your account, you can access the shared resource just as you would if your account owned it. You can access the resource by using the relevant service's console, AWS Command Line Interface (AWS CLI) commands, and API operations. The API operations that principals in your account are allowed to perform vary depending on the resource type and are specified by the AWS RAM permission attached to the resource share. All IAM policies and service control policies configured in your account also continue to apply, which enables you to make use of your existing investments in security and governance controls.
When you access a shared resource using that resource's service, you have the same abilities and limitations as the AWS account that owns the resource.
• If the resource is Regional, then you can access it from only the AWS Region in which it exists in the owning account.
• If the resource is global, then you can access it from any AWS Region that the resource's service console and tools support. Note that you can view and manage the resource share and its global resources in the AWS RAM console and tools only in the designated home Region, US East (N. Virginia), us-east-1.
Service quotas
Your AWS account has the following limits related to AWS RAM. You can request an increase for some of these limits. To request a limit increase, contact AWS Support.
Resource                                                            Default limit
Maximum number of resource shares per AWS Region in an account      5,000
Maximum number of shared principals per AWS Region in an account    5,000
Maximum number of shared resources per AWS Region in an account     5,000
Maximum number of pending invitations per sharing account           20
• This quota applies only to sending accounts that are sharing with accounts that are not part of the same AWS Organization.
• There is no quota to limit how many pending invitations a receiving account can have.
• Invitations are not used when sharing between two accounts that are part of the same AWS Organization and resource sharing within the AWS Organization is enabled.
Accessing AWS RAM
You can work with AWS RAM in any of the following ways:
AWS RAM console
AWS RAM provides a web-based user interface, the AWS RAM console. If you've signed up for an AWS account, you can access the AWS RAM console by signing into the AWS Management Console and choosing AWS RAM from the console home page.
You can also navigate in your browser directly to the AWS RAM console. If you aren't already signed in, then you're asked to do so before the console appears.
AWS CLI and Tools for Windows PowerShell
The AWS CLI and Tools for PowerShell provide direct access to the AWS RAM public API operations.
AWS supports these tools on Windows, macOS, and Linux. For more information about getting started, see the AWS Command Line Interface User Guide, or the AWS Tools for Windows PowerShell User Guide. For more information about the commands for AWS RAM, see the AWS CLI Command Reference or the AWS Tools for Windows PowerShell Cmdlet Reference.
AWS SDKs
AWS provides API commands for a broad set of programming languages. For more information about getting started, see AWS SDKs and Tools Reference Guide.
Query API
If you don't use one of the supported programming languages, then the AWS RAM HTTPS Query API gives you programmatic access to AWS RAM and AWS. With the AWS RAM API, you can issue HTTPS requests directly to the service. When you use the AWS RAM API, you must include code to digitally sign requests using your credentials. For more information, see the AWS RAM API Reference.
Pricing
There are no additional charges for using AWS RAM or for creating resource shares and sharing your resources across accounts. Resource usage charges vary depending on the resource type. For more information about how AWS bills shareable resources, refer to the documentation for the resource's owning service.
PCI DSS compliance
AWS Resource Access Manager (AWS RAM) supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS). For more information about PCI DSS, including how to request a copy of the AWS PCI Compliance Package, see PCI DSS Level 1.
Getting started with AWS RAM
With AWS Resource Access Manager, you can share resources that you own with other individual AWS accounts. If your account is managed by AWS Organizations, you can also share resources with the other accounts in your organization. You can also use resources that were shared with you by other AWS accounts.
If you don't enable sharing within AWS Organizations, you can't share resources with your organization or with the organizational units (OU) in your organization. However, you can still share resources with individual AWS accounts in your organization. For supported resource types (p. 40), you can also share resources with individual AWS Identity and Access Management (IAM) roles or users in your organization.
In this case, these principals are treated as if they were external accounts, rather than as part of your organization. They receive an invitation to join the resource share, and they must accept the invitation to gain access to the shared resources.
Contents
• Sharing your AWS resources (p. 5)
• Using shared AWS resources (p. 10)
Sharing your AWS resources
To share a resource that you own by using AWS RAM, do the following:
• Enable resource sharing within AWS Organizations (p. 5) (optional)
• Create a resource share (p. 6)
Notes
• Sharing a resource makes it available for use by principals outside of the AWS account that created the resource. Sharing doesn't change any permissions or quotas that apply to the resource in the account that created it.
• AWS RAM is a Regional service. The principals that you share with can access resource shares in only the AWS Regions in which they were created.
• Some resources have special considerations and prerequisites for sharing. For more information, see Shareable AWS resources (p. 40).
Enable resource sharing within AWS Organizations
When your account is managed by AWS Organizations, you can take advantage of that to share resources more easily. With or without Organizations, a user can share with individual accounts. However, if your account is in an organization, then you can share with individual accounts, or with all accounts in the organization or in an OU without having to enumerate each account.
To share resources within an organization, you must first use the AWS RAM console or AWS Command Line Interface (AWS CLI) to enable sharing with AWS Organizations. When you share resources in your organization, AWS RAM doesn't send invitations to principals. Principals in your organization gain access to shared resources without exchanging invitations.
If you no longer need to share resources with your entire organization or OUs, you can disable resource sharing. For more information, see Disabling resource sharing with AWS Organizations (p. 99).
Requirements
• Only the management account can enable sharing with AWS Organizations.
• The organization must be enabled for all features. For more information, see Enabling all features in your organization in the AWS Organizations User Guide.
Important
You must enable sharing with AWS Organizations by using the AWS RAM console or the enable-sharing-with-aws-organization AWS CLI command. This ensures that the AWSServiceRoleForResourceAccessManager service-linked role is created. If you enable trusted access with AWS Organizations by using the AWS Organizations console or the enable-aws-service-access AWS CLI command, the AWSServiceRoleForResourceAccessManager service-linked role isn't created, and you can't share resources within your organization.
Console
To enable resource sharing within AWS Organizations
1. Open the Settings page in the AWS RAM console.
2. Choose Enable sharing with AWS Organizations, and then choose Save settings.
AWS CLI
To enable resource sharing within AWS Organizations
Use the enable-sharing-with-aws-organization command.
This command can be used in any AWS Region, and it enables sharing with AWS Organizations in all Regions in which AWS RAM is supported.
$ aws ram enable-sharing-with-aws-organization
{
    "returnValue": true
}
Create a resource share
To share resources that you own, create a resource share. When you create a resource share, you do the following:
1. Add the resources that you want to share.
2. For each resource type that you include in the share, specify the permission to use for that resource type.
• If only the default permission is available for a resource type, then AWS RAM automatically associates that permission with the resource type and there is no action for you.
• If more than the default AWS RAM managed permission is available for a resource type, then you must choose the permission to associate with that resource type.
3. Specify the principals that you want to have access to the resources.
Considerations
• The resource types that you can include in a resource share are listed at Shareable AWS resources (p. 40).
• You can share a resource only if you own it. You can't share a resource that's shared with you.
• AWS RAM is a Regional service. When you share a resource with principals in other AWS accounts, they must access each resource from the same AWS Region that it was created in. For supported global resources, you can access those resources from any AWS Region that's supported by that resource's service console and tools. Note that you can view such resource shares and their global resources in the AWS RAM console and tools only in the designated home Region, US East (N. Virginia), us-east-1. For more information about AWS RAM and global resources, see Sharing Regional resources compared to global resources (p. 12).
• If you're part of an organization in AWS Organizations and sharing within your organization is enabled, principals in the organization are automatically granted access to the shared resources without the use of invitations. A principal in an account with whom you share outside of the context of an organization receives an invitation to join the resource share and is granted access to the shared resources only after they accept the invitation.
• After you add an organization or an organizational unit (OU) to a resource share, changes to the accounts that are in an OU or accounts that join or leave an organization dynamically affect the resource share. For example, if you add a new account to an OU that has access to a resource share, then the new member account automatically receives access to the shared resources.
• You can add only the organization your account is a member of, and OUs from that organization to your resource shares. You can't add OUs or organizations from outside your own organization to a resource share as principals. However, you can add individual AWS accounts, IAM users, and IAM roles from outside your organization as principals to a resource share.
Note
Not all resource types can be shared with IAM roles and users. For information about resources that you can share with these principals, see Shareable AWS resources (p. 40).
Console
To create a resource share
1. Open the AWS RAM console.
2. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia), (us-east-1). For more information about sharing global resources, see Sharing Regional resources compared to global resources (p. 12). If you want to include global resources in the resource share, then you must choose the designated home Region, US East (N. Virginia), us-east-1.
3. If you're new to AWS RAM, choose Create a resource share from the home page. Otherwise, choose Create resource share from the Shared by me : Resource shares page.
4. In Step 1: Specify resource share details, do the following:
a. For Name, enter a descriptive name for the resource share.
b. Under Resources, choose resources to add to the resource share as follows:
• For Select resource type, choose the type of resource to share. This filters the list of shareable resources to only those resources of the selected type.
• In the resulting list of resources, select the check boxes next to the individual resources that you want to share. The selected resources move under Selected resources.
If you're sharing resources that are associated with a specific availability zone, then using the Availability Zone ID (AZ ID) helps you determine the relative location of these resources across accounts. For more information, see Availability Zone IDs for your AWS resources (p. 37).
c. (Optional) To attach tags to the resource share, under Tags, enter a tag key and value. Add others by choosing Add new tag. Repeat this step as needed. These tags apply to only the resource share itself, not to the resources in the resource share.
5. Choose Next.
6. In Step 2: Associate a permission with each resource type, if more than the default AWS RAM managed permission is available, then you can choose which permission to associate with the resource type. If only the default permission is available, then AWS RAM automatically associates this permission with the resource type. For more information, see Types of AWS RAM managed permissions (p. 87).
To display the actions that the permission allows, expand View the actions that are allowed by this permission.
7. Choose Next.
8. In Step 3: Choose principals to grant access, do the following:
a. By default, Allow sharing with external principals is selected, which means that you can share resources with AWS accounts that are outside of your organization. For supported resource types (p. 40), you can also share resources with IAM roles and users.
To restrict resource sharing to only principals in your organization, choose Allow sharing with principals in your organization only.
b. For Principals, do the following:
• To add the organization, an organizational unit (OU), or an AWS account that is part of an organization, turn on Display organizational structure. This displays a tree view of your organization. Then, select the check box next to each principal that you want to add.
• If you select the organization (the ID begins with o-), then all AWS accounts in the organization can access the resource share.
• If you select an OU (the ID begins with ou-), then all AWS accounts in that OU and its child OUs can access the resource share.
• If you select an individual AWS account, then only that account can access the resource share.
Note
The Display organizational structure toggle appears only if sharing with AWS Organizations is enabled and you're signed in to the management account for the organization.
You can't use this method to specify an AWS account outside your organization, or an IAM role or IAM user. Instead, you must turn off Display organizational structure and use the dropdown list and text box to enter the ID or ARN.
• To specify a principal by ID or ARN, including principals that are outside of the organization, select the principal type for each principal. Next, enter the ID (for an AWS account, organization, or OU) or ARN (for an IAM user or role), and then choose Add.
The available principal types and ID and ARN formats are as follows:
• AWS account – To add an AWS account, enter the 12-digit account ID. For example:
123456789012
• Organization – To add all of the AWS accounts in your organization, enter the ID of the organization. For example:
o-abcd1234
• Organizational unit (OU) – To add an OU, enter the ID of the OU. For example:
ou-abcd-1234efgh
• IAM role – To add an IAM role, enter the ARN of the role. Use the following syntax.
arn:partition:iam::account:role/role-name
For example:
arn:aws:iam::123456789012:role/MyS3AccessRole
Note
To obtain the unique ARN for an IAM role, view the list of roles in the IAM console, use the get-role AWS CLI command or the GetRole API action.
• IAM user – To add an IAM user, enter the ARN of the user. Use the following syntax.
arn:partition:iam::account:user/user-name
For example:
arn:aws:iam::123456789012:user/JohnDoe
Note
To obtain the unique ARN for an IAM user, view the list of users in the IAM console, use the get-user AWS CLI command or the GetUser API action.
c. For Selected principals, verify that the principals you specified appear in the list.
9. Choose Next.
10. In Step 4: Review and create, review the configuration details for your resource share. To change the configuration for any step, choose the link that corresponds to the step you want to go back to and make the required changes.
11. After you finish reviewing the resource share, choose Create resource share.
It can take a few minutes for the resource and principal associations to complete. Allow this process to complete before you try to use the resource share.
12. You can add and remove resources and principals or apply custom tags to your resource share at any time. You can change permission for resource types that are included in your resource share, for those types that support more than the default permission. You can delete your resource share when you no longer want to share the resources. For more information, see Share AWS resources owned by you (p. 14).
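The principal ID and ARN formats listed in the procedure above, applied in code. This Python script is an added example, not part of the AWS RAM User Guide: it classifies each candidate principal by the formats the guide describes and sorts the list into internal, external and rejected entries before the share is created, so the external principals that would receive invitations (and require Allow sharing with external principals) are known in advance. The organization ID, account set, OU set and principal list are constructed sample values, and classify and review_principals are hypothetical helper names.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Shapes of the principal identifiers the guide lists. The organization and
# OU patterns check only the shape of the guide's examples (o-..., ou-...-...),
# not the exact length rules the Organizations service enforces.
_ACCOUNT_ID = re.compile(r"^\d{12}$")
_ORG_ID = re.compile(r"^o-[a-z0-9]+$")
_OU_ID = re.compile(r"^ou-[a-z0-9]+-[a-z0-9]+$")
_IAM_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):(role|user)/(.+)$")


def classify(principal: str) -> Tuple[str, Optional[str]]:
    """Return (kind, owning account ID) for one principal string.

    kind is "account", "organization", "ou", "role" or "user"; the account ID
    is None for organizations and OUs. Anything else raises ValueError.
    """
    if _ACCOUNT_ID.match(principal):
        return "account", principal
    if _ORG_ID.match(principal):
        return "organization", None
    if _OU_ID.match(principal):
        return "ou", None
    match = _IAM_ARN.match(principal)
    if match:
        return match.group(3), match.group(2)
    raise ValueError(f"unrecognized principal format: {principal}")


def review_principals(
    principals: List[str], org_id: str, org_accounts: Set[str], org_ous: Set[str]
) -> Dict[str, list]:
    """Sort candidate principals into internal, external and rejected buckets.

    org_id, org_accounts and org_ous describe the sharing account's own
    organization (hypothetical inputs obtained from AWS Organizations). A
    different organization or an unknown OU is rejected, because only your own
    organization and its OUs can be principals. Accounts, roles and users whose
    account is outside the organization are external: they receive an invitation.
    """
    result: Dict[str, list] = {"internal": [], "external": [], "rejected": []}
    for principal in principals:
        try:
            kind, account = classify(principal)
        except ValueError as exc:
            result["rejected"].append((principal, str(exc)))
            continue
        if kind == "organization":
            internal = principal == org_id
        elif kind == "ou":
            internal = principal in org_ous
        else:
            internal = account in org_accounts
        if internal:
            result["internal"].append(principal)
        elif kind in ("organization", "ou"):
            result["rejected"].append((principal, f"{kind} is not part of {org_id}"))
        else:
            result["external"].append(principal)
    return result


# Constructed sample organization and a candidate principal list that mixes the
# formats the guide describes with two entries that should not pass review.
SAMPLE_ORG_ID = "o-1234abcd"
SAMPLE_ORG_ACCOUNTS = {"123456789012", "111122223333"}
SAMPLE_ORG_OUS = {"ou-abcd-1234efgh"}
SAMPLE_PRINCIPALS = [
    "123456789012",
    "444455556666",
    "o-1234abcd",
    "ou-abcd-1234efgh",
    "ou-zzzz-9999zzzz",
    "arn:aws:iam::111122223333:role/MyS3AccessRole",
    "arn:aws:iam::444455556666:user/JohnDoe",
    "arn:aws:iam::123456789012:group/Admins",  # not a principal type the guide lists
]


def sample_review() -> Dict[str, list]:
    return review_principals(
        SAMPLE_PRINCIPALS, SAMPLE_ORG_ID, SAMPLE_ORG_ACCOUNTS, SAMPLE_ORG_OUS
    )


if __name__ == "__main__":
    for bucket, entries in sample_review().items():
        print(bucket)
        for entry in entries:
            print("   ", entry)
```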
AWS CLI
To create a resource share
Use the create-resource-share command. The following command creates a resource share that is shared with all of the AWS accounts in the organization. The share contains an AWS License Manager license configuration, and it grants the default permissions for that resource type.
$ aws ram create-resource-share \
    --region us-east-1 \
    --name MyLicenseConfigShare \
    --permission-arns arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLicenseConfiguration \
    --resource-arns arn:aws:license-manager:us-east-1:123456789012:license-configuration:lic-abc123 \
    --principals arn:aws:organizations::123456789012:organization/o-1234abcd
{
    "resourceShare": {
        "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/12345678-abcd-09876543",
        "name": "MyLicenseConfigShare",
        "owningAccountId": "123456789012",
        "allowExternalPrincipals": true,
        "status": "ACTIVE",
        "creationTime": "2021-09-14T20:42:40.266000-07:00",
        "lastUpdatedTime": "2021-09-14T20:42:40.266000-07:00"
    }
}
Using shared AWS resources
To start using resources that were shared with your account using AWS Resource Access Manager, complete the following tasks.
Tasks
• Respond to the resource share invitation (p. 10)
• Use the resources that are shared with you (p. 11)
Respond to the resource share invitation
If you receive an invitation to join a resource share, you must accept it to gain access to the shared resources. If you're part of an organization in AWS Organizations and sharing in your organization is enabled, principals in your organization are automatically granted access to the shared resources. Those principals don't receive invitations.
Console
To respond to invitations
1. Open the Shared with me : Resource shares page in the AWS RAM console.
NoteA resource share is visible in only the AWS Region in which it was created. If an expected resource share doesn't appear in the console, you might need to switch to a different AWS Region using the drop-down control in the upper-right corner.
2. Review the list of resource shares to which you have been granted access.
The Status column indicates your current participation status for the resource share. The Pending status indicates that you have been added to a resource share, but you have not yet accepted or rejected the invitation.
3. To respond to the resource share invitation, select the resource share ID and choose Accept resource share to accept the invitation, or Reject resource share to decline the invitation. If you reject the invitation, you don't get access to the resources. If you accept the invitation, you gain access to the resources.
AWS CLI
To start, get a list of the resource share invitations that are available to you. The following example command was run in the us-west-2 Region, and shows that one resource share invitation is available in the PENDING state.
$ aws ram get-resource-share-invitations
{
    "resourceShareInvitations": [
        {
            "resourceShareInvitationArn": "arn:aws:ram:us-west-2:111122223333:resource-share-invitation/1234abcd-ef12-9876-5432-aaaaaa111111",
            "resourceShareName": "MyNewResourceShare",
            "resourceShareArn": "arn:aws:ram:us-west-2:111122223333:resource-share/1234abcd-ef12-9876-5432-bbbbbb222222",
            "senderAccountId": "111122223333",
            "receiverAccountId": "444455556666",
            "invitationTimestamp": "2021-09-15T15:00:32.568000-07:00",
            "status": "PENDING"
        }
    ]
}
You can use the Amazon Resource Name (ARN) of the invitation from the previous command as a parameter in the next command to accept that invitation.
$ aws ram accept-resource-share-invitation \
    --resource-share-invitation-arn arn:aws:ram:us-west-2:111122223333:resource-share-invitation/1234abcd-ef12-9876-5432-aaaaaa111111
{
    "resourceShareInvitation": {
        "resourceShareInvitationArn": "arn:aws:ram:us-west-2:111122223333:resource-share-invitation/1234abcd-ef12-9876-5432-aaaaaa111111",
        "resourceShareName": "MyNewResourceShare",
        "resourceShareArn": "arn:aws:ram:us-west-2:111122223333:resource-share/1234abcd-ef12-9876-5432-bbbbbb222222",
        "senderAccountId": "111122223333",
        "receiverAccountId": "444455556666",
        "invitationTimestamp": "2021-09-15T15:14:12.580000-07:00",
        "status": "ACCEPTED"
    }
}
The output shows that the status has changed to ACCEPTED. The resources that are included in that resource share are now available to principals in the accepting account.
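Reviewing pending invitations before accepting any of them, as an added example that is not part of the AWS RAM User Guide: the script reads the JSON printed by aws ram get-resource-share-invitations (a constructed sample in the shape shown above), keeps only PENDING invitations, and separates those from sender accounts on an allowlist from the rest, building the accept command only for the expected senders and pinning it to the Region in the invitation ARN. The allowlist, the second and third invitations, and the triage_invitations and accept_commands helpers are constructed values and hypothetical names.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape printed by `aws ram get-resource-share-invitations`:
# the guide's pending invitation, a pending one from an unexpected sender,
# and one that was already accepted.
SAMPLE_OUTPUT = json.dumps({
    "resourceShareInvitations": [
        {
            "resourceShareInvitationArn": "arn:aws:ram:us-west-2:111122223333:resource-share-invitation/1234abcd-ef12-9876-5432-aaaaaa111111",
            "resourceShareName": "MyNewResourceShare",
            "resourceShareArn": "arn:aws:ram:us-west-2:111122223333:resource-share/1234abcd-ef12-9876-5432-bbbbbb222222",
            "senderAccountId": "111122223333",
            "receiverAccountId": "444455556666",
            "invitationTimestamp": "2021-09-15T15:00:32.568000-07:00",
            "status": "PENDING",
        },
        {
            "resourceShareInvitationArn": "arn:aws:ram:us-west-2:999999999999:resource-share-invitation/0000aaaa-0000-0000-0000-cccccc333333",
            "resourceShareName": "SharedSubnets",
            "resourceShareArn": "arn:aws:ram:us-west-2:999999999999:resource-share/0000aaaa-0000-0000-0000-dddddd444444",
            "senderAccountId": "999999999999",
            "receiverAccountId": "444455556666",
            "invitationTimestamp": "2021-09-16T09:05:00.000000-07:00",
            "status": "PENDING",
        },
        {
            "resourceShareInvitationArn": "arn:aws:ram:us-west-2:111122223333:resource-share-invitation/5555eeee-0000-0000-0000-ffffff555555",
            "resourceShareName": "OldShare",
            "resourceShareArn": "arn:aws:ram:us-west-2:111122223333:resource-share/5555eeee-0000-0000-0000-aaaaaa666666",
            "senderAccountId": "111122223333",
            "receiverAccountId": "444455556666",
            "invitationTimestamp": "2021-09-01T08:00:00.000000-07:00",
            "status": "ACCEPTED",
        },
    ]
})

# Constructed allowlist of the accounts expected to share resources with us.
ALLOWED_SENDERS = {"111122223333"}


def parse_invitation_arn(arn: str) -> Tuple[str, str]:
    """Return (region, account) from an invitation ARN of the form
    arn:partition:ram:region:account:resource-share-invitation/id."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "ram" or not parts[5].startswith("resource-share-invitation/"):
        raise ValueError(f"not a resource share invitation ARN: {arn}")
    return parts[3], parts[4]


def triage_invitations(cli_output: str, allowed_senders: Set[str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split PENDING invitations into ones to accept and ones to hold.

    An invitation is accepted only when senderAccountId is on the allowlist and
    matches the account in the invitation ARN; anything else is held for review.
    """
    accept: List[Dict[str, str]] = []
    hold: List[Dict[str, str]] = []
    for inv in json.loads(cli_output).get("resourceShareInvitations", []):
        if inv.get("status") != "PENDING":
            continue  # already accepted, rejected or expired: nothing to decide
        region, arn_account = parse_invitation_arn(inv["resourceShareInvitationArn"])
        sender = inv["senderAccountId"]
        record = {
            "arn": inv["resourceShareInvitationArn"],
            "name": inv["resourceShareName"],
            "sender": sender,
            "region": region,
        }
        if sender in allowed_senders and arn_account == sender:
            accept.append(record)
        else:
            hold.append(record)
    return accept, hold


def accept_commands(records: List[Dict[str, str]]) -> List[str]:
    """Build one accept command per record. --region is pinned to the Region in
    the ARN because a resource share is visible only where it was created."""
    return [
        f"aws ram accept-resource-share-invitation --region {r['region']} "
        f"--resource-share-invitation-arn {r['arn']}"
        for r in records
    ]


def sample_triage() -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    return triage_invitations(SAMPLE_OUTPUT, ALLOWED_SENDERS)


if __name__ == "__main__":
    to_accept, to_hold = sample_triage()
    for cmd in accept_commands(to_accept):
        print(cmd)
    for r in to_hold:
        print(f"HOLD: {r['name']} from {r['sender']} ({r['arn']})")
```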
Use the resources that are shared with you
After you accept the invitation to join a resource share, you can perform specific actions on the shared resources. These actions vary by resource type. For more information, see Shareable AWS resources (p. 40). The resources are available directly in each resource's service console and API/CLI operations. If the resource is Regional, then you must use the correct AWS Region in the service console or API/CLI command. If the resource is global, then you must use the designated home Region, US East (N. Virginia), us-east-1. To view the resource in AWS RAM, you must open the AWS RAM console to the AWS Region that the resource share was created in.
Working with shared AWS resources
You can use AWS Resource Access Manager (AWS RAM) to share AWS resources that you own and access AWS resources that are shared with you.
Contents
• Sharing Regional resources compared to global resources (p. 12)
• What are the differences between Regional and global resources? (p. 12)
• Resource shares and their Regions (p. 13)
• Share AWS resources owned by you (p. 14)
• Viewing resource shares you created in AWS RAM (p. 14)
• Creating a resource share in AWS RAM (p. 16)
• Update a resource share in AWS RAM (p. 19)
• Viewing your shared resources in AWS RAM (p. 23)
• Viewing the principals you share resources with in AWS RAM (p. 24)
• Viewing AWS RAM managed permissions (p. 25)
• Updating AWS RAM managed permissions to a newer version (p. 28)
• Deleting a resource share in AWS RAM (p. 29)
• Access AWS resources shared with you (p. 30)
• Accepting and rejecting resource share invitations (p. 30)
• Viewing resource shares shared with you (p. 32)
• Viewing resources shared with you (p. 33)
• View principals sharing with you (p. 34)
• Leaving a resource share (p. 35)
• Prerequisites for leaving a resource share (p. 35)
• How to leave a resource share (p. 36)
• Availability Zone IDs for your AWS resources (p. 37)
Sharing Regional resources compared to global resources
This topic discusses the differences in how AWS Resource Access Manager (AWS RAM) works with Regional and global resources.
What are the differences between Regional and global resources?
Regional resources
Most resources that you can share with AWS RAM are Regional. You create them in a specified AWS Region, and then they exist in that Region. To see or interact with those resources, you must direct your operations to that Region. For example, to create an Amazon Elastic Compute Cloud (Amazon EC2) instance with the AWS Management Console, you choose the AWS Region that you want to create the instance in. If you use the AWS Command Line Interface (AWS CLI) to create the instance, then you include the --region parameter. The AWS SDKs each have their own equivalent mechanism to specify the Region that the operation uses.
There are several reasons for using Regional resources. One good reason is to ensure that the resources, and the service endpoints that you use to access them, are as close to the customer as possible. This improves performance by minimizing latency. Another reason is to provide an isolation boundary. This lets you create independent copies of resources in multiple Regions to distribute the load and improve scalability. At the same time, it isolates the resources from each other to improve availability.
If you specify a different AWS Region in the console or in an AWS CLI command, then you can no longer see or interact with the resources you could see in the previous Region.
When you look at the Amazon Resource Name (ARN) for a Regional resource, the Region that contains the resource is specified as the fourth field in the ARN. For example, an Amazon EC2 instance is a Regional resource. Such resources have ARNs that look similar to the following sample for an instance that exists in the us-east-1 Region.
arn:aws:ec2:us-east-1:123456789012:instance/i-0a6f30921424d3eee
Global resources
Some AWS services support resources that you can access globally, meaning that you can use the resource from anywhere. You don't specify an AWS Region in a global service's console. To access a global resource, you don't specify a --region parameter when using the service's AWS CLI and AWS SDK operations.
Global resources support cases where it's critical that only one instance of a particular resource can exist at a time. In such scenarios, replication or synchronization between copies in different Regions isn't adequate. Having to access a single global endpoint, with the possible increase in latency, is considered acceptable to ensure that any changes are instantaneously visible to consumers of the resource. For example, when you create an AWS Cloud WAN core network as a global resource, it's consistent to all users. It appears as a single, contiguous global network across all Regions.
The Amazon Resource Name (ARN) for a global resource doesn't include a Region. The fourth field of such an ARN is empty, such as the following sample ARN for a Cloud WAN core network.
arn:aws:networkmanager::123456789012:core-network/core-network-0514d38fa6f796cea
Resource shares and their Regions
AWS RAM is a Regional service, and a resource share is Regional. Therefore, a resource share can contain resources from the same AWS Region as the resource share, and any supported global resources. The Region in which you create the resource share is the resource share's home Region.
Important
Currently, you can create resource shares with global resources only in the designated home Region US East (N. Virginia) Region, us-east-1. Although you can create the resource share only in that single home Region, any shared global resource appears as a standard global resource when viewed in that service's console or CLI and SDK operations. The restriction to the home Region applies only to the resource share, not the resources it contains.
To share a Regional resource that you created in the us-west-2 Region, you must configure the AWS RAM console to use us-west-2 and create the resource share there. You can't create a resource share that includes Regional resources from different AWS Regions. This means that to share resources from both us-west-2 and eu-north-1, you must create two different resource shares. You can't combine resources from two different Regions into a single resource share.
To share a global resource in the AWS RAM console, you must configure the AWS RAM console to use the designated home Region, US East (N. Virginia) us-east-1. Then, create the resource share in the designated home Region. You can mix global resources in a resource share only with resources from the us-east-1 Region.
Even though the global resource is viewable in an AWS RAM resource share in only the designated home Region, it's still a global resource after you share it. You can access it in the shared AWS accounts from any Region from which you could access it in the original AWS account.
Considerations
• To create a resource share in the AWS RAM console, you must use the Region that contains the resources that you want to share. If you want to include a global resource, then you must use the designated home Region to create the share. For example, to share an AWS Cloud WAN core network, you must create the resource share in the us-east-1 Region.
• To view or modify a resource share in the AWS RAM console, you must use the Region that contains the resource share. Similarly, the AWS RAM AWS CLI and SDK operations let you interact with only resource shares that are in the Region that you specify in your operation. To view or modify resource shares that contain global resources, you must use the designated home Region, US East (N. Virginia), us-east-1.
• To view a Regional resource in the AWS RAM console to include it in a resource share, you must use the Region that contains the Regional resource.
• To view a global resource in the AWS RAM console to include it in a resource share, you must use the designated home Region, US East (N. Virginia), us-east-1.
• You can create a resource share with both Regional and global resources in only the designated home Region, US East (N. Virginia), us-east-1.
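As an added example (not code from the AWS RAM User Guide), the following Python applies the Region rules above to a list of resource ARNs and reports whether, and in which Region, a single resource share can hold them. The function and constant names are this example's own.

```python
"""Placement check for AWS RAM resource shares (added example, not from the guide).

Rules implemented, as stated in this section: the Region is the fourth ARN
field and an empty fourth field marks a global resource; a resource share holds
Regional resources from its own home Region only; global resources are
shareable only from us-east-1 and can be mixed only with us-east-1 resources.
"""
from typing import List, Optional, Tuple

# Designated home Region for resource shares that contain global resources.
GLOBAL_HOME_REGION = "us-east-1"


def arn_region(arn: str) -> Optional[str]:
    """Return the Region field of an ARN, or None when it is empty (global).

    ARN layout is arn:partition:service:region:account:resource. The resource
    part may itself contain ':' (e.g. license-configuration:lic-...), so the
    string is split into at most six fields.
    """
    fields = arn.split(":", 5)
    if len(fields) != 6 or fields[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return fields[3] or None


def is_global(arn: str) -> bool:
    """True for resources such as a Cloud WAN core network, whose ARN has no Region."""
    return arn_region(arn) is None


def share_region_for(arns: List[str]) -> Tuple[Optional[str], List[str]]:
    """Decide the single Region in which a share holding all of `arns` can be created.

    Returns (region, problems). region is None when the set cannot go into one
    resource share; problems names each offending ARN and why.
    """
    regional = sorted({r for r in map(arn_region, arns) if r is not None})
    has_global = any(is_global(a) for a in arns)
    problems: List[str] = []

    if len(regional) > 1:
        # Regional resources from two Regions never fit one share: two shares are needed.
        anchor = regional[0]
        for a in arns:
            r = arn_region(a)
            if r is not None and r != anchor:
                problems.append(f"{a}: Region {r} differs from {anchor}")
        return None, problems

    if has_global and regional and regional[0] != GLOBAL_HOME_REGION:
        # Global resources may only be mixed with us-east-1 resources.
        for a in arns:
            if is_global(a):
                problems.append(
                    f"{a}: global resource needs a share in {GLOBAL_HOME_REGION}, "
                    f"not {regional[0]}")
        return None, problems

    # One Regional Region (with global resources only if it is us-east-1, checked
    # above), or only global resources, which go in the home Region.
    return (regional[0] if regional else GLOBAL_HOME_REGION), problems


if __name__ == "__main__":
    # Sample ARNs are constructed from the formats shown in this section.
    sample = [
        "arn:aws:ec2:us-west-2:123456789012:subnet/subnet-0250c25a1f4e15235",
        "arn:aws:networkmanager::123456789012:core-network/core-network-0514d38fa6f796cea",
    ]
    region, problems = share_region_for(sample)
    print("share Region:", region)
    for p in problems:
        print(" -", p)
```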
Share AWS resources owned by you
You can use AWS Resource Access Manager (AWS RAM) to share the resources that you specify with the principals that you specify. This section describes how you can create new resource shares, modify existing resource shares, and delete resource shares that you no longer need.
Topics
• Viewing resource shares you created in AWS RAM (p. 14)
• Creating a resource share in AWS RAM (p. 16)
• Update a resource share in AWS RAM (p. 19)
• Viewing your shared resources in AWS RAM (p. 23)
• Viewing the principals you share resources with in AWS RAM (p. 24)
• Viewing AWS RAM managed permissions (p. 25)
• Updating AWS RAM managed permissions to a newer version (p. 28)
• Deleting a resource share in AWS RAM (p. 29)
Viewing resource shares you created in AWS RAM
You can view a list of the resource shares that you have created. You can see which resources you're sharing and the principals with whom they're shared.
Console
To view your resource shares
1. Open the Shared by me : Resource shares page in the AWS RAM console.
2. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia), (us-east-1). For more information about sharing global resources, see Sharing Regional resources compared to global resources (p. 12).
3. (Optional) Apply a filter to find specific resource shares. You can apply multiple filters to narrow your search. You can type a keyword, such as part of a resource share name to list only those resource shares that include that text in the name. Choose the text box to see a dropdown list of suggested attribute fields. After you choose one, you can choose from the list of available values for that field. You can add other attributes or keywords until you find the resource you want.
4. Choose the name of the resource share to review. The console displays the following information about the resource share:
• Summary – Lists the resource share name, ID, owner, Amazon Resource Name (ARN), creation date, whether it allows sharing with external accounts, and its current status.
• Permissions – Lists the AWS RAM managed permissions that are attached to this resource share. There can be at most one permission per resource type included in the resource share.
• Shared resources – Lists the individual resources that are included in the resource share.
Choose the ID of a resource to open a new browser tab to view the resource in its native service's console.
• Shared principals – Lists the principals with whom the resources are shared.
• Tags – Lists the tag key-value pairs that are attached to the resource share itself; these are not the tags attached to the individual resources included in the resource share.
AWS CLI
To view your resource shares
You can use the get-resource-shares command with the parameter --resource-owner set to SELF to display details of the resource shares created in your AWS account.
The following example shows the resource shares that are shared in the current AWS Region (us-east-1) for the calling AWS account. To get the resource shares created in a different Region, use the --region <region-code> parameter. To get resource shares that include global resources, you must specify the Region US East (N. Virginia), us-east-1.
$ aws ram get-resource-shares \
    --resource-owner SELF
{
    "resourceShares": [
        {
            "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/2ebe77d7-4156-4a93-87a4-228568d04425",
            "name": "MySubnetShare",
            "owningAccountId": "123456789012",
            "allowExternalPrincipals": true,
            "status": "ACTIVE",
            "creationTime": "2021-09-10T15:38:54.449000-07:00",
            "lastUpdatedTime": "2021-09-10T15:38:54.449000-07:00",
            "featureSet": "STANDARD"
        },
        {
            "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/818d71dd-7512-4f71-99c6-2ae57aa010bc",
            "name": "MyLicenseConfigShare",
            "owningAccountId": "123456789012",
            "allowExternalPrincipals": true,
            "status": "ACTIVE",
            "creationTime": "2021-09-14T20:42:40.266000-07:00",
            "lastUpdatedTime": "2021-09-14T20:42:40.266000-07:00",
            "featureSet": "STANDARD"
        }
    ]
}
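As an added example (not code from the AWS RAM User Guide), the following Python calls the boto3 equivalents of get-resource-shares with --resource-owner SELF and get-resource-share-associations to list the shares you own that currently reach principals outside your organization, which is the review a share owner most often needs. The RAM client is injected, so the constructed FakeRamClient stands in for boto3.client("ram") offline; the function and class names and all IDs in the fake are this example's own.

```python
"""Audit resource shares you own for external principals (added example).

Not from the AWS RAM User Guide. Because AWS RAM is Regional, one run covers
the Region of the client you pass in; repeat per Region (and us-east-1 for
shares that contain global resources).
"""
from typing import Dict, Iterator, List


def _paginate(call, key: str, **kwargs) -> Iterator[dict]:
    """Follow nextToken until the RAM API returns no further page."""
    token = None
    while True:
        params = dict(kwargs)
        if token:
            params["nextToken"] = token
        page = call(**params)
        yield from page.get(key, [])
        token = page.get("nextToken")
        if not token:
            return


def audit_external_sharing(ram) -> List[Dict]:
    """Return one finding per share that both allows and currently has external principals.

    allowExternalPrincipals is true by default for shares created in the
    console; a PRINCIPAL association with "external": true is a principal
    outside the owner's organization. Associations already DISASSOCIATED are
    ignored.
    """
    findings = []
    for share in _paginate(ram.get_resource_shares, "resourceShares",
                           resourceOwner="SELF"):
        if not share.get("allowExternalPrincipals"):
            continue  # restricted to the organization: nothing to flag
        externals = [
            assoc["associatedEntity"]
            for assoc in _paginate(ram.get_resource_share_associations,
                                   "resourceShareAssociations",
                                   associationType="PRINCIPAL",
                                   resourceShareArns=[share["resourceShareArn"]])
            if assoc.get("external") and assoc.get("status") != "DISASSOCIATED"
        ]
        if externals:
            findings.append({"name": share["name"],
                             "resourceShareArn": share["resourceShareArn"],
                             "externalPrincipals": externals})
    return findings


class FakeRamClient:
    """Constructed stand-in for boto3.client("ram"); every ID here is made up."""

    def __init__(self):
        base = "arn:aws:ram:us-east-1:123456789012:resource-share/"
        org = "arn:aws:organizations::123456789012:organization/o-1234abcd"
        self.shares = [
            {"resourceShareArn": base + "1111-aaaa", "name": "MySubnetShare",
             "allowExternalPrincipals": True, "status": "ACTIVE"},
            {"resourceShareArn": base + "2222-bbbb", "name": "MyLicenseConfigShare",
             "allowExternalPrincipals": False, "status": "ACTIVE"},
            {"resourceShareArn": base + "3333-cccc", "name": "OrgOnlyShare",
             "allowExternalPrincipals": True, "status": "ACTIVE"},
        ]
        self.assocs = {
            base + "1111-aaaa": [
                {"associatedEntity": org, "status": "ASSOCIATED", "external": False},
                {"associatedEntity": "444455556666", "status": "ASSOCIATED", "external": True},
                {"associatedEntity": "999999999999", "status": "DISASSOCIATED", "external": True},
            ],
            base + "2222-bbbb": [
                {"associatedEntity": org, "status": "ASSOCIATED", "external": False}],
            base + "3333-cccc": [
                {"associatedEntity": org, "status": "ASSOCIATED", "external": False}],
        }

    def get_resource_shares(self, resourceOwner, nextToken=None):
        # One share per page so that the nextToken loop is exercised.
        i = int(nextToken or 0)
        page = {"resourceShares": self.shares[i:i + 1]}
        if i + 1 < len(self.shares):
            page["nextToken"] = str(i + 1)
        return page

    def get_resource_share_associations(self, associationType, resourceShareArns,
                                        nextToken=None):
        return {"resourceShareAssociations":
                [a for arn in resourceShareArns for a in self.assocs.get(arn, [])]}


if __name__ == "__main__":
    import boto3  # real run: needs credentials with ram:GetResourceShares etc.
    for f in audit_external_sharing(boto3.client("ram", region_name="us-east-1")):
        print(f["name"], "->", ", ".join(f["externalPrincipals"]))
```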
Creating a resource share in AWS RAM
To share resources that you own, create a resource share. When you create a resource share, you do the following:
1. Add the resources that you want to share.
2. For each resource type that you include in the share, specify the permission to use for that resource type.
• If only the default permission is available for a resource type, then AWS RAM automatically associates that permission with the resource type and there is no action for you.
• If more than the default AWS RAM managed permission is available for a resource type, then you must choose the permission to associate with that resource type.
3. Specify the principals that you want to have access to the resources.
Considerations
• The resource types that you can include in a resource share are listed at Shareable AWS resources (p. 40).
• You can share a resource only if you own it. You can't share a resource that's shared with you.
• AWS RAM is a Regional service. When you share a resource with principals in other AWS accounts, they must access each resource from the same AWS Region that it was created in. For supported global resources, you can access those resources from any AWS Region that's supported by that resource's service console and tools. Note that you can view such resource shares and their global resources in the AWS RAM console and tools only in the designated home Region, US East (N. Virginia), us-east-1. For more information about AWS RAM and global resources, see Sharing Regional resources compared to global resources (p. 12).
• If you're part of an organization in AWS Organizations and sharing within your organization is enabled, principals in the organization are automatically granted access to the shared resources without the use of invitations. A principal in an account with whom you share outside of the context of an organization receives an invitation to join the resource share and is granted access to the shared resources only after they accept the invitation.
• After you add an organization or an organization unit (OU) to a resource share, changes to the accounts that are in an OU or accounts that join or leave an organization dynamically affect the resource share. For example, if you add a new account to an OU that has access to a resource share, then the new member account automatically receives access to the shared resources.
• You can add only the organization your account is a member of, and OUs from that organization to your resource shares. You can't add OUs or organizations from outside your own organization to a resource share as principals. However, you can add individual AWS accounts, IAM users, and IAM roles from outside your organization as principals to a resource share.
Note
Not all resource types can be shared with IAM roles and users. For information about resources that you can share with these principals, see Shareable AWS resources (p. 40).
Console
To create a resource share
1. Open the AWS RAM console.
2. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. If you want to include global resources in the resource share, then you must choose the designated home Region, US East (N. Virginia), (us-east-1). For more information about sharing global resources, see Sharing Regional resources compared to global resources (p. 12).
3. If you're new to AWS RAM, choose Create a resource share from the home page. Otherwise, choose Create resource share from the Shared by me : Resource shares page.
4. In Step 1: Specify resource share details, do the following:
a. For Name, enter a descriptive name for the resource share.
b. Under Resources, choose resources to add to the resource share as follows:
• For Select resource type, choose the type of resource to share. This filters the list of shareable resources to only those resources of the selected type.
• In the resulting list of resources, select the check boxes next to the individual resources that you want to share. The selected resources move under Selected resources.
If you're sharing resources that are associated with a specific availability zone, then using the Availability Zone ID (AZ ID) helps you determine the relative location of these resources across accounts. For more information, see Availability Zone IDs for your AWS resources (p. 37).
c. (Optional) To attach tags to the resource share, under Tags, enter a tag key and value. Add others by choosing Add new tag. Repeat this step as needed. These tags apply to only the resource share itself, not to the resources in the resource share.
5. Choose Next.
6. In Step 2: Associate a permission with each resource type, if more than the default AWS RAM managed permission is available, then you can choose which permission to associate with the resource type. If only the default permission is available, then AWS RAM automatically associates this permission with the resource type. For more information, see Types of AWS RAM managed permissions (p. 87).
To display the actions that the permission allows, expand View the actions that are allowed by this permission.
7. Choose Next.
8. In Step 3: Choose principals to grant access, do the following:
a. By default, Allow sharing with external principals is selected, which means that you can share resources with AWS accounts that are outside of your organization. For supported resource types (p. 40), you can also share resources with IAM roles and users.
To restrict resource sharing to only principals in your organization, choose Allow sharing with principals in your organization only.
b. For Principals, do the following:
• To add the organization, an organizational unit (OU), or an AWS account that is part of an organization, turn on Display organizational structure. This displays a tree view of your organization. Then, select the check box next to each principal that you want to add.
• If you select the organization (the ID begins with o-), then all AWS accounts in the organization can access the resource share.
• If you select an OU (the ID begins with ou-), then all AWS accounts in that OU and its child OUs can access the resource share.
• If you select an individual AWS account, then only that account can access the resource share.
Note
The Display organizational structure toggle appears only if sharing with AWS Organizations is enabled and you're signed in to the management account for the organization.
You can't use this method to specify an AWS account outside your organization, or an IAM role or IAM user. Instead, you must turn off Display organizational structure and use the dropdown list and text box to enter the ID or ARN.
• To specify a principal by ID or ARN, including principals that are outside of the organization, select the principal type for each principal. Next, enter the ID (for an AWS account, organization, or OU) or ARN (for an IAM user or role), and then choose Add.
The available principal types and ID and ARN formats are as follows:
• AWS account – To add an AWS account, enter the 12-digit account ID. For example:
123456789012
• Organization – To add all of the AWS accounts in your organization, enter the ID of the organization. For example:
o-abcd1234
• Organizational unit (OU) – To add an OU, enter the ID of the OU. For example:
ou-abcd-1234efgh
• IAM role – To add an IAM role, enter the ARN of the role. Use the following syntax.
arn:partition:iam::account:role/role-name
For example:
arn:aws:iam::123456789012:role/MyS3AccessRole
Note
To obtain the unique ARN for an IAM role, view the list of roles in the IAM console, use the get-role AWS CLI command, or use the GetRole API action.
• IAM user – To add an IAM user, enter the ARN of the user. Use the following syntax.
arn:partition:iam::account:user/user-name
For example:
arn:aws:iam::123456789012:user/JohnDoe
Note
To obtain the unique ARN for an IAM user, view the list of users in the IAM console, use the get-user AWS CLI command, or use the GetUser API action.
c. For Selected principals, verify that the principals you specified appear in the list.
9. Choose Next.
10. In Step 4: Review and create, review the configuration details for your resource share. To change the configuration for any step, choose the link that corresponds to the step you want to go back to and make the required changes.
11. After you finish reviewing the resource share, choose Create resource share.
It can take a few minutes for the resource and principal associations to complete. Allow this process to complete before you try to use the resource share.
12. You can add and remove resources and principals or apply custom tags to your resource share at any time. You can change permission for resource types that are included in your resource share, for those types that support more than the default permission. You can delete your resource share when you no longer want to share the resources. For more information, see Share AWS resources owned by you (p. 14).
AWS CLI
To create a resource share
Use the create-resource-share command. The following command creates a resource share that is shared with all of the AWS accounts in the organization. The share contains an AWS License Manager license configuration, and it grants the default permissions for that resource type.
$ aws ram create-resource-share \
    --region us-east-1 \
    --name MyLicenseConfigShare \
    --permission-arns arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLicenseConfiguration \
    --resource-arns arn:aws:license-manager:us-east-1:123456789012:license-configuration:lic-abc123 \
    --principals arn:aws:organizations::123456789012:organization/o-1234abcd
{
    "resourceShare": {
        "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/12345678-abcd-09876543",
        "name": "MyLicenseConfigShare",
        "owningAccountId": "123456789012",
        "allowExternalPrincipals": true,
        "status": "ACTIVE",
        "creationTime": "2021-09-14T20:42:40.266000-07:00",
        "lastUpdatedTime": "2021-09-14T20:42:40.266000-07:00"
    }
}
Update a resource share in AWS RAM
You can update a resource share in AWS RAM at any time in the following ways:
• You can add principals, resources, or tags to a resource share that you created.
• For resource types that support more than the default AWS RAM managed permission, you can choose which permission applies to resources of each type.
• You can revoke access to shared resources by removing principals or resources from a resource share. If you revoke access, principals no longer have access to the shared resources.
Note
Principals with whom you share resources can leave your resource share if the share is empty or contains only resource types that support leaving a resource share. If the resource share contains resource types that don't support leaving, a message appears to inform principals that they must contact the share owner. In this case, you, as the owner of the resource share, must remove the principals from your resource share. For a list of resource types that don't support this action, see Prerequisites for leaving a resource share (p. 35).
Console
To update a resource share
1. Navigate to the Shared by me : Resource shares page in the AWS RAM console.
2. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia), (us-east-1). For more information about sharing global resources, see Sharing Regional resources compared to global resources (p. 12).
3. Select the resource share and then choose Modify.
4. In Step 1: Specify resource share details, review the resource share details, and if required, update any of the following:
a. (Optional) To change the name of the resource share, edit Name.
b. (Optional) To add a resource to the resource share, under Resources, choose the type of resource and then select the check box next to the resource to add it to the resource share.
Global resources appear only if you set the Region to US East (N. Virginia), (us-east-1) in the AWS Management Console.
c. (Optional) To remove a resource from the resource share, locate the resource under Selected resources, and then choose the X next to the resource's ID.
d. (Optional) To add a tag to the resource share, under Tags, enter a tag key and value in the empty text boxes. To add more than one tag key and value pair, choose Add new tag. You can add up to 50 tags.
e. To remove a tag from the resource share, under Tags, locate the tag and choose Remove next to it.
5. Choose Next.
6. (Optional) In Step 2: Associate a permission with each resource type, if more than the default AWS RAM managed permission is available, you can choose which permission to associate with the resource type. For more information, see Types of AWS RAM managed permissions (p. 87). If only the default AWS RAM managed permission is available, then you can't alter anything for this resource type.
To display the actions that the AWS RAM managed permission allows, choose View the actions that are allowed by this permission to expand it and display the list.
7. Choose Next.
8. In Step 3: Choose principals that are allowed to access, review the selected principals, and if required, update any of the following:
a. (Optional) To change whether sharing is enabled with principals inside or outside your organization, choose one of the following options:
• To share resources with AWS accounts, IAM users, and IAM roles that are outside of your organization, choose Allow sharing with external principals.
• To restrict resource sharing to only principals in your organization in AWS Organizations, choose Allow sharing with principals in your organization only.
b. For Principals, do the following:
• (Optional) To add an organization, organizational unit (OU), or member AWS account inside your organization, turn on Display organizational structure to display a tree view of your organization. Then select the check box next to each principal that you want to add.
Note
The Display organizational structure toggle appears only if sharing with AWS Organizations is enabled and you are signed in as a principal in the organization's management account.
You can't use this method to specify an AWS account outside your organization, or an IAM role or IAM user. Instead, you must add these principals by entering their identifiers, which are shown in the text box below the Display organizational structure switch. See the next bullet point.
• (Optional) To add a principal by its identifier, choose the principal type from the dropdown list, and then enter the ID or ARN for the principal. Finally, choose Add.
The addition immediately appears in the Selected principals list.
You can then add additional accounts, OUs, or your organization by repeating this step.
• (Optional) To remove a principal, locate it under Selected principals, select its check box, and then choose Deselect.
9. Choose Next.
10. In Step 4: Review and update, review the configuration details for your resource share. To change the configuration for any step, choose the link that corresponds to the step you want to go back to, and then make the required changes.
11. Choose Update resource share when you're done making changes.
AWS CLI
To update a resource share
You can use the following AWS CLI commands to modify a resource share:
• To rename a resource share, or to change whether external principals are allowed, use the command update-resource-share. The following example renames the specified resource share and sets it to allow only principals from its organization. You must use the service endpoint for the AWS Region that contains the resource share.
$ aws ram update-resource-share \
    --region us-east-1 \
    --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE \
    --name "my-renamed-resource-share" \
    --no-allow-external-principals
{
    "resourceShare": {
        "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE",
        "name": "my-renamed-resource-share",
        "owningAccountId": "123456789012",
        "allowExternalPrincipals": false,
        "status": "ACTIVE",
        "creationTime": 1565295733.282,
        "lastUpdatedTime": 1565303080.023
    }
}
• To add a resource to a resource share, use the command associate-resource-share. The following example adds a subnet to the specified resource share.
$ aws ram associate-resource-share \
    --region us-east-1 \
    --resource-arns arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0250c25a1f4e15235 \
    --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE
{
    "resourceShareAssociations": [
        {
            "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE",
            "associatedEntity": "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0250c25a1f4e15235",
            "associationType": "RESOURCE",
            "status": "ASSOCIATING",
            "external": false
        }
    ]
}
• To add or replace an AWS RAM managed permission for a resource type in a resource share, use the commands list-permissions and associate-resource-share-permission. You can assign only one permission per resource type in a resource share. If you try to add a permission to a resource type that already has a permission, you must include the --replace option or the command fails with an error.
The following example command lists the ARNs for the permissions available for an Amazon Elastic Compute Cloud (Amazon EC2) subnet, and then uses one of those ARNs to replace the currently assigned permission for that resource type in the specified resource share.
$ aws ram list-permissions \
    --resource-type ec2:Subnet
{
    "permissions": [
        {
            "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet",
            "version": "1",
            "defaultVersion": true,
            "name": "AWSRAMDefaultPermissionSubnet",
            "resourceType": "ec2:Subnet",
            "creationTime": "2020-02-27T11:38:26.727000-08:00",
            "lastUpdatedTime": "2020-02-27T11:38:26.727000-08:00"
        }
    ]
}
$ aws ram associate-resource-share-permission \
    --region us-east-1 \
    --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/f1d72a60-da19-4765-b4f9-e27b658b15b8 \
    --permission-arn arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet
{
    "returnValue": true
}
• To remove a resource from a resource share, use the command disassociate-resource-share. The following example removes the Amazon EC2 subnet with the specified ARN from the specified resource share.
$ aws ram disassociate-resource-share \
    --region us-east-1 \
    --resource-arns arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0250c25a1f4e15235 \
    --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE
{
    "resourceShareAssociations": [
        {
            "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE",
            "associatedEntity": "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0250c25a1f4e15235",
            "associationType": "RESOURCE",
            "status": "DISASSOCIATING",
            "external": false
        }
    ]
}
• To modify the tags attached to a resource share, use the commands tag-resource and untag-resource. The following example adds the tag project=lima to the specified resource share.
$ aws ram tag-resource \
    --region us-east-1 \
    --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/f1d72a60-da19-4765-b4f9-e27b658b15b8 \
    --tags key=project,value=lima
The following example removes the tag with a key of project from the specified resource share.
$ aws ram untag-resource \
    --region us-east-1 \
    --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/f1d72a60-da19-4765-b4f9-e27b658b15b8 \
    --tag-keys project
The tagging commands produce no output when successful.
Viewing your shared resources in AWS RAM
You can view the list of individual resources that you've shared, across all resource shares. The list helps you to determine which resources you're currently sharing, the number of resource shares that they're included in, and the number of principals that have access to them.
Console
To view the resources that you're currently sharing
1. Open the Shared by me : Shared resources page in the AWS RAM console.
2. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia), (us-east-1). For more information about sharing global resources, see Sharing Regional resources compared to global resources (p. 12).
3. For each shared resource, the following information is available:
• Resource ID – The ID of the resource. Choose the ID of a resource to open a new browser tab to view the resource in its native service console.
• Resource type – The type of resource.
• Last share date – The date on which the resource was last shared.
• Resource shares – The number of resource shares that include the resource. To see the list of the resource shares, choose the number.
• Principals – The number of principals who can access the resource. Choose the value to view the principals.
AWS CLI
To view the resources that you're currently sharing
You can use the list-resources command with the parameter --resource-owner set to SELF to display details of the resources that you currently share.
The following example shows the resources that are included in resource shares in the AWS Region (us-east-1) for the calling AWS account. To get the resources that you share in a different Region, use the --region <region-code> parameter.
$ aws ram list-resources \
    --region us-east-1 \
    --resource-owner SELF
{
    "resources": [
        {
            "arn": "arn:aws:license-manager:us-east-1:123456789012:license-configuration:lic-ecbd5574fd92cb0d312baea260e4cece",
            "type": "license-manager:LicenseConfiguration",
            "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/818d71dd-7512-4f71-99c6-2ae57aa010bc",
            "creationTime": "2021-09-14T20:42:40.266000-07:00",
            "lastUpdatedTime": "2021-09-14T20:42:41.081000-07:00"
        },
        {
            "arn": "arn:aws:license-manager:us-east-1:123456789012:license-configuration:lic-ecbd5574fd92cb0d312baea260e4cece",
            "type": "license-manager:LicenseConfiguration",
            "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/a477f3b2-4001-4dcb-bd54-7c8d23b4f07d",
            "creationTime": "2021-07-22T11:48:11.104000-07:00",
            "lastUpdatedTime": "2021-07-22T11:48:11.971000-07:00"
        }
    ]
}
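Note that list-resources returns one entry per resource-and-share pair, so a resource that is included in two resource shares (as the license configuration above is) appears twice. The console view described earlier collapses these into one row per resource with a share count and a last share date. The following script, added here as an example and not part of the AWS RAM documentation or the AWS CLI, rebuilds that per-resource view from the JSON that list-resources --resource-owner SELF prints, so the same inventory can be produced in a script or a scheduled review. The sample JSON is constructed for the example (the two license-configuration entries match the output above; the subnet entry is invented), and the function names are this example's own.

```python
import json
from datetime import datetime

# Constructed sample in the shape of `aws ram list-resources --resource-owner SELF`
# output. The two license-manager entries mirror the page's example (one resource,
# two resource shares); the ec2 subnet entry is invented for this example.
SAMPLE_LIST_RESOURCES_OUTPUT = """
{
  "resources": [
    {
      "arn": "arn:aws:license-manager:us-east-1:123456789012:license-configuration:lic-ecbd5574fd92cb0d312baea260e4cece",
      "type": "license-manager:LicenseConfiguration",
      "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/818d71dd-7512-4f71-99c6-2ae57aa010bc",
      "creationTime": "2021-09-14T20:42:40.266000-07:00",
      "lastUpdatedTime": "2021-09-14T20:42:41.081000-07:00"
    },
    {
      "arn": "arn:aws:license-manager:us-east-1:123456789012:license-configuration:lic-ecbd5574fd92cb0d312baea260e4cece",
      "type": "license-manager:LicenseConfiguration",
      "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/a477f3b2-4001-4dcb-bd54-7c8d23b4f07d",
      "creationTime": "2021-07-22T11:48:11.104000-07:00",
      "lastUpdatedTime": "2021-07-22T11:48:11.971000-07:00"
    },
    {
      "arn": "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0250c25a1f4e15235",
      "type": "ec2:Subnet",
      "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE",
      "creationTime": "2021-08-01T09:00:00-07:00",
      "lastUpdatedTime": "2021-08-01T09:00:05-07:00"
    }
  ]
}
"""


def summarize_shared_resources(raw_json):
    """Collapse list-resources output into one record per resource ARN.

    Returns {arn: {"type", "share_count", "resource_shares", "last_share_date"}},
    matching the Resource type / Resource shares / Last share date columns of the
    console's "Shared resources" page. last_share_date is the newest creationTime
    across the resource's associations, as an ISO 8601 string.
    """
    grouped = {}
    for entry in json.loads(raw_json).get("resources", []):
        arn = entry["arn"]
        rec = grouped.setdefault(
            arn, {"type": entry["type"], "shares": set(), "newest": None}
        )
        rec["shares"].add(entry["resourceShareArn"])
        # creationTime uses an offset like -07:00, which fromisoformat accepts.
        created = datetime.fromisoformat(entry["creationTime"])
        if rec["newest"] is None or created > rec["newest"]:
            rec["newest"] = created

    return {
        arn: {
            "type": rec["type"],
            "share_count": len(rec["shares"]),
            "resource_shares": sorted(rec["shares"]),
            "last_share_date": rec["newest"].isoformat(),
        }
        for arn, rec in grouped.items()
    }


def resources_in_multiple_shares(summary):
    """ARNs exposed through more than one resource share.

    Each extra share may carry its own principals and managed permission, so these
    are the resources whose effective audience is easiest to misjudge when reviewing.
    """
    return sorted(arn for arn, rec in summary.items() if rec["share_count"] > 1)


if __name__ == "__main__":
    # In practice, pipe in live output: aws ram list-resources --resource-owner SELF
    summary = summarize_shared_resources(SAMPLE_LIST_RESOURCES_OUTPUT)
    for arn, rec in summary.items():
        print(f"{rec['type']:<40} shares={rec['share_count']} last={rec['last_share_date']}")
        print(f"    {arn}")
    print("In more than one share:", resources_in_multiple_shares(summary))
```

To run it against a real account, replace the constructed sample with the output of the list-resources command shown above for each Region you share from (the CLI paginates the call for you, so the full list arrives in one document). The per-resource share count is the figure to reconcile with what you expect: each resource share in the list has its own set of principals, so a resource that shows up in more shares than you intended is the first thing to look at on the Principals page described next.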
Viewing the principals you share resources with in AWS RAM
You can view the principals you share your resources with, across all resource shares. Viewing this list of principals helps you determine who has access to your shared resources.
Console
To view the principals you're sharing resources with
1. Navigate to the Shared by me : Principals page in the AWS RAM console.
2. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia), (us-east-1). For more information about sharing global resources, see Sharing Regional resources compared to global resources (p. 12).
3. Apply a filter to find specific principals. You can apply multiple filters to narrow your search.
Choose the text box to see a dropdown list of suggested attribute fields. After you choose one, you can choose from the list of available values for that field. You can add other attributes or keywords until you find the principal you're looking for.