Posted On: Jun 15, 2021

AWS Resource Access Manager (RAM) helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs) in AWS Organizations, and now also with IAM roles and IAM users for supported resource types. With this release, AWS RAM also provides additional managed permissions that you can use to define access to shared resources. In addition to the default managed permission defined for each shareable resource type, you now have more flexibility to choose which permissions to grant to whom for resource types that support additional managed permissions.

AWS RAM managed permissions define what actions can be performed on shared resources. For example, when you share the AWS Certificate Manager Private Certificate Authority (ACM PCA) resource type, you can enable specific team members to issue client certificates without granting them the privilege to revoke certificates. You can then share the same ACM PCA resource with an administrator using a managed permission that includes the privilege to revoke certificates. This follows the best practice of granting least privilege, that is, the minimum permissions required for access to shared resources.

With this launch, you also have additional flexibility to define who has access to shared resources. In addition to sharing resources with your entire organization or OUs in AWS Organizations, and with any AWS account, you can now also share resources with IAM roles and IAM users for supported resource types.

To learn more about managed permissions and support for IAM roles and IAM users, see the AWS Resource Access Manager User Guide. To get started with using AWS RAM to share resources, visit the AWS Resource Access Manager Console. To view a list of available managed permissions, navigate to the Permissions Library in the AWS RAM Console.