Posted On: Apr 25, 2023

AWS Resource Access Manager (AWS RAM) now supports customer managed permissions, so you can author and maintain fine-grained resource access controls for supported resource types. AWS RAM helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs), and with AWS Identity and Access Management (IAM) roles and users. With customer managed permissions, you can apply the principle of least privilege: granting only the minimum permissions required to perform a task.

You can now define the granularity of your customer managed permissions by precisely specifying who can do what, under which conditions, for the resource types included in your resource share. For example, as a cloud security admin, you can author tailored customer managed permissions for Amazon Virtual Private Cloud IP Address Manager (IPAM) pools, which help you manage your IP addresses at scale. The network admin can then share the IPAM pools using the tailored permissions, so that developers can assign IP addresses but cannot view the ranges of IP addresses that other developer accounts assign. For sensitive actions such as viewing the IP address ranges in an IPAM pool, you can add conditions, such as requiring that the actions be performed by users who authenticated with multi-factor authentication.
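The IPAM scenario above, worked through as an added example (not code from AWS or from the announcement): two constructed customer managed permission policy templates for the ec2:IpamPool resource type, one that lets developers allocate and release CIDRs without seeing other accounts' allocations, and one that permits viewing allocations only when the request context carries aws:MultiFactorAuthPresent. A small evaluator shows which requests each template admits, and a helper assembles the argv for registering a template; the CLI shape (aws ram create-permission with --name, --resource-type and --policy-template) is my assumption and is not run here.

```python
import fnmatch
import json

# Two constructed RAM customer managed permission policy templates for the
# ec2:IpamPool resource type. A RAM policy template carries only Effect, Action
# and Condition; RAM supplies Principal and Resource from the resource share.
# The action names are EC2 IPAM API actions; the split follows the scenario on
# the page (developers allocate, viewing other accounts' allocations is gated).
DEVELOPER_ALLOCATE_TEMPLATE = {
    "Effect": "Allow",
    "Action": [
        "ec2:AllocateIpamPoolCidr",
        "ec2:ReleaseIpamPoolAllocation",
        "ec2:DescribeIpamPools",
    ],
}

# Viewing allocations reveals address ranges held by other accounts, so this
# template grants it only to sessions that authenticated with MFA.
ADMIN_VIEW_MFA_TEMPLATE = {
    "Effect": "Allow",
    "Action": ["ec2:GetIpamPoolAllocations", "ec2:GetIpamPoolCidrs"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
}


def _condition_matches(condition, context):
    """Evaluate the subset of IAM condition operators used here.

    `context` holds request context keys such as aws:MultiFactorAuthPresent.
    A referenced key missing from the context makes the condition fail, which
    is how IAM treats Bool/StringEquals without an IfExists suffix.
    """
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected_values = expected if isinstance(expected, list) else [expected]
            if operator == "Bool":
                if str(actual).lower() not in [str(v).lower() for v in expected_values]:
                    return False
            elif operator == "StringEquals":
                if actual not in expected_values:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def is_allowed(template, action, context=None):
    """Return True if `action` is permitted by this template for a request
    whose context keys are in `context`, e.g. {"aws:MultiFactorAuthPresent": "true"}.

    Default-deny: the action must match an Allow entry (IAM action wildcards
    such as ec2:Get* are honoured, case-insensitively) and every condition
    clause must hold. Deny templates are out of scope and evaluate to False.
    """
    context = context or {}
    if template.get("Effect") != "Allow":
        return False
    actions = template["Action"]
    actions = actions if isinstance(actions, list) else [actions]
    if not any(fnmatch.fnmatchcase(action.lower(), pattern.lower()) for pattern in actions):
        return False
    return _condition_matches(template.get("Condition", {}), context)


def ram_create_permission_argv(name, resource_type, template):
    """Build the argv that would register a template as a customer managed
    permission. Assumption: the AWS CLI exposes CreatePermission as
    `aws ram create-permission` with --name/--resource-type/--policy-template.
    The CLI is not invoked here.
    """
    return [
        "aws", "ram", "create-permission",
        "--name", name,
        "--resource-type", resource_type,
        "--policy-template", json.dumps(template, separators=(",", ":")),
    ]


if __name__ == "__main__":
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    no_mfa = {"aws:MultiFactorAuthPresent": "false"}
    print("developer allocate:", is_allowed(DEVELOPER_ALLOCATE_TEMPLATE, "ec2:AllocateIpamPoolCidr"))
    print("developer view:", is_allowed(DEVELOPER_ALLOCATE_TEMPLATE, "ec2:GetIpamPoolAllocations", mfa))
    print("viewer with MFA:", is_allowed(ADMIN_VIEW_MFA_TEMPLATE, "ec2:GetIpamPoolAllocations", mfa))
    print("viewer without MFA:", is_allowed(ADMIN_VIEW_MFA_TEMPLATE, "ec2:GetIpamPoolAllocations", no_mfa))
    print(" ".join(ram_create_permission_argv("IpamPoolDeveloperAllocate", "ec2:IpamPool", DEVELOPER_ALLOCATE_TEMPLATE)))
```

The evaluator is intentionally default-deny and fails closed when a condition key is absent from the request context, which is the behaviour to expect from the real policy engine for a Bool condition without an IfExists suffix; keeping the view actions out of the developer template entirely, rather than relying on a condition alone, is what actually prevents one developer account from listing another's allocations.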

Customer managed permissions are now available in all AWS Regions where AWS RAM is supported, including the AWS GovCloud (US) Regions.

To learn more about customer managed permissions, see the AWS RAM User Guide. To get started with using AWS RAM to share resources, visit the AWS RAM Console.