AWS Resource Access Manager FAQs
Overview
What is AWS Resource Access Manager?
AWS Resource Access Manager (AWS RAM) helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs) in AWS Organizations, and with IAM roles and IAM users for supported resource types. Sharing eliminates the need to provision and manage resources in every account. When you share a resource with another account, that account is granted access to the resource, and any policies and permissions in that account apply to the shared resource.
How can I get started with AWS RAM?
You can get started with AWS RAM by creating a resource share using the AWS RAM console, AWS RAM APIs, AWS CLI, or AWS SDKs. You can easily share resources by adding resources to a resource share, choosing a managed permission to associate with each resource type, and specifying whom you want to have access to the resources.
Resource sharing
Can I stop sharing a resource?
Yes, you can stop sharing a resource by removing it from the resource share or by deleting the resource share.
Managed permissions
What are AWS managed permissions and when should I use them?
AWS managed permissions are created and maintained by AWS and grant permissions for many common customer scenarios. Every resource type has a default AWS managed permission. Some resource types provide additional AWS managed permissions from which you can select. For example, when you share the AWS Private Certificate Authority (Private CA) resource type, you can enable specific team members to issue client certificates without granting them the privileges to revoke the certificate. You can then share the same Private CA resource with an administrator using an AWS managed permission with privileges to revoke the certificate. For more information, see AWS managed permissions.
What are customer managed permissions and when should I use them?
Customer managed permissions are permissions that you author and maintain by precisely specifying who can do what under which conditions with resources shared using AWS RAM. For example, when you share Amazon Virtual Private Cloud IP Address Manager (IPAM) pools, which help you manage your IP addresses at scale, you can create and tailor customer managed permissions so that your developers can assign IP addresses but not view the range of IP addresses other developer accounts assign. You can follow the best practice of least privilege, granting only the permissions required to perform tasks on shared resources. For more information, see customer managed permissions.
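An added example (not AWS code) that checks a customer managed permission's policy template against the least-privilege intent of the IPAM scenario above before the permission is created. The template shape (a JSON statement with Effect and Action), the mapping of "assign" and "view" onto the two EC2 IPAM actions, and the sample templates are assumptions made for this illustration.

```python
import json
from fnmatch import fnmatchcase

# Assumed mapping of the FAQ's IPAM scenario onto EC2 IPAM actions.
REQUIRED = {"ec2:AllocateIpamPoolCidr"}      # developers can assign IP addresses
FORBIDDEN = {"ec2:GetIpamPoolAllocations"}   # but not view other accounts' ranges


def _listify(value):
    """Policy JSON allows Action to be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def granted_patterns(template_json):
    """Lower-cased action patterns from the Allow statement(s) of a template."""
    doc = json.loads(template_json)
    statements = doc if isinstance(doc, list) else [doc]
    return [a.lower() for s in statements if s.get("Effect") == "Allow"
            for a in _listify(s.get("Action"))]


def matches(action, patterns):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatchcase(action.lower(), p) for p in patterns)


def review(template_json, required=REQUIRED, forbidden=FORBIDDEN):
    """Return a sorted list of findings; an empty list means the template conforms."""
    patterns = granted_patterns(template_json)
    findings = [f"wildcard action: {p}" for p in patterns if "*" in p or "?" in p]
    findings += [f"grants forbidden action: {a}" for a in forbidden if matches(a, patterns)]
    findings += [f"missing required action: {a}" for a in required if not matches(a, patterns)]
    return sorted(findings)


# Constructed sample templates (not taken from AWS documentation).
TIGHT = json.dumps({"Effect": "Allow", "Action": ["ec2:AllocateIpamPoolCidr"]})
LOOSE = json.dumps({"Effect": "Allow",
                    "Action": ["ec2:AllocateIpamPoolCidr", "ec2:Get*"]})

if __name__ == "__main__":
    for name, template in (("TIGHT", TIGHT), ("LOOSE", LOOSE)):
        print(name, review(template) or "ok")
```

Running the same check in a deployment pipeline catches a broadened template, such as the `ec2:Get*` pattern in the loose sample, before it is attached to a resource share.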
What are managed permissions?
A managed permission defines which actions can be performed, under which conditions, and by which principals for supported resource types in a resource share. You can associate either an AWS managed permission or a customer managed permission with each resource type in a resource share using AWS RAM. For more information, see Using managed permissions with AWS RAM.
Billing
Will I incur any charges for sharing my resources with other AWS accounts?
No. You can share resources at no additional cost.