Configure fine-grained access to your resources shared using Amazon Web Services Resource Access Manager
You can use
When you share your resources by using Amazon Web Services RAM, you can specify the actions that an account can perform and the access conditions on the shared resource. Amazon Web Services RAM provides
This blog post walks you through how to use customer managed permissions to tailor your resource access to meet your business and security needs. Customer managed permissions help you follow the
Considerations
Before you start, review the
Solution overview
Many Amazon Web Services customers share infrastructure services to accounts in an organization from a
You’ll use a networking account that owns an IPAM pool to share the pool with the accounts in a Development OU. You’ll do this by creating a resource share and a customer managed permission through Amazon Web Services RAM. In this example, shown in Figure 1, both the networking account and the Development OU are in the same organization. The accounts in the Development OU only need the permissions that are required to allocate a classless inter-domain routing (CIDR) range and not to view the IPAM pool details. You’ll further refine access to the shared IPAM pool so that only
Prerequisites
For this walkthrough, you must have the following prerequisites:
- An Amazon Web Services account (the networking account) with an IPAM pool already provisioned. For this example, create an IPAM pool in the networking account named ipam-vpc-pool-use1-dev. Because Amazon Web Services RAM shares resources across accounts within a single Amazon Web Services Region, provision the IPAM pool in the same Region where your development accounts will access it.
- An Amazon Web Services OU with the associated development accounts to share the IPAM pool with. In this example, these accounts are in your Development OU.
- An IAM role or user with permissions to perform IPAM and Amazon Web Services RAM operations in the networking account and the development accounts.
Share your IPAM pool with your Development OU with least privilege permissions
In this section, you share an IPAM pool from your networking account to the accounts in your Development OU and grant least-privilege permissions. To do that, you create a resource share that contains your IPAM pool, your customer managed permission for the IPAM pool, and the OU principal you want to share the IPAM pool with. A resource share contains resources you want to share, the principals you want to share the resources with, and the managed permissions that grant resource access to the account receiving the resources. You can add the IPAM pool to an existing resource share, or you can create a new resource share. Depending on your workflow, you can start creating a resource share either in the Amazon VPC IPAM or in the Amazon Web Services RAM console.
To initiate a new resource share from the Amazon VPC IPAM console
- Sign in to the Amazon Web Services Management Console as your networking account. For Features, select Amazon VPC IP Address Manager console.
- Select ipam-vpc-pool-use1-dev, which was provisioned as part of the prerequisites.
- On the IPAM pool detail page, choose the Resource sharing tab.
- Choose Create resource share.
Alternatively, you can initiate a new resource share from the Amazon Web Services RAM console.
To initiate a new resource share from the Amazon Web Services RAM console
- Sign in to the Amazon Web Services Management Console as your networking account. For Services, select Resource Access Manager console.
- Choose Create resource share.
Next, specify the resource share details, including the name, the resource type, and the specific resource you want to share. Note that the steps of the resource share creation process are located on the left side of the Amazon Web Services RAM console.
To specify the resource share details
- For Name, enter ipam-shared-dev-pool.
- For Select resource type, choose IPAM pools.
- For Resources, select the Amazon Resource Name (ARN) of the IPAM pool you want to share from the list of IPAM pool ARNs you own.
- Choose Next.
Configure customer managed permissions
In this example, the accounts in the Development OU need the permissions required to allocate a CIDR range, but not the permissions to view the IPAM pool details. The existing Amazon Web Services managed permission grants both read and write permissions. Therefore, you need to create a customer managed permission to refine the resource access permissions for your accounts in the Development OU. With a customer managed permission, you can select and tailor the actions that the development accounts can perform on the IPAM pool, such as write-only actions.
In this section, you create a customer managed permission, configure the managed permission name, select the resource type, and choose the actions that are allowed with the shared resource.
To create and author a customer managed permission
- On the Associate managed permissions page, choose Create customer managed permission. This opens a new browser tab with a Create a customer managed permission page.
- On the Create a customer managed permission page, enter my-ipam-cmp for the Customer managed permission name.
- Confirm that the Resource type is ec2:IpamPool.
- On the Visual editor tab of the Policy template section, select the Write checkbox only. This automatically checks all the available write actions.
- Choose Create customer managed permission.
Now that you’ve created your customer managed permission, you must associate it to your resource share.
To associate your customer managed permission
- Go back to the previous Associate managed permissions page. This is most likely located in a separate browser tab.
- Choose the refresh icon.
- Select my-ipam-cmp from the dropdown menu.
- Review the policy template, and then choose Next.
Next, select the IAM roles, IAM users, Amazon Web Services accounts, Amazon Web Services OUs, or organization you want to share your IPAM pool with. In this example, you share the IPAM pool with an OU in your organization.
To grant access to principals
- On the Grant access to principals page, select Allow sharing only with your organization.
- For Select principal type, choose Organizational unit (OU).
- Enter the Development OU's ID.
- Select Add, and then choose Next.
- Choose Create resource share to complete creation of your resource share.
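The same networking-account steps, done with boto3 instead of the console, together with the two checks from the verification section that follows. This is an added example, not code from the original post. It assumes boto3 is installed, that the pool lives in us-east-1 (the "use1" in its name), and that IPAM_POOL_WRITE_ACTIONS is the set of actions the Amazon Web Services RAM console selects when you tick Write for ec2:IpamPool; compare it with the console's list before you rely on it.

```python
"""Added example (not code from the post): create the write-only customer
managed permission my-ipam-cmp and the resource share ipam-shared-dev-pool
from the networking account, then run the two checks from a development
account.

Assumptions: boto3 is installed; the pool is in us-east-1; the action list
below is what the RAM console's "Write" checkbox selects for ec2:IpamPool.
"""
import json

IPAM_POOL_WRITE_ACTIONS = [
    "ec2:AllocateIpamPoolCidr",       # what create-vpc needs from the pool
    "ec2:ReleaseIpamPoolAllocation",  # hand a CIDR back to the pool
]


def build_policy_statement(actions, condition=None):
    """A RAM policy template carries only Effect, Action and, optionally,
    Condition. RAM adds Principal and Resource itself when it attaches the
    permission to a share, so no Resource element belongs here."""
    statement = {"Effect": "Allow", "Action": sorted(set(actions))}
    if condition:
        statement["Condition"] = condition
    return statement


def build_resource_share_request(share_name, pool_arn, ou_arn, permission_arn):
    """Parameters for ram.create_resource_share. allowExternalPrincipals=False
    is the API form of the console's "Allow sharing only with your
    organization". The OU principal is its ARN:
    arn:aws:organizations::<mgmt-account-id>:ou/o-xxxx/ou-xxxx-xxxxxxxx."""
    return {
        "name": share_name,
        "resourceArns": [pool_arn],
        "principals": [ou_arn],
        "permissionArns": [permission_arn],
        "allowExternalPrincipals": False,
    }


def create_permission_and_share(ram, pool_arn, ou_arn):
    """Run with networking-account credentials. Returns (permission ARN, share ARN)."""
    created = ram.create_permission(
        name="my-ipam-cmp",
        resourceType="ec2:IpamPool",
        policyTemplate=json.dumps(build_policy_statement(IPAM_POOL_WRITE_ACTIONS)),
    )
    permission_arn = created["permission"]["arn"]
    share = ram.create_resource_share(
        **build_resource_share_request("ipam-shared-dev-pool", pool_arn, ou_arn, permission_arn)
    )
    return permission_arn, share["resourceShare"]["resourceShareArn"]


def pool_details_hidden(ec2, pool_id):
    """Check 1, run with development-account credentials: with no read action
    in the permission the pool details must not be readable. Treat an
    access-denied error or an empty answer as hidden."""
    from botocore.exceptions import ClientError

    try:
        pools = ec2.describe_ipam_pools(IpamPoolIds=[pool_id])["IpamPools"]
    except ClientError as err:
        return err.response["Error"]["Code"] in ("UnauthorizedOperation", "AccessDeniedException")
    return len(pools) == 0


def create_vpc_from_pool(ec2, pool_id, netmask_length=24):
    """Check 2, run with development-account credentials: let IPAM pick a /24
    from the shared pool (the console's "IPAM-allocated IPv4 CIDR block").
    Returns (VPC ID, the CIDR IPAM allocated)."""
    vpc = ec2.create_vpc(
        Ipv4IpamPoolId=pool_id,
        Ipv4NetmaskLength=netmask_length,
        TagSpecifications=[{"ResourceType": "vpc",
                            "Tags": [{"Key": "Name", "Value": "my-dev-vpc"}]}],
    )["Vpc"]
    return vpc["VpcId"], vpc["CidrBlock"]


if __name__ == "__main__":
    # python share_ipam_pool.py share <pool-arn> <ou-arn>   (networking account)
    # python share_ipam_pool.py verify <pool-id>            (development account)
    import sys
    import boto3

    region = "us-east-1"
    if sys.argv[1] == "share":
        ram = boto3.client("ram", region_name=region)
        print(create_permission_and_share(ram, sys.argv[2], sys.argv[3]))
    else:
        ec2 = boto3.client("ec2", region_name=region)
        print("pool details hidden:", pool_details_hidden(ec2, sys.argv[2]))
        print("vpc created:", create_vpc_from_pool(ec2, sys.argv[2]))
```

Run the share mode with networking-account credentials and the verify mode with credentials from an account in the Development OU; the pool ID for the verify mode is the one the networking account sees on the pool detail page.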
Verify the customer managed permissions
Now let’s verify that the customer managed permission is working as expected. In this section, you verify that the development account cannot view the details of the IPAM pool and that you can use that same account to create a VPC with the IPAM pool.
To verify that an account in your Development OU can’t view the IPAM pool details
- Sign in to the Amazon Web Services Management Console as an account in your Development OU. For Features, select Amazon VPC IP Address Manager console.
- In the left navigation pane, choose Pools.
- Select the pool shared from the networking account (ipam-vpc-pool-use1-dev in this example). Because my-ipam-cmp grants only write actions, you won't be able to view the IPAM pool details.
To verify that an account in your Development OU can create a new VPC with the IPAM pool
- Sign in to the Amazon Web Services Management Console as an account in your Development OU. For Services, select VPC console.
- On the VPC dashboard, choose Create VPC.
- On the Create VPC page, select VPC only.
- For Name, enter my-dev-vpc.
- Select IPAM-allocated IPv4 CIDR block.
- Choose the ARN of the IPAM pool that's shared with your development account.
- For Netmask, select /24 (256 IPs).
- Choose Create VPC. You've successfully created a VPC with the IPAM pool shared with your account in your Development OU.
Update customer managed permissions
You can create a new version of your customer managed permission to rescope and update the access granularity of your resources that are shared using Amazon Web Services RAM. For example, you can add a condition to your customer managed permission so that only IAM users or roles tagged with a particular principal tag can perform the allowed actions on the shared resources. If you need to update your customer managed permission, for example after testing or as your business and security needs evolve, create and save a new version of the same customer managed permission rather than creating an entirely new customer managed permission. You might, for instance, narrow your development accounts to read-only actions while rescoping your testing accounts to read-write actions. The new version of the permission won't apply automatically to your existing resource shares; you must explicitly apply it to those shares for it to take effect.
To create a version of your customer managed permission
- Sign in to the Amazon Web Services Management Console as your networking account. For Services, select Resource Access Manager console.
- In the left navigation pane, choose Managed permissions library.
- For Filter by text, enter my-ipam-cmp and select my-ipam-cmp. You can also open the Any type dropdown menu and select Customer managed to narrow the list to only your customer managed permissions.
- On the my-ipam-cmp page, choose Create version.
- You can make the customer managed permission more fine-grained by adding a condition. On the Create a customer managed permission for my-ipam-cmp page, under the Policy template section, choose JSON editor.
- Add a condition with aws:PrincipalTag that allows only the users or roles tagged with team = networking to access the shared IPAM pool:

```json
"Condition": {
  "StringEquals": {
    "aws:PrincipalTag/team": "networking"
  }
}
```

- Choose Create version. The new version is automatically set as the default version of your customer managed permission. As a result, new resource shares that use the customer managed permission will use the new version.
Note: Now that you have the new version of your customer managed permission, you must explicitly apply it to your existing resource shares for it to take effect.
To apply the new version of the customer managed permission to existing resource shares
- On the my-ipam-cmp page, under Managed permission versions, select Version 1.
- Choose the Associated resource shares tab.
- Find ipam-shared-dev-pool and, next to the current version number, select Update to default version. This updates your ipam-shared-dev-pool resource share to the new version of your my-ipam-cmp customer managed permission.
To verify your updated customer managed permission, see the Verify the customer managed permissions section earlier in this post. Make sure that you sign in with an IAM role or user tagged with team = networking, and then repeat the steps of that section. If you use an IAM role or user that is not tagged with team = networking, you won't be able to allocate a CIDR from the IPAM pool and you won't be able to create the VPC.
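The versioning procedure above and the tagged-versus-untagged verification, as an added example that is not code from the original post. The live part publishes version 2 of my-ipam-cmp and moves the existing share onto it with boto3; the offline part is a small model of how IAM evaluates the StringEquals condition, so that the outcome for tagged and untagged principals is visible before you touch an account. Assumptions: IPAM_POOL_WRITE_ACTIONS is the Amazon Web Services RAM console's Write set for ec2:IpamPool (confirm it in the console), boto3 is installed, and the principals in preview() are constructed for illustration.

```python
"""Added example (not code from the post): publish version 2 of my-ipam-cmp
(write actions plus the aws:PrincipalTag/team condition), apply it to the
existing share, and model the condition's evaluation offline.

Assumptions: the action list is what the RAM console's "Write" checkbox
selects for ec2:IpamPool; boto3 is installed for publish_and_apply().
"""
import json

IPAM_POOL_WRITE_ACTIONS = ["ec2:AllocateIpamPoolCidr", "ec2:ReleaseIpamPoolAllocation"]


def principal_tag_condition(tag_key, tag_value):
    """The Condition block from the walkthrough, parameterised."""
    return {"StringEquals": {f"aws:PrincipalTag/{tag_key}": tag_value}}


def build_policy_statement(actions, condition=None):
    statement = {"Effect": "Allow", "Action": sorted(set(actions))}
    if condition:
        statement["Condition"] = condition
    return statement


def condition_holds(condition, request_context):
    """Model of IAM's StringEquals: every key must be present in the request
    context and equal the expected value. A principal with no 'team' tag has
    no aws:PrincipalTag/team key in its context at all, so the condition is
    simply false; IAM does not error, it denies."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if key not in request_context or request_context[key] != expected:
                return False
    return True


def is_allowed(statement, action, principal_tags):
    """Decide one request against one Allow statement. Anything the statement
    does not grant is denied, which is IAM's default."""
    if action not in statement["Action"]:
        return False
    context = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    return condition_holds(statement.get("Condition", {}), context)


def preview(statement, action="ec2:AllocateIpamPoolCidr"):
    """Offline dry run of the new version against constructed principals."""
    cases = {
        "role tagged team=networking": {"team": "networking"},
        "role tagged team=platform": {"team": "platform"},
        "role with no tags": {},
    }
    return {name: is_allowed(statement, action, tags) for name, tags in cases.items()}


def publish_and_apply(ram, permission_arn, resource_share_arn, statement):
    """Run with networking-account credentials. RAM makes the new version the
    default, but an existing share stays on its old version until you move it;
    the second call is the console's "Update to default version" click."""
    created = ram.create_permission_version(
        permissionArn=permission_arn, policyTemplate=json.dumps(statement)
    )
    version = int(created["permission"]["version"])
    ram.associate_resource_share_permission(
        resourceShareArn=resource_share_arn,
        permissionArn=permission_arn,
        permissionVersion=version,
        replace=True,
    )
    return version


if __name__ == "__main__":
    # python update_ipam_cmp.py                                   (offline preview only)
    # python update_ipam_cmp.py <permission-arn> <resource-share-arn>
    import sys

    v2 = build_policy_statement(IPAM_POOL_WRITE_ACTIONS, principal_tag_condition("team", "networking"))
    print(json.dumps(preview(v2), indent=2))
    if len(sys.argv) == 3:
        import boto3

        ram = boto3.client("ram", region_name="us-east-1")  # assumption: pool Region
        print("share now on version", publish_and_apply(ram, sys.argv[1], sys.argv[2], v2))
```

One caveat the model makes obvious: aws:PrincipalTag is read from the IAM principal in the consuming (development) account, which the networking account does not administer, so the condition is only as strong as the controls on who may tag principals in those accounts.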
Cleanup
To remove the resources created by the preceding example:
- In the development account, delete my-dev-vpc so that its CIDR allocation is released back to the pool.
- Delete the resource share from the Amazon Web Services RAM console.
- Deprovision the CIDR from the IPAM pool.
- Delete the IPAM pool you created.
Summary
This blog post presented an example of using customer managed permissions in Amazon Web Services RAM. Amazon Web Services RAM brings simplicity, consistency, and confidence when sharing your resources across accounts. In the example, you used Amazon Web Services RAM to share an IPAM pool to accounts in a Development OU, configured fine-grained resource access controls, and followed the best practice of least privilege by granting only the permissions required for the accounts in the Development OU to perform a specific task with the shared IPAM pool. In the example, you also created a new version of your customer managed permission to rescope the access granularity of your resources that are shared using Amazon Web Services RAM.
To learn more about Amazon Web Services RAM and customer managed permissions, see the