Posted On: Apr 25, 2023

Amazon Resource Access Manager (Amazon RAM) now supports customer managed permissions, so you can author and administer fine-grained resource access controls for supported resource types. Amazon RAM helps you securely share your resources across Amazon Web Services accounts, within your organization or organizational units (OUs), and with Amazon Identity and Access Management (IAM) roles and users. With customer managed permissions, you can apply the principle of least privilege: grant only the permissions required to perform a task.

You can now define the granularity of your customer managed permissions by specifying precisely who can do what, under which conditions, for the resource types included in your resource share. For example, as a cloud security admin, you can author tailored customer managed permissions for Amazon Virtual Private Cloud IP Address Manager (IPAM) pools, which help you manage your IP addresses at scale. The network admin can then share the IPAM pools using those tailored permissions, so that developers can allocate IP addresses from a pool but cannot view the ranges that other developer accounts have allocated. For sensitive actions such as viewing the IP address ranges in an IPAM pool, you can add conditions, for example requiring that the action be performed by a principal who authenticated with multi-factor authentication.
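The IPAM scenario above, as an added example that is not code from this announcement or from the Amazon RAM documentation: a POSIX shell script that renders two RAM policy templates for the ec2:IpamPool resource type (one that lets developers allocate and release CIDRs without seeing other accounts' allocations, one that lets auditors read ranges and allocations only from an MFA-authenticated session) and, when run with APPLY=1, creates the permissions and resource shares with the AWS CLI. The EC2 IPAM action names, the resource type string, the permission and share names, and the POOL_ARN / DEV_PRINCIPAL / AUDIT_PRINCIPAL variables are assumptions for illustration, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the AWS announcement. Renders two RAM policy
# templates for IPAM pools and, when APPLY=1, creates them with the AWS CLI.
# Assumptions (not stated on the page): the EC2 IPAM action names, the
# resource type "ec2:IpamPool", and the permission/share names used below.
set -eu

RESOURCE_TYPE="ec2:IpamPool"

# Developers: may allocate and release CIDRs from the shared pool, but get no
# ec2:GetIpamPoolAllocations, so they cannot list what other accounts hold.
# A RAM policy template is a single statement with no Principal or Resource;
# RAM fills those in from the resource share.
render_developer_template() {
  cat <<'EOF'
{
  "Effect": "Allow",
  "Action": [
    "ec2:AllocateIpamPoolCidr",
    "ec2:ReleaseIpamPoolAllocation"
  ]
}
EOF
}

# Auditors: may read the pool's CIDR ranges and allocations, but only from a
# session that authenticated with MFA. "Bool"/"true" in an Allow statement is
# deliberate: aws:MultiFactorAuthPresent is simply absent for non-MFA sessions
# and for long-term access keys, and an absent key never satisfies Bool, so the
# access is denied by default. BoolIfExists would grant the opposite.
render_auditor_template() {
  cat <<'EOF'
{
  "Effect": "Allow",
  "Action": [
    "ec2:GetIpamPoolCidrs",
    "ec2:GetIpamPoolAllocations"
  ],
  "Condition": {
    "Bool": { "aws:MultiFactorAuthPresent": "true" }
  }
}
EOF
}

# Create a customer managed permission and print its ARN.
# $1 = permission name, $2 = name of the template-rendering function.
create_permission() {
  name="$1"; renderer="$2"
  aws ram create-permission \
    --name "$name" \
    --resource-type "$RESOURCE_TYPE" \
    --policy-template "$("$renderer")" \
    --query 'permission.arn' --output text
}

# A resource share carries one permission per resource type, so each audience
# gets its own share. $1 = share name, $2 = permission ARN, $3 = IPAM pool ARN,
# $4 = principal (account ID, OU ARN or IAM role ARN).
create_share() {
  aws ram create-resource-share \
    --name "$1" \
    --permission-arns "$2" \
    --resource-arns "$3" \
    --principals "$4" \
    --query 'resourceShare.resourceShareArn' --output text
}

if [ "${APPLY:-0}" = "1" ]; then
  # POOL_ARN, DEV_PRINCIPAL and AUDIT_PRINCIPAL must be exported by the caller.
  dev_perm=$(create_permission DevAllocateOnly render_developer_template)
  audit_perm=$(create_permission AuditViewWithMfa render_auditor_template)
  create_share ipam-pool-developers "$dev_perm" "$POOL_ARN" "$DEV_PRINCIPAL"
  create_share ipam-pool-auditors "$audit_perm" "$POOL_ARN" "$AUDIT_PRINCIPAL"
else
  # Dry run: show the templates that would be submitted.
  render_developer_template
  render_auditor_template
fi
```

Run it without arguments to review the two templates; export POOL_ARN, DEV_PRINCIPAL and AUDIT_PRINCIPAL and run with APPLY=1 to create the permissions and shares. The split into two permissions is the point: RAM associates only one managed permission per resource type with a resource share, so "developers allocate, auditors view with MFA" is expressed as two permissions on two shares rather than one permission with mixed conditions.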

Customer managed permissions are now available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. 

To learn more about customer managed permissions, see the Amazon RAM User Guide. To get started with sharing resources through Amazon RAM, visit the Amazon RAM Console.