Q: What is Amazon Resource Access Manager?
A: Amazon Resource Access Manager (RAM) helps you securely share your resources across Amazon Web Services accounts, within your organization or organizational units (OUs) in Amazon Web Services Organizations, and with IAM roles and IAM users for supported resource types. You can use Amazon RAM to share resources with other Amazon Web Services accounts. This eliminates the need to provision and manage resources in every account. When you share a resource with another account, that account is granted access to the resource and any policies and permissions in that account apply to the shared resource.
Q: What types of Amazon Web Services resources can I share by using Amazon RAM?
A: For information about the resource types that you can share by using Amazon RAM, see shareable Amazon Web Services resources in the Amazon Resource Access Manager User Guide.
Q: How can I get started with Amazon RAM?
A: You can get started with Amazon RAM by creating a resource share using the Amazon Web Services RAM console, Amazon RAM APIs, Amazon Web Services CLI, or Amazon Web Services SDKs. You can easily share resources by adding resources to a resource share, choosing a managed permission to associate with each resource type, and specifying whom you want to have access to the resources.
Q: Who can I share resources with?
A: You can share resources with any Amazon Web Services account. If you are part of an organization in Amazon Web Services Organizations and sharing within your organization is enabled, you can also share resources with OUs or your entire organization. For supported resource types, you can also share resources with IAM roles and IAM users. If you share resources with accounts that are outside of your organization, those accounts receive an invitation to join the resource share. After they accept the invitation, they can start using the shared resources.
Q: What is an Amazon RAM managed permission?
A: Amazon RAM managed permissions define what actions can be performed on shared resources. When you create a resource share, you associate a managed permission with each resource type in the resource share. Every resource type has a default managed permission. Some resource types provide additional managed permissions from which you can select. For example, for resource types that support FullAccess (Read and Write access) and ReadOnly managed permissions, when you share the resources with an administrator, you can grant FullAccess to the administrator. You can then share the resources with other team members with the ReadOnly managed permission to follow the security best practice of granting least privilege, or the minimum permissions required for access to shared resources.
Q: How can I view resources that have been shared with my account?
A: You can view resources that are shared with your account in the Amazon RAM console or by using the Amazon RAM APIs, Amazon Web Services CLI, or Amazon Web Services SDKs. The resources that are shared with your account also appear in the respective resource console pages and the respective List/Describe APIs for those resource types. For example, when an Amazon Route 53 Resolver rule is shared with an account, that rule appears on the Resolver page of the Amazon Route53 console along with the other rules owned by that Amazon Web Services account. In addition, if you use the Amazon Route 53 ListResolverRules API action, the shared rule is also returned in the response.
Q: Will I incur any charges for sharing my resources with other Amazon Web Services accounts?
A: No. You can share resources at no additional cost.
Q: How can I control access to resources shared with me?
A: You can specify IAM policies to control access to resources shared with you.
Q: Can I stop sharing a resource?
A: Yes, you can stop sharing a resource by removing it from the resource share or by deleting the resource share.
Q: How can I monitor changes to resource shares?
A: All calls to Amazon RAM APIs are logged in Amazon CloudTrail. In addition, Amazon CloudWatch Events are triggered whenever there are changes to resource shares. For more information, see Logging and monitoring in Amazon RAM, in the Amazon Resource Access Manager User Guide.