# Identity and access management for AWS Resource Access Manager
<a name="security-iam"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. Administrators in IAM control who can be *authenticated* (signed in) and *authorized* (have permissions) to use AWS resources. By using IAM, you create principals, such as roles, users, and groups in your AWS account. You control the permissions that those principals have to perform tasks using AWS resources. You can use IAM for no additional charge. For more information about managing and creating custom IAM policies, see [Managing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html) in the *IAM User Guide*.

**Topics**
+ [How AWS RAM works with IAM](security-iam-policies.md)
+ [AWS managed policies for AWS Resource Access Manager](security-iam-awsmanpol.md)
+ [Using service-linked roles for AWS RAM](using-service-linked-roles.md)
+ [Example IAM policies for AWS RAM](security-iam-policies-examples.md)
+ [Example service control policies for AWS Organizations and AWS RAM](security-scp.md)
+ [Disabling resource sharing with AWS Organizations](security-disable-sharing-with-orgs.md)

# How AWS RAM works with IAM
<a name="security-iam-policies"></a>

By default, IAM principals don't have permission to create or modify AWS RAM resources. To allow IAM principals to create or modify resources and perform tasks, you perform one of the following steps. These actions grant permission to use specific resources and API actions. 

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

AWS RAM provides several AWS managed policies that you can use that will address the needs of many users. For more information about these, see [AWS managed policies for AWS Resource Access Manager](security-iam-awsmanpol.md).

If you need finer control over the permissions you grant to your users, you can construct your own policies in the IAM console. For information about creating policies and attaching them to your IAM roles and users, see [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *AWS Identity and Access Management User Guide*.

The following sections provide the AWS RAM specific details for building an IAM permission policy.

**Contents**
+ [Policy structure](#structure)
  + [Effect](#iam-policies-effect)
  + [Action](#iam-policies-action)
  + [Resource](#iam-policies-resource)
  + [Condition](#iam-policies-condition)

## Policy structure
<a name="structure"></a>

An IAM permission policy is a JSON document that includes the following statements: Effect, Action, Resource, and Condition. An IAM policy typically takes the following form.

```
{
    "Statement":[{
        "Effect":"<effect>",
        "Action":"<action>",
        "Resource":"<arn>",
        "Condition":{
            "<comparison-operator>":{
                "<key>":"<value>"
            }
        }
    }]
}
```

### Effect
<a name="iam-policies-effect"></a>

The *Effect* statement indicates whether the policy allows or denies a principal permission to perform an action. The possible values include: `Allow` and `Deny`.

### Action
<a name="iam-policies-action"></a>

The *Action* statement specifies the AWS RAM API actions for which the policy is allowing or denying permission. For a complete list of the allowed actions, see [Actions defined by AWS Resource Access Manager](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsresourceaccessmanager.html#awsresourceaccessmanager-actions-as-permissions) in the *IAM User Guide*.

### Resource
<a name="iam-policies-resource"></a>

The *Resource* statement specifies the AWS RAM resources that are affected by the policy. To specify a resource in the statement, you need to use its unique Amazon Resource Name (ARN). For a complete list of the allowed resources, see [Resources defined by AWS Resource Access Manager](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsresourceaccessmanager.html#awsresourceaccessmanager-resources-for-iam-policies) in the *IAM User Guide*.

### Condition
<a name="iam-policies-condition"></a>

*Condition* statements are optional. They can be used to further refine the conditions under which the policy applies. AWS RAM supports the following condition keys:
+ `aws:RequestTag/${TagKey}` – Tests whether the service request includes a tag with the specified tag key and whether that tag has the specified value.
+ `aws:ResourceTag/${TagKey}` – Tests whether the resource acted on by the service request has an attached tag with a tag key that you specify in the policy.

  The following example condition checks that the resource referenced in the service request has an attached tag with the key name "Owner" and a value of "Dev Team".

  ```
  "Condition" : { 
      "StringEquals" : {
          "aws:ResourceTag/Owner" : "Dev Team" 
      } 
  }
  ```
+ `aws:TagKeys` – Specifies the tag keys that must be used to create or tag a resource share.
+ `ram:AllowsExternalPrincipals` – Tests whether the resource share in the service request allows sharing with external principals. An external principal is an AWS account outside of your organization in AWS Organizations. If this evaluates to `False`, then you can share this resource share with accounts only in the same organization.
+ `ram:PermissionArn` – Tests whether the permission ARN specified in the service request matches an ARN string that you specify in the policy.
+ `ram:PermissionResourceType` – Tests whether the permission specified in the service request is valid for the resource type that you specify in the policy. Specify resource types using the format shown in the list of [shareable resource types](shareable.md).
+ `ram:Principal` – Tests whether the ARN of the principal specified in the service request matches an ARN string that you specify in the policy.
+ `ram:RequestedAllowsExternalPrincipals` – Tests whether the service request includes the `allowExternalPrincipals` parameter and whether its argument matches the value you specify in the policy.
+ `ram:RequestedResourceType` – Tests whether the resource type of the resource being acted on matches a resource type string that you specify in the policy. Specify resource types using the format shown in the list of [shareable resource types](shareable.md).
+ `ram:ResourceArn` – Tests whether the ARN of the resource being acted upon by the service request matches an ARN that you specify in the policy.
+ `ram:ResourceShareName` – Tests whether the name of the resource share being acted upon by the service request matches a string that you specify in the policy.
+ `ram:ShareOwnerAccountId` – Tests whether the account ID of the resource share being acted upon by the service request matches a string that you specify in the policy.

# AWS managed policies for AWS Resource Access Manager
<a name="security-iam-awsmanpol"></a>

AWS Resource Access Manager currently provides several AWS RAM managed policies, which are described in this topic.

**Topics**
+ [AWSResourceAccessManagerReadOnlyAccess](#security-iam-managed-policies-AWSResourceAccessManagerReadOnlyAccess)
+ [AWSResourceAccessManagerFullAccess](#security-iam-managed-policies-AWSResourceAccessManagerFullAccess)
+ [AWSResourceAccessManagerResourceShareParticipantAccess](#security-iam-managed-policies-AWSResourceAccessManagerResourceShareParticipantAccess)
+ [AWSResourceAccessManagerServiceRolePolicy](#security-iam-managed-policies-AWSResourceAccessManagerServiceRolePolicy)
+ [Policy updates](#security-iam-awsmanpol-updates)

In the preceding list, you can attach the first three policies to your IAM roles, groups, and users to grant permissions. The last policy in the list is reserved for the AWS RAM service's service-linked role.

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## AWS managed policy: AWSResourceAccessManagerReadOnlyAccess
<a name="security-iam-managed-policies-AWSResourceAccessManagerReadOnlyAccess"></a>

You can attach the `AWSResourceAccessManagerReadOnlyAccess` policy to your IAM identities.

This policy provides read-only permissions to the resource shares that are owned by your AWS account.

It does this by granting permission to run any of the `Get*` or `List*` operations. It doesn't provide any ability to modify any resource share.

**Permissions details**  
This policy includes the following permissions.
+ `ram` – Allows principals to view details about resource shares owned by the account.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Action": [
                "ram:Get*",
                "ram:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AWSResourceAccessManagerFullAccess
<a name="security-iam-managed-policies-AWSResourceAccessManagerFullAccess"></a>

You can attach the `AWSResourceAccessManagerFullAccess` policy to your IAM identities.

This policy provides full administrative access to view or modify the resource shares that are owned by your AWS account.

It does this by granting permission to run any `ram` operations.

**Permissions details**  
This policy includes the following permissions.
+ `ram` – Allows principals to view or modify any information about the resource shares that are owned by the AWS account.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Action": [
                "ram:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AWSResourceAccessManagerResourceShareParticipantAccess
<a name="security-iam-managed-policies-AWSResourceAccessManagerResourceShareParticipantAccess"></a>

You can attach the `AWSResourceAccessManagerResourceShareParticipantAccess` policy to your IAM identities.

This policy provides principals the ability to accept or reject resource shares that are shared with this AWS account, and to view details about these resource shares. It doesn't provide any ability to modify those resource shares.

It does this by granting permission to run some `ram` operations.

**Permissions details**  
This policy includes the following permissions.
+ `ram` – Allows principals to accept or reject resource share invitations and to view details about the resource shares that are shared with the account.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Action": [
                "ram:AcceptResourceShareInvitation",
                "ram:GetResourcePolicies",
                "ram:GetResourceShareInvitations",
                "ram:GetResourceShares",
                "ram:ListPendingInvitationResources",
                "ram:ListPrincipals",
                "ram:ListResources",
                "ram:RejectResourceShareInvitation"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

## AWS managed policy: AWSResourceAccessManagerServiceRolePolicy
<a name="security-iam-managed-policies-AWSResourceAccessManagerServiceRolePolicy"></a>

The AWS managed policy `AWSResourceAccessManagerServiceRolePolicy` can be used only with the service-linked role for AWS RAM. You can't attach, detach, modify, or delete this policy.

This policy provides AWS RAM with read-only access to your organization's structure. When you enable integration between AWS RAM and AWS Organizations, AWS RAM automatically creates a service-linked role named [AWSServiceRoleForResourceAccessManager](https://console.aws.amazon.com/iam/home#/roles/AWSServiceRoleForResourceAccessManager) that the service assumes when it needs to look up information about your organization and its accounts, for example, when you view the organization's structure in the AWS RAM console.

It does this by granting read-only permission to run the `organizations:Describe` and `organizations:List` operations that provide details of the organization's structure and accounts.

**Permissions details**  
This policy includes the following permissions.
+ `organizations` – Allows principals to view information about the organization's structure, including the organizational units, and the AWS accounts they contain.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListChildren",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListParents",
                "organizations:ListRoots"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowDeletionOfServiceLinkedRoleForResourceAccessManager",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/ram.amazonaws.com/*"
            ]
        }
    ]
}
```

------

## AWS RAM updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for AWS RAM since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS RAM Document history page.


| Change | Description | Date | 
| --- | --- | --- | 
|  AWS Resource Access Manager started tracking changes  |  AWS RAM documented its existing managed policies and started tracking changes.  | September 16, 2021 | 

# Using service-linked roles for AWS RAM
<a name="using-service-linked-roles"></a>

AWS Resource Access Manager uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to the AWS RAM service. Service-linked roles are predefined by AWS and include all the permissions that AWS RAM needs to call other AWS services on your behalf.

A service-linked role makes configuring AWS RAM easier because you don’t have to manually add the necessary permissions. AWS RAM defines the permissions of its service-linked roles, and unless defined otherwise, only AWS RAM can assume its service-linked roles. The defined permissions include both a trust policy and a permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-Linked Role Permissions for AWS RAM
<a name="slr-permissions"></a>

AWS RAM uses the service-linked role named `AWSServiceRoleForResourceAccessManager` when you enable sharing with AWS Organizations. This role grants permissions to the AWS RAM service to view organization details, such as the list of member accounts and which organizational units each account is in. 

This service-linked role trusts the following service to assume the role:
+ `ram.amazonaws.com`

The role permissions policy named AWSResourceAccessManagerServiceRolePolicy is attached to this service-linked role, and allows AWS RAM to complete the following actions on the specified resources:
+ Actions: read-only actions that retrieve details about your organization's structure. For the complete list of actions, you can view the policy in the IAM console: [AWSResourceAccessManagerServiceRolePolicy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/aws-service-role/AWSResourceAccessManagerServiceRolePolicy$jsonEditor).

For a principal to turn on AWS RAM sharing within your organization, that principal (an IAM entity such as a user, group, or role), must have permission to create a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a Service-Linked Role for AWS RAM
<a name="create-slr"></a>

You don't need to manually create a service-linked role. When you turn on AWS RAM sharing within your organization in the AWS Management Console, or run the [EnableSharingWithAwsOrganization](https://docs.aws.amazon.com/ram/latest/APIReference/API_EnableSharingWithAwsOrganization.html) operation in your account using the AWS CLI or an AWS API, AWS RAM creates the service-linked role for you.

Call `enable-sharing-with-aws-organizations` to create the service-linked role in your account.

If you delete this service-linked role, then AWS RAM no longer has permissions to view the details of your organization's structure.

## Editing a service-linked role for AWS RAM
<a name="edit-slr"></a>

AWS RAM does not allow you to edit the `AWSServiceRoleForResourceAccessManager` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a Service-Linked Role for AWS RAM
<a name="delete-slr"></a>

You can use the IAM console, the AWS CLI or the AWS API to manually delete the service-linked role.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the `AWSServiceRoleForResourceAccessManager` service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for AWS RAM Service-Linked Roles
<a name="slr-regions"></a>

AWS RAM supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*.

# Example IAM policies for AWS RAM
<a name="security-iam-policies-examples"></a>

This topic includes examples of IAM policies for AWS RAM that demonstrate sharing specific resources and resource types and restricting sharing.

**Topics**
+ [Allow sharing of specific resources](#owner-share-specific-resources)
+ [Allow sharing of specific resource types](#owner-share-resource-types)
+ [Restrict sharing with external AWS accounts](#control-access-owner-external)

## Example 1: Allow sharing of specific resources
<a name="owner-share-specific-resources"></a>

You can use an IAM permission policy to restrict principals to associating only specific resources with resource shares.

For example, the following policy limits principals to sharing only the resolver rule with the specified Amazon Resource Name (ARN). The `StringEqualsIfExists` operator allows a request either when the request doesn't include a `ResourceArn` parameter, or when it does include that parameter and its value exactly matches the specified ARN.

 For more information about when and why to use `...IfExists` operators, see [...IfExists condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_IfExists) in the *IAM User Guide*.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ram:CreateResourceShare", "ram:AssociateResourceShare"],
        "Resource": "*",
        "Condition": {
            "StringEqualsIfExists": {
                "ram:ResourceArn": "arn:aws:route53resolver:us-west-2:123456789012:resolver-rule/rslvr-rr-5328a0899aexample"
            }
        }
    }]
}
```

------

## Example 2: Allow sharing of specific resource types
<a name="owner-share-resource-types"></a>

You can use an IAM policy to limit principals to associating only specific resource types with resource shares.

The `AssociateResourceShare` and `CreateResourceShare` actions can accept principals and `resourceArns` as independent input parameters. AWS RAM therefore authorizes each principal and each resource independently, so a single call can produce multiple [request contexts](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic_policy-eval-reqcontext.html). This means that when a principal is being associated with an AWS RAM resource share, the `ram:RequestedResourceType` condition key is not present in the request context. Similarly, when a resource is being associated with an AWS RAM resource share, the `ram:Principal` condition key is not present in the request context. Therefore, to allow `AssociateResourceShare` and `CreateResourceShare` when associating principals with the AWS RAM resource share, you can use the [`Null` condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Null).

For example, the following policy limits principals to sharing only Amazon Route 53 resolver rules and allows them to associate any principal to that share.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlySpecificResourceType",
        "Effect": "Allow",
        "Action": ["ram:CreateResourceShare", "ram:AssociateResourceShare"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ram:RequestedResourceType": "route53resolver:ResolverRule"
            }
        }
    },
    {
        "Sid": "AllowAssociatingPrincipals",
        "Effect": "Allow",
        "Action": ["ram:CreateResourceShare", "ram:AssociateResourceShare"],
        "Resource": "*",
        "Condition": {
            "Null": {
                "ram:Principal": "false"
            }
        }
    }
    ]
}
```

------

## Example 3: Restrict sharing with external AWS accounts
<a name="control-access-owner-external"></a>

You can use an IAM policy to prevent principals from sharing resources with AWS accounts that are outside of their AWS organization.

For example, the following IAM policy prevents principals from adding external AWS accounts to resource shares.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ram:CreateResourceShare",
        "Resource": "*",
        "Condition": {
            "Bool": {
                "ram:RequestedAllowsExternalPrincipals": "false"
            }
        }
    }]
}
```

------

# Example service control policies for AWS Organizations and AWS RAM
<a name="security-scp"></a>

AWS RAM supports service control policies (SCPs). SCPs are policies that you attach to elements in an organization to manage permissions within that organization. An SCP applies to all AWS accounts [under the element to which you attach the SCP](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html). SCPs offer central control over the maximum available permissions for all accounts in your organization. They can help you to ensure your AWS accounts stay within your organization’s access control guidelines. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_type-auth.html) in the *AWS Organizations User Guide*.

## Prerequisites
<a name="scp-prereqs"></a>

To use SCPs, you must first do the following:
+ Enable all features in your organization. For more information, see [Enabling all features in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html) in the *AWS Organizations User Guide*.
+ Enable SCPs for use within your organization. For more information, see [Enabling and disabling policy types](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html) in the *AWS Organizations User Guide*.
+ Create the SCPs that you need. For more information about creating SCPs, see [Creating and updating SCPs](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp-create.html) in the *AWS Organizations User Guide*.

## Example Service Control Policies
<a name="scp-examples"></a>

**Contents**
+ [Example 1: Prevent external sharing](#example-one)
+ [Example 2: Prevent users from accepting resource share invitations from external accounts outside your organization](#example-two)
+ [Example 3: Allow specific accounts to share specific resource types](#example-three)
+ [Example 4: Prevent sharing with the entire organization or with organizational units](#example-four)
+ [Example 5: Allow sharing with only specific principals](#example-five)
+ [Example 6: Prevent resource shares with RetainSharingOnAccountLeaveOrganization enabled](#example-six)

The following examples show how you can control various aspects of resource sharing in an organization.

### Example 1: Prevent external sharing
<a name="example-one"></a>

The following SCP prevents users from creating resource shares that allow sharing with principals that are outside of the sharing user's organization.

AWS RAM authorizes APIs separately for each principal and resource listed in the call.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ram:CreateResourceShare",
                "ram:UpdateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ram:RequestedAllowsExternalPrincipals": "true"
                }
            }
        }
    ]
}
```

------

### Example 2: Prevent users from accepting resource share invitations from external accounts outside your organization
<a name="example-two"></a>

The following SCP blocks any principal in an affected account from accepting an invitation to use a resource share. Resource shares that are shared to other accounts in the same organization as the sharing account don't generate invitations and are therefore not affected by this SCP.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ram:AcceptResourceShareInvitation",
            "Resource": "*"
        }
    ]
}
```

------

### Example 3: Allow specific accounts to share specific resource types
<a name="example-three"></a>

The following SCP allows *only* accounts `111111111111` and `222222222222` to create new resource shares that share Amazon EC2 prefix lists or to associate prefix lists with existing resource shares.

AWS RAM authorizes APIs separately for each principal and resource listed in the call.

The `StringEqualsIfExists` condition is satisfied either when the request doesn't include a resource type parameter, or when it does include that parameter and its value exactly matches the specified resource type. Because the resource type key is absent from the request context while a principal is being associated, you must use the `...IfExists` form if the request includes a principal.

For more information about when and why to use `...IfExists` operators, see [...IfExists condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_IfExists) in the *IAM User Guide*.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ram:AssociateResourceShare",
                "ram:CreateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalAccount": [
                        "111111111111",
                        "222222222222"
                    ]
                },
                "StringEqualsIfExists": {
                    "ram:RequestedResourceType": "ec2:PrefixList"
                }
            }
        }
    ]
}
```

------

### Example 4: Prevent sharing with the entire organization or with organizational units
<a name="example-four"></a>

The following SCP prevents users from creating resource shares that share resources with an entire organization or with any organizational units. Users *can* share with individual AWS accounts in the organization, or with IAM roles or users.

AWS RAM authorizes APIs separately for each principal and resource listed in the call.

------
#### [ JSON ]

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ram:CreateResourceShare",
                "ram:AssociateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ram:Principal": [
                        "arn:aws:organizations::*:organization/*",
                        "arn:aws:organizations::*:ou/*"
                    ]
                }
            }
        }
    ]
}
```

------

### Example 5: Allow sharing with only specific principals
<a name="example-five"></a>

The following example SCP allows users to share resources with *only* organization `o-12345abcdef`, organizational unit `ou-98765fedcba`, and AWS account `111111111111`.

If you're using an `"Effect": "Deny"` element with a negated condition operator, like `StringNotEqualsIfExists`, the request is still denied even if the condition key is not present. Use a `Null` condition operator to check if a condition key is absent at the time of authorization.

AWS RAM authorizes APIs separately for each principal and resource listed in the call.

------
#### [ JSON ]

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ram:AssociateResourceShare",
        "ram:CreateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ram:Principal": [
            "arn:aws:organizations::123456789012:organization/o-12345abcdef",
            "arn:aws:organizations::123456789012:ou/o-12345abcdef/ou-98765fedcba",
            "111111111111"
          ]
        },
        "Null": {
          "ram:Principal": "false"
        }
      }
    }
  ]
}
```

------
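The condition logic this page relies on (the separate per-principal and per-resource request contexts of IAM Example 2, the `...IfExists` behaviour in SCP Example 3, and the negated-operator caveat in SCP Example 5), carried through as a small Python simulator. This is an added example, not AWS code or the IAM policy engine: `evaluate`, `_condition_true` and the request contexts are constructed here, the two policies are copied from the examples above, and the rule that a negated operator matches a missing key is an assumption consistent with the Example 5 caveat.

```python
"""Simulator for the condition logic used by the policies in this guide (added
example, not AWS code). It models only the operators used above, the rule for
condition keys missing from the request context, and AWS RAM's separate
principal and resource request contexts."""
import re


def _values(v):
    """A policy value may be a single string or a list of strings."""
    return v if isinstance(v, list) else [v]


def _wild(value, pattern):
    """IAM-style wildcard match: '*' matches any run, '?' exactly one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_true(operator, key, expected, context):
    """Evaluate one operator/key pair; a key absent from `context` is absent
    from the request context (ram:RequestedResourceType while RAM authorizes
    a principal, ram:Principal while it authorizes a resource)."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    expected = _values(expected)
    present = key in context
    if base == "Null":
        # "true" asserts the key is absent, "false" asserts it is present.
        return present == (expected[0].lower() == "false")
    if not present:
        # Assumed: negated operators and ...IfExists forms are true for a
        # missing key; every other operator is false (the Example 5 caveat).
        return if_exists or "Not" in base
    actual = str(context[key])
    if base == "StringEquals":
        return actual in expected
    if base == "StringNotEquals":
        return actual not in expected
    if base == "StringLike":
        return any(_wild(actual, p) for p in expected)
    if base == "Bool":
        return actual.lower() == expected[0].lower()
    raise ValueError(f"operator not modelled: {operator}")


def evaluate(policy, action, context):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request context: all
    keys in a Condition block must be true, explicit Deny beats Allow, and no
    matching Allow is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_wild(action, p) for p in _values(stmt["Action"])):
            continue
        if not all(_condition_true(op, k, v, context)
                   for op, pairs in stmt.get("Condition", {}).items()
                   for k, v in pairs.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# IAM Example 2 above: share only resolver rules, associate any principal.
IAM_EXAMPLE_2 = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowOnlySpecificResourceType", "Effect": "Allow",
     "Action": ["ram:CreateResourceShare", "ram:AssociateResourceShare"],
     "Resource": "*", "Condition": {"StringEquals": {
         "ram:RequestedResourceType": "route53resolver:ResolverRule"}}},
    {"Sid": "AllowAssociatingPrincipals", "Effect": "Allow",
     "Action": ["ram:CreateResourceShare", "ram:AssociateResourceShare"],
     "Resource": "*", "Condition": {"Null": {"ram:Principal": "false"}}}]}

# SCP Example 5 above: deny sharing with anything but the listed principals.
SCP_EXAMPLE_5 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["ram:AssociateResourceShare", "ram:CreateResourceShare"],
    "Resource": "*", "Condition": {
        "StringNotEquals": {"ram:Principal": [
            "arn:aws:organizations::123456789012:organization/o-12345abcdef",
            "arn:aws:organizations::123456789012:ou/o-12345abcdef/ou-98765fedcba",
            "111111111111"]},
        "Null": {"ram:Principal": "false"}}}]}


def example_5_without_null():
    """SCP Example 5 with its Null guard removed, to show what the guard buys."""
    stmt = SCP_EXAMPLE_5["Statement"][0]
    cond = {"StringNotEquals": stmt["Condition"]["StringNotEquals"]}
    return {"Version": "2012-10-17", "Statement": [dict(stmt, Condition=cond)]}


# Constructed request contexts, one per thing that RAM authorizes separately.
RESOLVER_RULE = {"ram:RequestedResourceType": "route53resolver:ResolverRule"}
PREFIX_LIST = {"ram:RequestedResourceType": "ec2:PrefixList"}
IN_LIST = {"ram:Principal": "111111111111"}
NOT_IN_LIST = {"ram:Principal": "333333333333"}
```

For the resource-association context `PREFIX_LIST`, `evaluate(example_5_without_null(), "ram:AssociateResourceShare", PREFIX_LIST)` returns `Deny` while the published policy returns `ImplicitDeny`, which is exactly the difference the `Null` guard makes.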

### Example 6: Prevent resource shares with RetainSharingOnAccountLeaveOrganization enabled
<a name="example-six"></a>

The following SCP prevents users from creating or modifying resource shares when the `ram:RetainSharingOnAccountLeaveOrganization` condition key is set to `true`.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ram:CreateResourceShare",
                "ram:AssociateResourceShare",
                "ram:DisassociateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "ram:RetainSharingOnAccountLeaveOrganization": "true"
                }
            }
        }
    ]
}
```

# Disabling resource sharing with AWS Organizations
<a name="security-disable-sharing-with-orgs"></a>

If you previously enabled sharing with AWS Organizations and you no longer need to share resources with your entire organization or organizational units (OUs), you can disable sharing. When you disable sharing with AWS Organizations, all organizations or OUs are removed from the resource shares that you have created and they lose access to the shared resources. External accounts (accounts added to the resource share via invitation) will not be impacted, and will continue to be associated with the resource share.

**To disable sharing with AWS Organizations**

1. Disable trusted access to AWS Organizations using the AWS Organizations [disable-aws-service-access](https://docs.aws.amazon.com/cli/latest/reference/organizations/disable-aws-service-access.html) AWS CLI command.

   ```
   $  aws organizations disable-aws-service-access --service-principal ram.amazonaws.com
   ```
   **Important**  
   When you disable trusted access to AWS Organizations, principals within your organizations are removed from all resource shares and lose access to those shared resources.

1. Use the IAM console, the AWS CLI, or the IAM API operations to delete the **AWSServiceRoleForResourceAccessManager** service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.