Error: "AccessDeniedException" - AWS Resource Access Manager

Scenario

You get an Access Denied exception when trying to share a resource or view a resource share.

Cause

You can receive this error if you attempt to create a resource share when you don't have the required permissions. This can be caused by insufficient permissions in policies attached to your AWS Identity and Access Management (IAM) principal. It can also happen because of restrictions in place from an AWS Organizations service control policy (SCP) that affects your AWS account.

Solution

To provide access, add permissions to your users, groups, or roles:

To resolve the error, you need to ensure the permissions are granted by Allow statements in the permission policy used by the principal that makes the request. In addition, the permissions must not be blocked by your organization’s SCPs.

To create a resource share, you need the following two permissions:

  • ram:CreateResourceShare

  • ram:AssociateResourceShare

To view a resource share, you need the following permission:

  • ram:GetResourceShares

To attach permissions to a resource share, you need the following permission:

  • resourceOwningService:PutPolicyAction

    This is a placeholder. You must replace it with the "PutPolicy" permission (or equivalent) for the service that owns the resource that you want to share. For example, if you are sharing a Route 53 resolver rule, then the required permission would be: route53resolver:PutResolverRulePolicy. If you want to allow the creation of a resource share that contains multiple resource types, then you must include the relevant permission for each resource type that you want to permit.

The following example shows what such an IAM permission policy might look like.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ram:CreateResourceShare",
                "ram:AssociateResourceShare",
                "ram:GetResourceShares",
                "resourceOwningService:PutPolicyAction"
            ],
            "Resource": "*"
        }
    ]
}
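
To find which of the permissions listed above is missing or blocked, the following added example (not AWS code) checks policy documents offline for the required actions. It is a simplified model: it matches only Effect and Action, ignores Resource, Condition and NotAction, and treats all SCPs as one flat list. The function names, the sample policies, and the use of route53resolver:PutResolverRulePolicy for the placeholder are assumptions.

```python
from fnmatch import fnmatchcase

# Required actions per task, as listed on this page. "attach" uses the page's
# Route 53 Resolver example in place of resourceOwningService:PutPolicyAction.
REQUIRED = {
    "create": ["ram:CreateResourceShare", "ram:AssociateResourceShare"],
    "view": ["ram:GetResourceShares"],
    "attach": ["route53resolver:PutResolverRulePolicy"],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(policy, effect, action):
    """True if a statement with this Effect names the action (wildcards allowed)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != effect:
            continue
        # IAM action names are case-insensitive; "*" and "?" are wildcards.
        if any(fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action", []))):
            return True
    return False

def diagnose(identity_policies, scps, task):
    """Return {action: reason} for every required action that would be denied."""
    problems = {}
    for action in REQUIRED[task]:
        if any(_matches(p, "Deny", action) for p in identity_policies + scps):
            problems[action] = "explicit Deny"
        elif not any(_matches(p, "Allow", action) for p in identity_policies):
            problems[action] = "no Allow in identity policy"
        elif scps and not any(_matches(p, "Allow", action) for p in scps):
            problems[action] = "not allowed by any SCP"
    return problems

# Constructed sample policies (not taken from a real account).
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ram:CreateResourceShare", "ram:Get*",
                "route53resolver:PutResolverRulePolicy"]}]}
SCP_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "route53resolver:Put*", "Resource": "*"}]}

if __name__ == "__main__":
    for task in REQUIRED:
        print(task, diagnose([IDENTITY], [SCP_FULL, SCP_DENY], task))
```

An empty result for a task means the modeled policies grant every action that task needs; a non-empty result names the action to add to the identity policy or to unblock in the SCP.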
