

# Share AWS resources owned by you
<a name="working-with-sharing"></a>

You can use AWS Resource Access Manager (AWS RAM) to share the resources that you specify with the principals that you specify. This section describes how you can create new resource shares, modify existing resource shares, and delete resource shares that you no longer need.

**Topics**
+ [Viewing resource shares you created in AWS RAM](working-with-sharing-view-rs.md)
+ [Creating a resource share in AWS RAM](working-with-sharing-create.md)
+ [Update a resource share in AWS RAM](working-with-sharing-update.md)
+ [Viewing your shared resources in AWS RAM](working-with-sharing-view-sr.md)
+ [Viewing the principals you share resources with in AWS RAM](working-with-sharing-view-principals.md)
+ [Deleting a resource share in AWS RAM](working-with-sharing-delete.md)

# Viewing resource shares you created in AWS RAM
<a name="working-with-sharing-view-rs"></a>

You can view a list of the resource shares that you have created. You can see which resources you're sharing and the principals with whom they're shared.

------
#### [ Console ]

**To view your resource shares**

1. Open the **[Shared by me : Resource shares](https://console.aws.amazon.com/ram/home#OwnedResourceShares:)** page in the AWS RAM console.

1. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia) (`us-east-1`). For more information about sharing global resources, see [Sharing Regional resources compared to global resources](working-with-regional-vs-global.md).

1. If any of the managed permissions used by the resource shares in the results have a new version of the managed permission that is designated as the default, then the page displays a banner to alert you. You can choose to update all managed permission versions at once by choosing **Review and update all** at the top of the page.

   Alternatively, for individual resource shares with one or more new versions of managed permissions, the **Status** column displays **Update available**. Choosing that link begins the process of reviewing the updated managed permission versions and letting you assign them as the versions for the relevant resource types in that one resource share.

1. (Optional) Apply a filter to find specific resource shares. You can apply multiple filters to narrow your search. You can type a keyword, such as part of a resource share name, to list only those resource shares that include that text in the name. Choose the text box to see a dropdown list of suggested attribute fields. After you choose one, you can choose from the list of available values for that field. You can add other attributes or keywords until you find the resource you want.

1. Choose the name of the resource share to review. The console displays the following information about the resource share:
   + **Summary** – Lists the resource share name, ID, owner, Amazon Resource Name (ARN), creation date, whether it allows sharing with external accounts, and its current status.
   + **Managed Permissions** – Lists the managed permissions that are attached to this resource share. There can be at most one managed permission per resource type included in the resource share. Each managed permission displays the version of that managed permission that is associated with the resource share. If it is not the default version, then the console displays an **Update to default version** link. If you choose that link, then you are provided with the opportunity to update the resource share to use the default version.
   + **Shared resources** – Lists the individual resources that are included in the resource share. Choose the ID of a resource to open a new browser tab to view the resource in its native service's console.
   + **Shared principals** – Lists the principals with whom the resources are shared.
   + **Tags** – Lists the tag key-value pairs that are attached to the resource share itself; these are not the tags attached to the individual resources included in the resource share.

------
#### [ AWS CLI ]

**To view your resource shares**  
You can use the [get-resource-shares](https://docs.aws.amazon.com/cli/latest/reference/ram/get-resource-shares.html) command with the parameter `--resource-owner` set to `SELF` to display details of the resource shares created in your AWS account.

The following example shows the resource shares that are shared in the current AWS Region (`us-east-1`) for the calling AWS account. To get the resource shares created in a different Region, use the `--region <region-code>` parameter. To include resource shares that contain global resources, you must specify the Region US East (N. Virginia), `us-east-1`.

```
$  aws ram get-resource-shares \
    --resource-owner SELF
{
    "resourceShares": [
        {
            "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/2ebe77d7-4156-4a93-87a4-228568d04425",
            "name": "MySubnetShare",
            "owningAccountId": "123456789012",
            "allowExternalPrincipals": true,
            "status": "ACTIVE",
            "creationTime": "2021-09-10T15:38:54.449000-07:00",
            "lastUpdatedTime": "2021-09-10T15:38:54.449000-07:00",
            "featureSet": "STANDARD"
        },
        {
            "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/818d71dd-7512-4f71-99c6-2ae57aa010bc",
            "name": "MyLicenseConfigShare",
            "owningAccountId": "123456789012",
            "allowExternalPrincipals": true,
            "status": "ACTIVE",
            "creationTime": "2021-09-14T20:42:40.266000-07:00",
            "lastUpdatedTime": "2021-09-14T20:42:40.266000-07:00",
            "featureSet": "STANDARD"
        }
    ]
}
```
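The following is an added example, not part of the AWS documentation or AWS tooling: a Python audit over saved `get-resource-shares` responses that lists the shares still accepting principals from outside the organization and builds the `update-resource-share` command that restricts each one. The sample responses are constructed from the output above, and the function and variable names are hypothetical.

```python
import json
import shlex

# Constructed sample input: one saved `aws ram get-resource-shares
# --resource-owner SELF` response per Region, adapted from the output above.
SAMPLE_RESPONSES = {
    "us-east-1": """
    {"resourceShares": [
      {"resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/2ebe77d7-4156-4a93-87a4-228568d04425",
       "name": "MySubnetShare", "owningAccountId": "123456789012",
       "allowExternalPrincipals": true, "status": "ACTIVE"},
      {"resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/818d71dd-7512-4f71-99c6-2ae57aa010bc",
       "name": "MyLicenseConfigShare", "owningAccountId": "123456789012",
       "allowExternalPrincipals": false, "status": "ACTIVE"}
    ]}""",
    "eu-west-1": '{"resourceShares": []}',
}


def external_sharing_findings(responses):
    """List owned shares that still allow principals outside the organization.

    `responses` maps the queried Region to the raw JSON text returned for it.
    """
    findings = []
    for queried_region, body in responses.items():
        for share in json.loads(body).get("resourceShares", []):
            # Shares that are deleted or being deleted need no change.
            if share.get("status") in ("DELETING", "DELETED"):
                continue
            # A missing flag is treated as open so the share gets reviewed.
            if not share.get("allowExternalPrincipals", True):
                continue
            arn = share["resourceShareArn"]
            # ARN layout: arn:partition:ram:region:account:resource-share/id
            # The update must go to the Region that contains the share.
            region = arn.split(":")[3] or queried_region
            command = ["aws", "ram", "update-resource-share",
                       "--region", region,
                       "--resource-share-arn", arn,
                       "--no-allow-external-principals"]
            findings.append({
                "name": share.get("name", ""),
                "region": region,
                "arn": arn,
                "restrict_command": shlex.join(command),
            })
    return sorted(findings, key=lambda f: (f["region"], f["name"]))


if __name__ == "__main__":
    for finding in external_sharing_findings(SAMPLE_RESPONSES):
        print(f"{finding['region']}  {finding['name']}")
        print(f"  {finding['restrict_command']}")
```

Review each generated command before running it, because shares that intentionally include accounts outside the organization need external principals to stay allowed.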

------

# Creating a resource share in AWS RAM
<a name="working-with-sharing-create"></a>

To share resources that you own, create a resource share. Here's an overview of the process:

1. Add the resources that you want to share.

1. For each resource type that you include in the share, specify the [managed permission](getting-started-terms-and-concepts.md#term-managed-permission) to use for that resource type.
   + You can choose from one of the available AWS managed permissions, an existing customer managed permission, or create a new customer managed permission.
   + AWS managed permissions are created by AWS to cover standard use cases.
   + Customer managed permissions allow you to tailor your own managed permissions to meet your security and business needs.
**Note**  
If the selected managed permission has multiple versions, then AWS RAM automatically attaches the default version. You can attach ***only*** the version that is designated as the default.

1. Specify the principals that you want to have access to the resources.

**Considerations**
+ If you later need to delete an AWS resource that you included in a share, we recommend that you first either remove the resource from any resource share that includes it, or delete the resource share.
+ The resource types that you can include in a resource share are listed at [Shareable AWS resources](shareable.md).
+ You can share a resource only if you [own](getting-started-terms-and-concepts.md#term-sharing-account) it. You can't share a resource that's shared with you.
+ AWS RAM is a Regional service. When you share a resource with principals in other AWS accounts, those principals must access each resource from the same AWS Region that it was created in. For supported global resources, you can access those resources from any AWS Region that's supported by that resource's service console and tools. You can view such resource shares and their global resources in the AWS RAM console and tools only in the designated home Region, US East (N. Virginia), `us-east-1`. For more information about AWS RAM and global resources, see [Sharing Regional resources compared to global resources](working-with-regional-vs-global.md).
+ If the account you're sharing from is part of an organization in AWS Organizations and sharing within your organization is enabled, any principals in the organization that you share with are automatically granted access to the resource shares without the use of invitations. A principal in an account with whom you share outside of the context of an organization receives an invitation to join the resource share and is granted access to the shared resources only after they accept the invitation.
+ If you share with a service principal, you can't associate any other principals with the resource share.
+ If the sharing is between accounts or principals that are part of an organization, then any changes to organization membership dynamically affect access to the resource share. 
  + If you add an AWS account to the organization or an OU that has access to a resource share, then that new member account automatically gets access to the resource share. The administrator of the account you shared with can then grant individual principals in that account access to the resources in that share. 
  + If you remove an account from the organization or an OU that has access to a resource share, then any principals in that account automatically lose access to resources that were accessed through that resource share. 
  + If you shared directly with a member account or with IAM roles or users in the member account and then remove that account from the organization, then any principals in that account lose access to the resources that were accessed through that resource share.
**Important**  
When you share with an organization or an OU, and that scope includes the account that owns the resource share, all principals in the sharing account automatically get access to the resources in the share. The access granted is defined by the managed permissions associated with the share. This is because the resource-based policy that AWS RAM attaches to each resource in the share uses `"Principal": "*"`. For more information, see [Implications of using "Principal": "*" in a resource-based policy](getting-started-terms-and-concepts.md#term-principal-star).  
Principals in the other consuming accounts don't immediately get access to the share's resources. The other accounts' administrators must first attach identity-based permission policies to the appropriate principals. Those policies must grant `Allow` access to the ARNs of individual resources in the resource share. The permissions in those policies can't exceed those specified in the managed permission associated with the resource share.
+ You can add only the organization your account is a member of, and OUs from that organization to your resource shares. You can't add OUs or organizations from outside your own organization to a resource share as principals. However, you can add individual AWS accounts or, for supported services, IAM roles and users from outside your organization as principals to a resource share.
**Note**  
Not all resource types can be shared with IAM roles and users. For information about resources that you can share with these principals, see [Shareable AWS resources](shareable.md).
+ For the following resource types, you have seven days to accept the invitation to join the share. If you don't accept the invitation before it expires, the invitation is automatically declined.
**Important**  
For shared resource types **not** on the following list, you have **12 hours** to accept the invitation to join the resource share. After 12 hours, the invitation expires and the end user principal in the resource share is disassociated. The invitation can no longer be accepted by end users.
  + Amazon Aurora – DB clusters
  + Amazon EC2 – capacity reservations and dedicated hosts
  + AWS License Manager – License configurations
  + AWS Outposts – Local gateway route tables, outposts, and sites 
  + Amazon Route 53 – Forwarding rules
  + Amazon VPC – Customer-owned IPv4 addresses, prefix lists, subnets, traffic mirror targets, transit gateways, transit gateway multicast domains

------
#### [ Console ]

**To create a resource share**

1. Open the [AWS RAM console](https://console.aws.amazon.com/ram/home).

1. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia) (`us-east-1`). For more information about sharing global resources, see [Sharing Regional resources compared to global resources](working-with-regional-vs-global.md). If you want to include global resources in the resource share, then you must choose the designated home Region, US East (N. Virginia), `us-east-1`.

1. If you're new to AWS RAM, choose **Create a resource share** from the home page. Otherwise, choose **Create resource share** from the **[Shared by me : Resource shares](https://console.aws.amazon.com/ram/home#OwnedResourceShares:)** page.

1. In **Step 1: Specify resource share details**, do the following:

   1. For **Name**, enter a descriptive name for the resource share. The name can contain alphabetic characters, numbers, spaces, periods (.), and hyphens (-). It must be fewer than 256 characters.

   1. Under **Resources**, choose resources to add to the resource share as follows:
      + For **Select resource type**, choose the type of resource to share. This filters the list of shareable resources to only those resources of the selected type.
      + In the resulting list of resources, select the checkboxes next to the individual resources that you want to share. The selected resources move under **Selected resources**.

        If you're sharing resources that are associated with a specific Availability Zone, then using the Availability Zone ID (AZ ID) helps you determine the relative location of these resources across accounts. For more information, see [Availability Zone IDs for your AWS resources](working-with-az-ids.md).

   1. (Optional) To [attach tags](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) to the resource share, under **Tags**, enter a tag key and value. Add others by choosing **Add new tag**. Repeat this step as needed. These tags apply to only the resource share itself, not to the resources in the resource share.

1. Choose **Next**.

1. In **Step 2: Associate a managed permission with each resource type**, you can choose to associate a managed permission created by AWS with the resource type, choose an existing customer managed permission, or you can create your own customer managed permission for supported resource types. For more information, see [Types of managed permissions](security-ram-permissions.md#permissions-types).

   Choose **Create customer managed permission** to construct a customer managed permission that meets the requirements of your sharing use case. For more information, see [Create a customer managed permission](create-customer-managed-permissions.md#create_cmp). After completing the process, choose ![\[Refresh icon\]](http://docs.aws.amazon.com/ram/latest/userguide/images/refresh_icon.PNG), and then you can select your new customer managed permission from the **Managed permissions** dropdown list.
**Note**  
If the selected managed permission has multiple versions, then AWS RAM automatically attaches the default version. You can attach ***only*** the version designated as the default.

   To display the actions that the managed permission allows, expand **View the policy template for this managed permission**.

1. Choose **Next**.

1. In **Step 3: Grant access to principals**, do the following:

   1. By default, **Allow sharing with anyone** is selected, which means that, for those resource types that support it, you can share resources with AWS accounts that are outside of your organization. This doesn't affect resource types that can be shared *only* within an organization, such as Amazon VPC subnets. You can also share some [supported resource types](shareable.md) with IAM roles and users.

      To restrict resource sharing to only accounts and principals in your organization, choose **Allow sharing only within your organization**.

   1. For **Principals**, do the following:
      + To add the organization, an organizational unit (OU), or an AWS account that is part of an organization, turn on **Display organizational structure**. This displays a tree view of your organization. Then, select the checkbox next to each principal that you want to add.
**Important**  
When you share with an organization or an OU, and that scope includes the account that owns the resource share, all principals in the sharing account automatically get access to the resources in the share. The access granted is defined by the managed permissions associated with the share. This is because the resource-based policy that AWS RAM attaches to each resource in the share uses `"Principal": "*"`. For more information, see [Implications of using "Principal": "*" in a resource-based policy](getting-started-terms-and-concepts.md#term-principal-star).  
Principals in the other consuming accounts don't immediately get access to the share's resources. The other accounts' administrators must first attach identity-based permission policies to the appropriate principals. Those policies must grant `Allow` access to the ARNs of individual resources in the resource share. The permissions in those policies can't exceed those specified in the managed permission associated with the resource share.
        + If you select the organization (the ID begins with `o-`), then principals in all AWS accounts in the organization can access the resource share. 
        + If you select an OU (the ID begins with `ou-`), then principals in all AWS accounts in that OU and its child OUs can access the resource share.
        + If you select an individual AWS account, then only principals in that account can access the resource share.
**Note**  
The **Display organizational structure** toggle appears only if sharing with AWS Organizations is enabled and you're signed in to the management account for the organization.  
You can't use this method to specify an AWS account outside your organization, or an IAM role or user. Instead, you must turn off **Display organizational structure** and use the dropdown list and text box to enter the ID or ARN.
      + To specify a principal by ID or ARN, including principals that are outside of the organization, select the principal type for each principal. Next, enter the ID (for an AWS account, organization, or OU) or ARN (for an IAM role or user), and then choose **Add**. The available principal types and ID and ARN formats are as follows:
        + **AWS account** – To add an AWS account, enter the 12-digit account ID. For example:

          `123456789012`
        + **Organization** – To add all of the AWS accounts in your organization, enter the ID of the organization. For example:

          `o-abcd1234`
        + **Organizational unit (OU)** – To add an OU, enter the ID of the OU. For example:

          `ou-abcd-1234efgh`
        + **IAM role** – To add an IAM role, enter the ARN of the role. Use the following syntax:

          `arn:partition:iam::account:role/role-name`

          For example:

          `arn:aws:iam::123456789012:role/MyS3AccessRole`
**Note**  
To obtain the unique ARN for an IAM role, [view the list of roles in the IAM console](https://console.aws.amazon.com/iamv2/home?#/roles), use the [get-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html) AWS CLI command, or the [GetRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRole.html) API action.
        + **IAM user** – To add an IAM user, enter the ARN of the user. Use the following syntax:

          `arn:partition:iam::account:user/user-name`

          For example:

          `arn:aws:iam::123456789012:user/bob`
**Note**  
To obtain the unique ARN for an IAM user, [view the list of users in the IAM console](https://console.aws.amazon.com/iamv2/home?#/users), use the [get-user](https://docs.aws.amazon.com/cli/latest/reference/iam/get-user.html) AWS CLI command, or the [GetUser](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUser.html) API action.
        + **Service principal** – To add a service principal, choose **Service principal** from the **Select principal type** dropdown list. Enter the AWS service principal's name. Use the following syntax:

          `service-id.amazonaws.com`

          For example:

          `pca-connector-ad.amazonaws.com`

   1. For **Selected principals**, verify that the principals you specified appear in the list.

1. Choose **Next**.

1. In **Step 4: Review and create**, review the configuration details for your resource share. To change the configuration for any step, choose the link that corresponds to the step you want to go back to and make the required changes.

1. After you finish reviewing the resource share, choose **Create resource share**.

   It can take a few minutes for the resource and principal associations to complete. Allow this process to complete before you try to use the resource share.

1. You can add and remove resources and principals or apply custom tags to your resource share at any time. You can change the managed permission for resource types that are included in your resource share, for those types that support more than the default managed permission. You can delete your resource share when you no longer want to share the resources. For more information, see [Share AWS resources owned by you](working-with-sharing.md).

------
#### [ AWS CLI ]

**To create a resource share**  
Use the [create-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/create-resource-share.html) command. The following command creates a resource share that is shared with all of the AWS accounts in the organization. The share contains an AWS License Manager license configuration, and it grants the default managed permissions for that resource type.

**Note**  
If you want to use a customer managed permission with a resource type in this resource share, you can either use an existing customer managed permission or create a new customer managed permission. Make note of the ARN for the customer managed permission, and then create the resource share. For more information, see [Create a customer managed permission](create-customer-managed-permissions.md#create_cmp).

```
$ aws ram create-resource-share \
    --region us-east-1 \
    --name MyLicenseConfigShare \
    --permission-arns arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLicenseConfiguration \
    --resource-arns arn:aws:license-manager:us-east-1:123456789012:license-configuration:lic-abc123 \
    --principals arn:aws:organizations::123456789012:organization/o-1234abcd
{
    "resourceShare": {
        "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/12345678-abcd-09876543",
        "name": "MyLicenseConfigShare",
        "owningAccountId": "123456789012",
        "allowExternalPrincipals": true,
        "status": "ACTIVE",
        "creationTime": "2021-09-14T20:42:40.266000-07:00",
        "lastUpdatedTime": "2021-09-14T20:42:40.266000-07:00"
    }
}
```
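The following pre-flight check is an added example, not part of the AWS documentation or any AWS tool. It applies the rules stated in this section to a planned resource share before `create-resource-share` is called: the name constraint, the principal formats, the service principal restriction, and the organization and external-principal considerations. The function names and the `own_org` and `org_accounts` inputs are hypothetical, and OU membership is not resolved.

```python
import re

# Console naming rule from this section: letters, digits, spaces, periods,
# and hyphens; fewer than 256 characters.
NAME_RE = re.compile(r"[A-Za-z0-9 .-]{1,255}")

# Principal formats as this section lists them, plus the organization ARN
# form used by the create-resource-share CLI example.
PRINCIPAL_PATTERNS = (
    ("account", re.compile(r"(?P<account>\d{12})")),
    ("organization", re.compile(
        r"(?:arn:[a-z-]+:organizations::\d{12}:organization/)?(?P<org>o-[a-z0-9]+)")),
    ("ou", re.compile(r"ou-[a-z0-9]+-[a-z0-9]+")),
    ("iam", re.compile(r"arn:[a-z-]+:iam::(?P<account>\d{12}):(?:role|user)/.+")),
    ("service", re.compile(r"[a-z0-9-]+\.amazonaws\.com")),
)


def classify(principal):
    """Return (kind, named_groups) for a principal string, or (None, {})."""
    for kind, pattern in PRINCIPAL_PATTERNS:
        match = pattern.fullmatch(principal)
        if match:
            return kind, match.groupdict()
    return None, {}


def preflight(name, principals, own_account, own_org, org_accounts,
              allow_external=True):
    """Check a planned resource share; return [(severity, subject, message)].

    own_account, own_org and org_accounts (member account IDs) are
    hypothetical inputs that the caller collects beforehand.
    """
    findings = []
    if not NAME_RE.fullmatch(name):
        findings.append(("error", "name",
                         "use letters, digits, spaces, '.', '-'; under 256 characters"))

    classified = [(p,) + classify(p) for p in principals]
    if len(classified) > 1 and any(kind == "service" for _, kind, _ in classified):
        findings.append(("error", "principals",
                         "a service principal cannot be combined with other principals"))

    for principal, kind, parts in classified:
        if kind is None:
            findings.append(("error", principal, "unrecognised principal format"))
        elif kind == "organization":
            if parts["org"] != own_org:
                findings.append(("error", principal,
                                 "only your own organization can be added"))
            else:
                findings.append(("warn", principal,
                                 "scope includes the owning account: all of its principals get access"))
        elif kind == "ou":
            findings.append(("warn", principal,
                             "if this OU contains the owning account, all of its principals get access"))
        elif kind in ("account", "iam"):
            account = parts["account"]
            if account == own_account:
                if kind == "account":
                    findings.append(("warn", principal,
                                     "all roles and users in the owning account receive access"))
            elif account not in org_accounts:
                if allow_external:
                    findings.append(("warn", principal,
                                     "outside the organization: access starts after the invitation is accepted"))
                else:
                    findings.append(("error", principal,
                                     "outside the organization, but external principals are not allowed"))
    return findings


if __name__ == "__main__":
    # Constructed inputs that mirror the CLI example above.
    for finding in preflight(
            "MyLicenseConfigShare",
            ["arn:aws:organizations::123456789012:organization/o-1234abcd"],
            own_account="123456789012", own_org="o-1234abcd",
            org_accounts={"123456789012", "111122223333"}):
        print(finding)
```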

------

# Update a resource share in AWS RAM
<a name="working-with-sharing-update"></a>

You can update a resource share in AWS RAM at any time in the following ways:
+ You can add principals, resources, or tags to a resource share that you created.
+ For resource types that support more than the default AWS managed permission, you can choose which managed permission applies to resources of each type.
+ When a managed permission attached to the resource share has a new default version, you can update the managed permission to use the new version.
+ You can revoke access to shared resources by removing principals or resources from a resource share. If you revoke access, principals no longer have access to the shared resources.

**Note**  
Principals with whom you share resources can leave your resource share if the share is empty or contains only resource types that support leaving a resource share. If the resource share contains resource types that don't support leaving, a message appears to inform principals that they must contact the share owner. In this case, you, as the owner of the resource share, must remove the principals from your resource share. For a list of resource types that don't support this action, see [Prerequisites for leaving a resource share](working-with-shared-leave.md#working-with-shared-leave-prerequisites).

------
#### [ Console ]

**To update a resource share**

1. Navigate to the **[Shared by me : Resource shares](https://console.aws.amazon.com/ram/home#OwnedResourceShares:)** page in the AWS RAM console.

1. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia) (`us-east-1`). For more information about sharing global resources, see [Sharing Regional resources compared to global resources](working-with-regional-vs-global.md).

1. Select the resource share and then choose **Modify**.

1. In **Step 1: Specify resource share details**, review the resource share details, and if required, update any of the following:

   1. (Optional) To change the name of the resource share, edit **Name**.

   1. (Optional) To add a resource to the resource share, under **Resources**, choose the type of resource and then select the checkbox next to the resource to add it to the resource share. Global resources appear only if you set the Region to US East (N. Virginia) (`us-east-1`) in the AWS Management Console.

   1. (Optional) To remove a resource from the resource share, locate the resource under **Selected resources**, and then choose the **X** next to the resource's ID.

   1. (Optional) To add a tag to the resource share, under **Tags**, enter a tag key and value in the empty text boxes. To add more than one tag key and value pair, choose **Add new tag**. You can add up to 50 tags. 

   1. To remove a tag from the resource share, under **Tags**, locate the tag and choose **Remove** next to it.

1. Choose **Next**.

1. (Optional) In **Step 2: Associate a managed permission with each resource type**, you can choose to associate a managed permission created by AWS with the resource type, choose an existing customer managed permission, or you can create your own customer managed permission. For more information, see [Types of managed permissions](security-ram-permissions.md#permissions-types).

   You can also choose **Create customer managed permission** to construct a customer managed permission that meets the requirements of your sharing use case. For more information, see [Create a customer managed permission](create-customer-managed-permissions.md#create_cmp). After completing the process, choose ![\[Refresh icon\]](http://docs.aws.amazon.com/ram/latest/userguide/images/refresh_icon.PNG), and then you can select your new customer managed permission from the **Managed permission** dropdown list.

   To display the actions that the managed permission allows, expand **View the policy template for this managed permission**.

1. If the version of the managed permission currently assigned to the resource share isn't the current default version, then you can update to the default version by choosing **Update to default version**.
**Note**  
Until you save your changes to the resource share after the final step, you can cancel the version update by choosing **Revert to previous version**. However, for AWS managed permissions, after you save the resource share, the change is final and you can no longer return to the previous version.

1. Choose **Next**.

1. In **Step 3: Choose principals that are allowed to access**, review the selected principals, and if required, update any of the following:

   1. (Optional) To change whether sharing is enabled with principals inside or outside your organization, choose one of the following options:
      + To share resources with AWS accounts or individual IAM roles or users that are outside of your organization, choose **Allow sharing with external principals**.
      + To restrict resource sharing to only principals in your organization in AWS Organizations, choose **Allow sharing with principals in your organization only**.

   1. For **Principals**, do the following:
      + (Optional) To add an organization, organizational unit (OU), or member AWS account inside your organization, turn on **Display organizational structure** to display a tree view of your organization. Then select the checkbox next to each principal that you want to add.
**Important**  
When you share with an organization or an OU, and that scope includes the account that owns the resource share, all principals in the sharing account automatically get access to the resources in the share. The access granted is defined by the managed permissions associated with the share. This is because the resource-based policy that AWS RAM attaches to each resource in the share uses `"Principal": "*"`. For more information, see [Implications of using "Principal": "*" in a resource-based policy](getting-started-terms-and-concepts.md#term-principal-star).  
Principals in the other consuming accounts don't immediately get access to the share's resources. The other accounts' administrators must first attach identity-based permission policies to the appropriate principals. Those policies must grant `Allow` access to the ARNs of individual resources in the resource share. The permissions in those policies can't exceed those specified in the managed permission associated with the resource share.
**Note**  
The **Display organizational structure** toggle appears only if sharing with AWS Organizations is enabled and you are signed in as a principal in the organization's management account.  
You can't use this method to specify an AWS account outside your organization, or an IAM role or user. Instead, you must add these principals by entering their identifiers, which are shown in the text box below the **Display organizational structure** switch. See the next bullet point.
      + (Optional) To add a principal by its identifier, choose the principal type from the dropdown list, and then enter the ID or ARN for the principal. Finally, choose **Add**.

        If you select an individual AWS account, then only that account can access the resource share. You can choose either of the following options.
        + **Another AWS account (other than the resource owner)** – Makes the resource available to the other account. The administrator of that account must complete the process by granting access to the shared resource using identity-based permission policies to individual roles and users. Those permissions can't exceed those defined in the managed permissions attached to the resource share.
        + **This AWS account (resource owner)** – All roles and users in the resource owning account automatically receive the access defined by the managed permissions attached to the resource share.
      + The addition immediately appears in the **Selected principals** list.

        You can then add additional accounts, OUs, or your organization by repeating this step.
      + (Optional) To remove a principal, locate it under **Selected principals**, select its checkbox, and then choose **Deselect**. 

1. Choose **Next**.

1. In **Step 4: Review and update**, review the configuration details for your resource share. 

1. To change the configuration for any step, choose the link that corresponds to the step you want to go back to, and then make the required changes.

   If any managed permissions are still using versions other than the default, you have another opportunity to address that by choosing **Update to default version**.

1. Choose **Update resource share** when you're done making changes.

------
#### [ AWS CLI ]

**To update a resource share**  
You can use the following AWS CLI commands to modify a resource share:
+ To rename a resource share, or to change whether external principals are allowed, use the command [update-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/update-resource-share.html). The following example renames the specified resource share and sets it to allow only principals from its organization. You must use the service endpoint for the AWS Region that contains the resource share.

  ```
  $ aws ram update-resource-share \
      --region us-east-1 \
      --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE \
      --name "my-renamed-resource-share" \
      --no-allow-external-principals
  {
      "resourceShare": {
          "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE",
          "name": "my-renamed-resource-share",
          "owningAccountId": "123456789012",
          "allowExternalPrincipals": false,
          "status": "ACTIVE",
          "creationTime": 1565295733.282,
          "lastUpdatedTime": 1565303080.023
      }
  }
  ```
+ To add a resource to a resource share, use the command [associate-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/associate-resource-share.html). The following example adds a subnet to the specified resource share.

  ```
  $ aws ram associate-resource-share \
      --region us-east-1 \
      --resource-arns arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0250c25a1f4e15235 \
      --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE
  {
      "resourceShareAssociations": [
          {
              "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE",
              "associatedEntity": "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0250c25a1f4e15235",
              "associationType": "RESOURCE",
              "status": "ASSOCIATING",
              "external": false
          }
      ]
  }
  ```
+ To add or replace a managed permission for a resource type in a resource share, use the commands [list-permissions](https://docs.aws.amazon.com/cli/latest/reference/ram/list-permissions.html) and [associate-resource-share-permission](https://docs.aws.amazon.com/cli/latest/reference/ram/associate-resource-share-permission.html). You can assign only one managed permission per resource type in a resource share. If you try to add a managed permission to a resource type that already has a managed permission, you must include the `--replace` option or the command fails with an error.

  The following example command lists the ARNs for the managed permissions available for an Amazon Elastic Compute Cloud (Amazon EC2) subnet, and then uses one of those ARNs to replace the currently assigned AWS managed permission for that resource type in the specified resource share. 

  ```
  $ aws ram list-permissions \
      --resource-type ec2:Subnet
  {
      "permissions": [
          {
              "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet",
              "version": "1",
              "defaultVersion": true,
              "name": "AWSRAMDefaultPermissionSubnet",
              "resourceType": "ec2:Subnet",
              "creationTime": "2020-02-27T11:38:26.727000-08:00",
              "lastUpdatedTime": "2020-02-27T11:38:26.727000-08:00"
          }
      ]
  }
  $ aws ram associate-resource-share-permission \
      --region us-east-1 \
      --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/f1d72a60-da19-4765-b4f9-e27b658b15b8 \
      --permission-arn arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet \
      --replace
  {
      "returnValue": true
  }
  ```
+ To remove a resource from a resource share, use the command [disassociate-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/disassociate-resource-share.html). The following example removes the Amazon EC2 subnet with the specified ARN from the specified resource share.

  ```
  $ aws ram disassociate-resource-share \
      --region us-east-1 \
      --resource-arns arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0250c25a1f4e15235 \
      --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE
  {
      "resourceShareAssociations": [
          {
              "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/7ab63972-b505-7e2a-420d-6f5d3EXAMPLE",
              "associatedEntity": "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0250c25a1f4e15235",
              "associationType": "RESOURCE",
              "status": "DISASSOCIATING",
              "external": false
          }
      ]
  }
  ```
+ To modify the tags attached to a resource share, use the commands [tag-resource](https://docs.aws.amazon.com/cli/latest/reference/ram/tag-resource.html) and [untag-resource](https://docs.aws.amazon.com/cli/latest/reference/ram/untag-resource.html). The following example adds the tag `project=lima` to the specified resource share.

  ```
  $ aws ram tag-resource \
      --region us-east-1 \
      --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/f1d72a60-da19-4765-b4f9-e27b658b15b8 \
      --tags key=project,value=lima
  ```

  The following example removes the tag with a key of `project` from the specified resource share.

  ```
  $ aws ram untag-resource \
      --region us-east-1 \
      --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/f1d72a60-da19-4765-b4f9-e27b658b15b8 \
      --tag-keys=project
  ```

  The tagging commands produce no output when successful.

------

# Viewing your shared resources in AWS RAM
<a name="working-with-sharing-view-sr"></a>

You can view the list of individual resources that you've shared, across all resource shares. The list helps you to determine which resources you're currently sharing, the number of resource shares that they're included in, and the number of principals that have access to them.

------
#### [ Console ]

**To view the resources that you're currently sharing**

1. Open the **[Shared by me : Shared resources](https://console.aws.amazon.com/ram/home#OwnedResources:)** page in the AWS RAM console.

1. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia), (`us-east-1`). For more information about sharing global resources, see [Sharing Regional resources compared to global resources](working-with-regional-vs-global.md).

1. For each shared resource, the following information is available:
   + **Resource ID** – The ID of the resource. Choose the ID of a resource to open a new browser tab to view the resource in its native service console.
   + **Resource type** – The type of resource.
   + **Last share date** – The date on which the resource was last shared.
   + **Resource shares** – The number of resource shares that include the resource. To see the list of the resource shares, choose the number.
   + **Principals** – The number of principals who can access the resource. Choose the value to view the principals.

------
#### [ AWS CLI ]

**To view the resources that you're currently sharing**  
You can use the [list-resources](https://docs.aws.amazon.com/cli/latest/reference/ram/list-resources.html) command with the parameter `--resource-owner` set to `SELF` to display details of the resources that you currently share.

The following example shows the resources that are included in resource shares in the AWS Region (`us-east-1`) for the calling AWS account. To get the resources that you share in a different Region, use the `--region <region-code>` parameter.

```
$ aws ram list-resources \
    --region us-east-1 \
    --resource-owner SELF
{
    "resources": [
        {
            "arn": "arn:aws:license-manager:us-east-1:123456789012:license-configuration:lic-ecbd5574fd92cb0d312baea260e4cece",
            "type": "license-manager:LicenseConfiguration",
            "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/818d71dd-7512-4f71-99c6-2ae57aa010bc",
            "creationTime": "2021-09-14T20:42:40.266000-07:00",
            "lastUpdatedTime": "2021-09-14T20:42:41.081000-07:00"
        },
        {
            "arn": "arn:aws:license-manager:us-east-1:123456789012:license-configuration:lic-ecbd5574fd92cb0d312baea260e4cece",
            "type": "license-manager:LicenseConfiguration",
            "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/a477f3b2-4001-4dcb-bd54-7c8d23b4f07d",
            "creationTime": "2021-07-22T11:48:11.104000-07:00",
            "lastUpdatedTime": "2021-07-22T11:48:11.971000-07:00"
        }
    ]
}
```

------

# Viewing the principals you share resources with in AWS RAM
<a name="working-with-sharing-view-principals"></a>

You can view the principals you share your resources with, across all resource shares. Viewing this list of principals helps you determine who has access to your shared resources.

------
#### [ Console ]

**To view the principals you're sharing resources with**

1. Navigate to the **[Shared by me : Principals](https://console.aws.amazon.com/ram/home#OwnedPrincipals:)** page in the AWS RAM console.

1. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia), (`us-east-1`). For more information about sharing global resources, see [Sharing Regional resources compared to global resources](working-with-regional-vs-global.md).

1. Apply a filter to find specific principals. You can apply multiple filters to narrow your search. Choose the text box to see a dropdown list of suggested attribute fields. After you choose one, you can choose from the list of available values for that field. You can add other attributes or keywords until you find the principal you want.

1. For each principal in the list, the console displays the following information:
   + **Principal ID** – The ID of the principal. Choose the ID to open a new browser tab to view the principal in its native console. 
   + **Resource shares** – The number of resource shares you shared with the specified principal. Choose the number to view the list of resource shares.
   + **Resources** – The number of resources you shared with the principal. Choose the number to view the list of shared resources.

------
#### [ AWS CLI ]

**To view the principals you're sharing resources with**  
You can use the [list-principals](https://docs.aws.amazon.com/cli/latest/reference/ram/list-principals.html) command to get a list of the principals you reference in resource shares that you created in the current AWS Region for the calling account.

The following example lists the principals that have access to shares created in the default Region for the calling account. In this example, the principals are the calling account's organization and a separate AWS account, as part of two different resource shares. You must use the service endpoint for the AWS Region that contains the resource share.

```
$ aws ram list-principals \
    --region us-east-1 \
    --resource-owner SELF
{
    "principals": [
        {
            "id": "arn:aws:organizations::123456789012:organization/o-a1b2c3dr",
            "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/a477f3b2-4001-4dcb-bd54-7c8d23b4f07d",
            "creationTime": "2021-09-14T20:40:58.532000-07:00",
            "lastUpdatedTime": "2021-09-14T20:40:59.610000-07:00",
            "external": false
        },
        {
            "id": "111111111111",
            "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/6405fa7c-0786-4e15-8c9f-8aec02802f18",
            "creationTime": "2021-09-15T15:00:31.601000-07:00",
            "lastUpdatedTime": "2021-09-15T15:14:13.618000-07:00",
            "external": true
        }
    ]
}
```
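
The following Python sketch is an added example, not part of the AWS documentation or the AWS CLI. It joins the JSON returned by `get-resource-shares`, `list-principals`, and `list-resources` (all with `--resource-owner SELF`) on `resourceShareArn` to report which shares currently have principals marked `external: true` and which only permit them. The sample data and share names are constructed, and reading `external: true` as "outside the owner's organization" is an assumption based on the example output above.

```python
import json
from collections import defaultdict

# Constructed sample data in the shape of the CLI output shown on this page.
# Assumption: "external": true marks a principal outside the owner's organization.
SHARES = json.loads("""{"resourceShares": [
  {"resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/share-a",
   "name": "OrgOnlyShare", "allowExternalPrincipals": true, "status": "ACTIVE"},
  {"resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/share-b",
   "name": "PartnerShare", "allowExternalPrincipals": true, "status": "ACTIVE"},
  {"resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/share-c",
   "name": "LockedShare", "allowExternalPrincipals": false, "status": "ACTIVE"}]}""")
PRINCIPALS = json.loads("""{"principals": [
  {"id": "arn:aws:organizations::123456789012:organization/o-a1b2c3dr",
   "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/share-a",
   "external": false},
  {"id": "111111111111",
   "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/share-b",
   "external": true}]}""")
RESOURCES = json.loads("""{"resources": [
  {"arn": "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0250c25a1f4e15235",
   "type": "ec2:Subnet",
   "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/share-b"}]}""")


def audit_external_exposure(shares, principals, resources):
    """Join the three listings on resourceShareArn and classify each active share."""
    external = defaultdict(list)  # share ARN -> external principal IDs
    exposed = defaultdict(list)   # share ARN -> resource ARNs in the share
    for p in principals.get("principals", []):
        if p.get("external"):
            external[p["resourceShareArn"]].append(p["id"])
    for r in resources.get("resources", []):
        exposed[r["resourceShareArn"]].append(r["arn"])

    findings = []
    for s in shares.get("resourceShares", []):
        arn = s["resourceShareArn"]
        if s.get("status") != "ACTIVE":
            continue  # deleted shares stay listed for a while; skip them
        if external[arn]:
            # Resources in this share are reachable by an external principal now.
            findings.append({"share": s["name"], "finding": "EXTERNAL_ACCESS",
                             "principals": external[arn], "resources": exposed[arn]})
        elif s.get("allowExternalPrincipals"):
            # Unused allowance: candidate for --no-allow-external-principals.
            findings.append({"share": s["name"], "finding": "EXTERNAL_ALLOWED_UNUSED",
                             "principals": [], "resources": exposed[arn]})
    return findings


if __name__ == "__main__":
    for f in audit_external_exposure(SHARES, PRINCIPALS, RESOURCES):
        print(json.dumps(f, indent=2))
```

To run it against real data, replace the three constants with the saved output of the corresponding commands, once for each Region in which you own resource shares.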

------

# Deleting a resource share in AWS RAM
<a name="working-with-sharing-delete"></a>

You can delete a resource share at any time. When you delete a resource share, all principals that were associated with the resource share lose access to the shared resources. Deleting a resource share doesn't delete the shared resources.

**To delete an AWS resource**  
If you need to delete an AWS resource that you included in a resource share, AWS recommends that you first ensure that you either remove the resource from any resource share that includes it, or delete the resource share.

The deleted resource share remains visible in the AWS RAM console for a short period after deletion, but its status changes to `Deleted`.

------
#### [ Console ]

**To delete a resource share**

1. Open the **[Shared by me : Resource shares](https://console.aws.amazon.com/ram/home#OwnedResourceShares:)** page in the AWS RAM console.

1. Because AWS RAM resource shares exist in specific AWS Regions, choose the appropriate AWS Region from the dropdown list in the upper-right corner of the console. To see resource shares that contain global resources, you must set the AWS Region to US East (N. Virginia), (`us-east-1`). For more information about sharing global resources, see [Sharing Regional resources compared to global resources](working-with-regional-vs-global.md).

1. Select the resource share you want to delete.
**Warning**  
 Be sure to select the correct resource share. You can't recover a resource share after you delete it.

1. Choose **Delete**, then in the confirmation message, choose **Delete**.

1. The deleted resource share disappears after two hours. Until then, it remains visible in the console with a deleted status.

------
#### [ AWS CLI ]

**To delete a resource share**  
You can use the [delete-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/delete-resource-share.html) command to delete a resource share that you no longer need.

The following example first uses the [get-resource-shares](https://docs.aws.amazon.com/cli/latest/reference/ram/get-resource-shares.html) command to get the Amazon Resource Name (ARN) of the resource share that you want to delete. Then it uses [delete-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/delete-resource-share.html) to delete the specified resource share.

```
$ aws ram get-resource-shares \
    --region us-east-1 \
    --resource-owner SELF
{
    "resourceShares": [
        {
            "resourceShareArn": "arn:aws:ram:us-east-1:123456789012:resource-share/2ebe77d7-4156-4a93-87a4-228568d04425",
            "name": "MySubnetShare",
            "owningAccountId": "123456789012",
            "allowExternalPrincipals": true,
            "status": "ACTIVE",
            "creationTime": "2021-09-10T15:38:54.449000-07:00",
            "lastUpdatedTime": "2021-09-10T15:38:54.449000-07:00",
            "featureSet": "STANDARD"
        }
    ]
}
$ aws ram delete-resource-share \
    --region us-east-1 \
    --resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/2ebe77d7-4156-4a93-87a4-228568d04425
{
    "returnValue": true
}
```

------