

# Share a workload in AWS Well-Architected Tool
<a name="workloads-sharing"></a>

You can share a workload that you own with other AWS accounts, users, an organization, and organization units (OUs) in the same AWS Region.

**Note**  
You can only share workloads within the same AWS Region.   
When sharing a workload with another AWS account, if the recipient does not have the `wellarchitected:UpdateShareInvitation` permission, they cannot accept the share invitation. See [Providing users, groups, or roles access to AWS WA Tool](iam-auth-access.md) for permission policy examples. 

**To share a workload with other AWS accounts and users**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workloads**.

1. Select a workload that you own in one of the following ways:
   + Choose the name of the workload.
   + Select the workload and choose **View details**.

1. Choose **Shares**. Then choose **Create** and **Create shares to users or accounts** to create a workload invitation.

1. Enter the 12-digit AWS account ID or the ARN of the user that you want to share the workload with.

1. Choose the permission that you want to grant.  
**Read-Only**  
Provides read-only access to the workload.  
**Contributor**  
Provides update access to answers and their notes, and read-only access to the rest of the workload.

1. Choose **Create** to send a workload invitation to the specified AWS account or user.

If the workload invitation is not accepted within seven days, the invitation automatically expires. 

If a user and the user's AWS account both have workload invitations, the workload invitation with the highest-level permission is applied to the user. 

**Important**  
Before sharing a workload with an organization or organization units (OUs), you must [enable AWS Organizations access](sharing.md#getting-started-sharing-orgs).

**To share a workload with your organization or OUs**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workloads**.

1. Select a workload that you own in one of the following ways:
   + Choose the name of the workload.
   + Select the workload and choose **View details**.

1. Choose **Shares**. Then choose **Create** and **Create shares to Organizations**.

1. On the **Create workload share** page, choose whether to grant permissions to the entire organization, or to one or more OUs.

1. Choose the permission that you want to grant.  
**Read-Only**  
Provides read-only access to the workload.  
**Contributor**  
Provides update access to answers and their notes, and read-only access to the rest of the workload.

1. Choose **Create** to share the workload.

To see who has shared access to a workload, choose **Shares** from the [View workload details in AWS Well-Architected Tool](workload-details.md) page.

To prevent an entity from sharing workloads, attach a policy that denies `wellarchitected:CreateWorkloadShare` actions.
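A deny policy of the kind described above, wrapped in a small check that confirms a policy document unconditionally denies `wellarchitected:CreateWorkloadShare`. This is an added example, not AWS code: the `Sid`, the sample policy and the function names are constructed, and the matcher models only `Action` and `Resource` wildcards, not full IAM policy evaluation.

```python
import json
from fnmatch import fnmatchcase

SHARE_ACTION = "wellarchitected:CreateWorkloadShare"

# Constructed sample: identity-based policy that blocks workload sharing.
DENY_SHARING_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyWorkloadSharing",
      "Effect": "Deny",
      "Action": "wellarchitected:CreateWorkloadShare",
      "Resource": "*"
    }
  ]
}
""")

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' act as wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def denies_sharing(policy, action=SHARE_ACTION):
    """True if some statement unconditionally denies `action` on all resources."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement object is valid
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Condition"):      # conditional deny is not a blanket block
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue                   # scoped to specific workloads only
        if any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            return True
    return False
```

Statements that use `NotAction` or a `Condition` are treated as not denying, so the check errs toward reporting that sharing is still possible.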

You can also share custom lenses that you own with other AWS accounts, users, your organization, and OUs in the same AWS Region. For details, refer to [Sharing a custom lens in AWS WA Tool](lenses-sharing.md).

# Considerations when sharing AWS Well-Architected Tool workloads
<a name="sharing-considerations"></a>

A workload can be shared with up to 20 different AWS accounts and users. A workload can only be shared with accounts and users that are in the same AWS Region as the workload.

To share a workload in a Region introduced after March 20, 2019, both you and the shared AWS account must enable the Region in the AWS Management Console. For more information, refer to [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

You can share a workload with an AWS account, individual users in an account, or both. When you share a workload with an AWS account, all users in that account are given access to the workload. If only specific users in an account require access, follow the best practice of granting least privilege and share the workload individually with those users.

If both an AWS account and a user in the account have workload invitations, the workload invitation with the highest-level permissions determines the user's permission to the workload. If you delete the workload invitation for the user, the user's access is determined by the workload invitation for the AWS account. Delete both workload invitations to remove the user's access to the workload.

Before sharing a workload with an organization or one or more organization units (OUs), you must enable AWS Organizations access.

If you share a workload with both an organization and one or more OUs, the workload invitation with the highest-level permissions determines the account's permission to the workload.
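The account-plus-user rules above, worked through as a share audit. This is an added example, not AWS code: the share records are constructed and shaped like the `WorkloadShareSummaries` entries returned by the `ListWorkloadShares` API, and treating only `ACCEPTED` shares as granting access is an assumption of this sketch.

```python
import re

RANK = {"READONLY": 1, "CONTRIBUTOR": 2}  # higher rank wins
LIVE = {"ACCEPTED", "PENDING"}            # invitations that still exist

# Constructed sample data (account IDs and share IDs are made up).
SHARES = [
    {"ShareId": "share-a", "SharedWith": "111122223333",
     "PermissionType": "READONLY", "Status": "ACCEPTED"},
    {"ShareId": "share-b", "SharedWith": "arn:aws:iam::111122223333:user/alice",
     "PermissionType": "CONTRIBUTOR", "Status": "ACCEPTED"},
    {"ShareId": "share-c", "SharedWith": "arn:aws:iam::444455556666:user/bob",
     "PermissionType": "READONLY", "Status": "PENDING"},
    {"ShareId": "share-d", "SharedWith": "444455556666",
     "PermissionType": "CONTRIBUTOR", "Status": "EXPIRED"},
]

def account_of(principal):
    """Return the 12-digit account ID of an account ID or IAM ARN."""
    m = re.fullmatch(r"(\d{12})|arn:aws[\w-]*:iam::(\d{12}):.+", principal)
    if m is None:
        raise ValueError(f"not an account ID or IAM ARN: {principal!r}")
    return m.group(1) or m.group(2)

def _targets(user_arn):
    # A user is covered by shares to the user and to the user's account.
    return {user_arn, account_of(user_arn)}

def effective_permission(user_arn, shares):
    """Highest-level permission among accepted shares covering the user."""
    granted = [s["PermissionType"] for s in shares
               if s["Status"] == "ACCEPTED" and s["SharedWith"] in _targets(user_arn)]
    return max(granted, key=RANK.__getitem__, default=None)

def shares_to_delete(user_arn, shares):
    """Every live invitation that must be deleted to remove the user's access."""
    return sorted(s["ShareId"] for s in shares
                  if s["Status"] in LIVE and s["SharedWith"] in _targets(user_arn))

def account_wide_shares(shares):
    """Live shares made to a whole account, for least-privilege review."""
    return sorted(s["ShareId"] for s in shares
                  if s["Status"] in LIVE and re.fullmatch(r"\d{12}", s["SharedWith"]))
```

With the sample data, deleting only `share-b` leaves the user `alice` with read-only access through the account-level `share-a`, which is why `shares_to_delete` returns both.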

**To enable AWS Organizations sharing**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Settings**.

1. Choose **Enable AWS Organizations support**.

1. Choose **Save settings**.

# Delete shared access in AWS Well-Architected Tool
<a name="sharing-remove"></a>

You can delete a workload invitation. Deleting a workload invitation removes shared access to the workload.

**To delete shared access to a workload**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workloads**.

1. Select the workload in one of the following ways:
   + Choose the name of the workload.
   + Select the workload and choose **View details**.

1. Choose **Shares**.

1. Select the workload invitation to delete and choose **Delete**.

1. Choose **Delete** to confirm.

If a user and the user's AWS account have workload invitations, you must delete both workload invitations to remove the user's permission to the workload.

# Modify shared access in AWS Well-Architected Tool
<a name="sharing-change"></a>

You can modify a pending or accepted workload invitation.

**To modify shared access to a workload**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workloads**.

1. Select a workload that you own in one of the following ways:
   + Choose the name of the workload.
   + Select the workload and choose **View details**.

1. Choose **Shares**.

1. Select the workload invitation to modify and choose **Edit**.

1. Choose the new permission that you want to grant to the AWS account or user.  
**Read-Only**  
Provides read-only access to the workload.  
**Contributor**  
Provides update access to answers and their notes, and read-only access to the rest of the workload.

1. Choose **Save**.

If the modified workload invitation is not accepted within seven days, it automatically expires.

# Accept and reject workload invitations in AWS Well-Architected Tool
<a name="sharing-invitations"></a>

A workload invitation is a request to share a workload that is owned by another AWS account. If you accept the workload invitation, the workload is added to your **Workloads** and **Dashboard** pages. If you reject the workload invitation, it's removed from the workload invitation list.

You have seven days to accept a workload invitation. If you do not accept the invitation within seven days, it automatically expires.

**Note**  
Workloads can only be shared within the same AWS Region.

**To accept or reject a workload invitation**

1. Sign in to the AWS Management Console and open the AWS Well-Architected Tool console at [https://console.aws.amazon.com/wellarchitected/](https://console.aws.amazon.com/wellarchitected/).

1. In the left navigation pane, choose **Workload invitations**.

1. Select the workload invitation to accept or reject.
   + To accept the workload invitation, choose **Accept**.

     The workload is added to the **Workloads** and **Dashboard** pages.
   + To reject the workload invitation, choose **Reject**.

     The workload invitation is removed from the list.

To reject shared access after a workload invitation has been accepted, choose **Reject share** from the [View workload details in AWS Well-Architected Tool](workload-details.md) page for the workload.