


# AWS Resource Access Manager
<a name="AWS_RAM"></a>

**Resource types**
+ [AWS::RAM::Permission](aws-resource-ram-permission.md)
+ [AWS::RAM::ResourceShare](aws-resource-ram-resourceshare.md)

# AWS::RAM::Permission
<a name="aws-resource-ram-permission"></a>

Creates a customer managed permission for a specified resource type that you can attach to resource shares. It is created in the AWS Region in which you call the operation.

## Syntax
<a name="aws-resource-ram-permission-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-ram-permission-syntax.json"></a>

```
{
  "Type" : "AWS::RAM::Permission",
  "Properties" : {
      "Name" : String,
      "PolicyTemplate" : Json,
      "ResourceType" : String,
      "Tags" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-ram-permission-syntax.yaml"></a>

```
Type: AWS::RAM::Permission
Properties:
  Name: String
  PolicyTemplate: Json
  ResourceType: String
  Tags:
    - Tag
```

## Properties
<a name="aws-resource-ram-permission-properties"></a>

`Name`  <a name="cfn-ram-permission-name"></a>
Specifies the name of the customer managed permission. The name must be unique within the AWS Region.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[\w.-]*`  
*Minimum*: `1`  
*Maximum*: `36`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`PolicyTemplate`  <a name="cfn-ram-permission-policytemplate"></a>
A JSON-formatted string that contains the following elements of a resource-based policy:  
+ **Effect**: must be set to `ALLOW`.
+ **Action**: specifies the actions that are allowed by this customer managed permission. The list must contain only actions that are supported by the specified resource type. For a list of all actions supported by each resource type, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *AWS Identity and Access Management User Guide*.
+ **Condition**: (optional) specifies conditional parameters that must evaluate to true when a user attempts an action for that action to be allowed. For more information about the Condition element, see [IAM policies: Condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *AWS Identity and Access Management User Guide*.
This template can't include either the `Resource` or `Principal` elements. Those are both filled in by AWS RAM when it instantiates the resource-based policy on each resource shared using this managed permission. The `Resource` comes from the ARN of the specific resource that you are sharing. The `Principal` comes from the list of identities added to the resource share.  
*Required*: Yes  
*Type*: Json  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`ResourceType`  <a name="cfn-ram-permission-resourcetype"></a>
Specifies the name of the resource type that this customer managed permission applies to.  
The format is `<service-code>:<resource-type>` and is not case sensitive. For example, to specify an Amazon EC2 Subnet, you can use the string `ec2:subnet`. To see the list of valid values for this parameter, query the [ListResourceTypes](https://docs.aws.amazon.com/ram/latest/APIReference/API_ListResourceTypes.html) operation.  
*Required*: Yes  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-ram-permission-tags"></a>
Specifies a list of one or more tag key and value pairs to attach to the permission.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-ram-permission-tag.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-ram-permission-return-values"></a>

### Ref
<a name="aws-resource-ram-permission-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ARN of the permission.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-ram-permission-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-ram-permission-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
The Amazon Resource Name (ARN) of the new permission.

`IsResourceTypeDefault`  <a name="IsResourceTypeDefault-fn::getatt"></a>
Specifies whether this permission is the default for new resource shares that include resources of the associated resource type.

`PermissionType`  <a name="PermissionType-fn::getatt"></a>
The type of managed permission. This can be one of the following values:  
+ **AWS_MANAGED_PERMISSION** – AWS created and manages this managed permission. You can associate it with your resource shares, but you can't modify it.
+ **CUSTOMER_MANAGED_PERMISSION** – You, or another principal in your account, created this managed permission. You can associate it with your resource shares and create new versions that have different permissions.

`Version`  <a name="Version-fn::getatt"></a>
The version number for this version of the permission.

## See also
<a name="aws-resource-ram-permission--seealso"></a>
+ [CreatePermission](https://docs.aws.amazon.com/ram/latest/APIReference/API_CreatePermission.html) in the *AWS Resource Access Manager API Reference*
+  [AWS Resource Access Manager User Guide](https://docs.aws.amazon.com/ram/latest/userguide) 



# AWS::RAM::Permission Tag
<a name="aws-properties-ram-permission-tag"></a>

A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html).

For more information about tags, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference Guide*.

## Syntax
<a name="aws-properties-ram-permission-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ram-permission-tag-syntax.json"></a>

```
{
  "Key" : String,
  "Value" : String
}
```

### YAML
<a name="aws-properties-ram-permission-tag-syntax.yaml"></a>

```
  Key: String
  Value: String
```

## Properties
<a name="aws-properties-ram-permission-tag-properties"></a>

`Key`  <a name="cfn-ram-permission-tag-key"></a>
The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-ram-permission-tag-value"></a>
The string value attached to the tag. The value can be an empty string. Key values are case sensitive.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::RAM::ResourceShare
<a name="aws-resource-ram-resourceshare"></a>

Creates a resource share. You can provide a list of the Amazon Resource Names (ARNs) for the resources that you want to share, a list of principals you want to share the resources with, and the permissions to grant those principals.

**Note**  
Sharing a resource makes it available for use by principals outside of the AWS account that created the resource. Sharing doesn't change any permissions or quotas that apply to the resource in the account that created it.

## Syntax
<a name="aws-resource-ram-resourceshare-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-ram-resourceshare-syntax.json"></a>

```
{
  "Type" : "AWS::RAM::ResourceShare",
  "Properties" : {
      "AllowExternalPrincipals" : Boolean,
      "Name" : String,
      "PermissionArns" : [ String, ... ],
      "Principals" : [ String, ... ],
      "ResourceArns" : [ String, ... ],
      "Sources" : [ String, ... ],
      "Tags" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-ram-resourceshare-syntax.yaml"></a>

```
Type: AWS::RAM::ResourceShare
Properties:
  AllowExternalPrincipals: Boolean
  Name: String
  PermissionArns:
    - String
  Principals:
    - String
  ResourceArns:
    - String
  Sources:
    - String
  Tags:
    - Tag
```

## Properties
<a name="aws-resource-ram-resourceshare-properties"></a>

`AllowExternalPrincipals`  <a name="cfn-ram-resourceshare-allowexternalprincipals"></a>
Specifies whether principals outside your organization in AWS Organizations can be associated with a resource share. A value of `true` lets you share with individual AWS accounts that are *not* in your organization. A value of `false` only has meaning if your account is a member of an AWS Organization. The default value is `true`.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-ram-resourceshare-name"></a>
Specifies the name of the resource share.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PermissionArns`  <a name="cfn-ram-resourceshare-permissionarns"></a>
Specifies the [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) of the AWS RAM permission to associate with the resource share. If you do not specify an ARN for the permission, AWS RAM automatically attaches the default version of the permission for each resource type. You can associate only one permission with each resource type included in the resource share.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Principals`  <a name="cfn-ram-resourceshare-principals"></a>
Specifies the principals to associate with the resource share. The possible values are:  
+ An AWS account ID
+ An Amazon Resource Name (ARN) of an organization in AWS Organizations
+ An ARN of an organizational unit (OU) in AWS Organizations
+ An ARN of an IAM role
+ An ARN of an IAM user
Not all resource types can be shared with IAM roles and users. For more information, see the column **Can share with IAM roles and users** in the tables on [Shareable AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/shareable.html) in the *AWS Resource Access Manager User Guide*.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceArns`  <a name="cfn-ram-resourceshare-resourcearns"></a>
Specifies a list of one or more ARNs of the resources to associate with the resource share.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Sources`  <a name="cfn-ram-resourceshare-sources"></a>
Specifies from which source accounts the service principal has access to the resources in this resource share.  
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-ram-resourceshare-tags"></a>
Specifies one or more tags to attach to the resource share itself. It doesn't attach the tags to the resources associated with the resource share.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-ram-resourceshare-tag.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-ram-resourceshare-return-values"></a>

### Ref
<a name="aws-resource-ram-resourceshare-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ID of the resource share.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-ram-resourceshare-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-ram-resourceshare-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
The Amazon Resource Name (ARN) of the resource share.

`CreationTime`  <a name="CreationTime-fn::getatt"></a>
The date and time when the resource share was created.

`FeatureSet`  <a name="FeatureSet-fn::getatt"></a>
Indicates what features are available for this resource share. This parameter can have one of the following values:  
+ **STANDARD** – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in AWS RAM using the console or APIs. This resource share might have been created by AWS RAM, or it might have been **CREATED_FROM_POLICY** and then promoted.
+ **CREATED_FROM_POLICY** – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so AWS RAM created this customer managed permission automatically on the customer's behalf based on the attached policy document. This type of resource share is visible only to the AWS account that created it. You can't modify it in AWS RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy.
+ **PROMOTING_TO_STANDARD** – This resource share was originally `CREATED_FROM_POLICY`, but the customer ran the PromoteResourceShareCreatedFromPolicy operation, and that operation is still in progress. This value changes to `STANDARD` when complete.

`LastUpdatedTime`  <a name="LastUpdatedTime-fn::getatt"></a>
The date and time when the resource share was last updated.

`OwningAccountId`  <a name="OwningAccountId-fn::getatt"></a>
The ID of the AWS account that owns the resource share.

`Status`  <a name="Status-fn::getatt"></a>
The current status of the resource share.

## Examples
<a name="aws-resource-ram-resourceshare--examples"></a>

### Creating a resource share
<a name="aws-resource-ram-resourceshare--examples--Creating_a_resource_share"></a>

The following example demonstrates how to create a resource share.

#### YAML
<a name="aws-resource-ram-resourceshare--examples--Creating_a_resource_share--yaml"></a>

```
AWSTemplateFormatVersion: 2010-09-09
Resources:
  myresourceshare:
    Type: "AWS::RAM::ResourceShare"
    Properties:
      Name: "My Resource Share"
      ResourceArns:
        - "arn:aws:ec2:us-east-1:123456789012:resource-type/12345678-1234-1234-1234-12345678"
      Principals:
        - "210987654321"
      Tags:
        - Key: "Key1"
          Value: "Value1"
        - Key: "Key2"
          Value: "Value2"
```

#### JSON
<a name="aws-resource-ram-resourceshare--examples--Creating_a_resource_share--json"></a>

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myresourceshare": {
      "Type": "AWS::RAM::ResourceShare",
      "Properties": {
        "Name": "My Resource Share",
        "ResourceArns": [
          "arn:aws:ec2:us-east-1:123456789012:resource-type/12345678-1234-1234-1234-12345678"
        ],
        "Principals": [
          "210987654321"
        ],
        "Tags": [
          {
            "Key": "Key1",
            "Value": "Value1"
          },
          {
            "Key": "Key2",
            "Value": "Value2"
          }
        ]
      }
    }
  }
}
```
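
The property rules on this page for `Name`, `ResourceType`, `PolicyTemplate` and `AllowExternalPrincipals` can be checked before a template is deployed. The following Python lint is an added example, not part of the AWS documentation; the function names, the `org_accounts` allow-list and the sample template are constructed for illustration, and the template is assumed to be already parsed into a dict.

```python
import json
import re

NAME_RE = re.compile(r"[\w.-]{1,36}")       # Name: pattern [\w.-]*, length 1 to 36
RTYPE_RE = re.compile(r"[^:\s]+:[^:\s]+")   # <service-code>:<resource-type>
ACCOUNT_RE = re.compile(r"\d{12}")          # principal given as a bare account ID

def lint_permission(lid, props):
    """Check an AWS::RAM::Permission against the property rules on this page."""
    out = []
    if not NAME_RE.fullmatch(str(props.get("Name", ""))):
        out.append(f"{lid}: Name must match [\\w.-]* and be 1-36 characters")
    if not RTYPE_RE.fullmatch(str(props.get("ResourceType", ""))):
        out.append(f"{lid}: ResourceType must be <service-code>:<resource-type>")
    tpl = props.get("PolicyTemplate", {})
    if isinstance(tpl, str):                # the Json value may be a JSON string
        tpl = json.loads(tpl)
    # Assumption of this example: Effect is compared case-insensitively.
    if str(tpl.get("Effect", "")).upper() != "ALLOW":
        out.append(f"{lid}: PolicyTemplate Effect must be ALLOW")
    if not tpl.get("Action"):
        out.append(f"{lid}: PolicyTemplate needs at least one Action")
    for key in ("Resource", "Principal"):   # AWS RAM fills these in itself
        if key in tpl:
            out.append(f"{lid}: PolicyTemplate must not contain {key}")
    return out

def lint_share(lid, props, org_accounts):
    """Flag an AWS::RAM::ResourceShare that can reach accounts outside the org."""
    out = []
    # Omitted means true (the documented default); the string "false" is also honoured.
    external = str(props.get("AllowExternalPrincipals", True)).lower() != "false"
    if external:
        out.append(f"{lid}: AllowExternalPrincipals is true or unset")
        for p in props.get("Principals", []):
            if ACCOUNT_RE.fullmatch(str(p)) and str(p) not in org_accounts:
                out.append(f"{lid}: account {p} is not a known organization member")
    return out

def lint_template(template, org_accounts=frozenset()):
    """Run both checks over every RAM resource in a parsed template."""
    out = []
    for lid, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::RAM::Permission":
            out += lint_permission(lid, props)
        elif res.get("Type") == "AWS::RAM::ResourceShare":
            out += lint_share(lid, props, org_accounts)
    return out

# Constructed sample template (account IDs reuse the page's example values).
TEMPLATE = {"Resources": {
    "BadPermission": {"Type": "AWS::RAM::Permission", "Properties": {
        "Name": "subnet read only", "ResourceType": "ec2:subnet",
        "PolicyTemplate": {"Effect": "ALLOW", "Action": ["ec2:DescribeSubnets"],
                           "Resource": "*"}}},
    "GoodPermission": {"Type": "AWS::RAM::Permission", "Properties": {
        "Name": "subnet-read-only", "ResourceType": "ec2:subnet",
        "PolicyTemplate": '{"Effect": "ALLOW", "Action": ["ec2:DescribeSubnets"]}'}},
    "OpenShare": {"Type": "AWS::RAM::ResourceShare", "Properties": {
        "Name": "My Resource Share", "Principals": ["210987654321"]}},
    "OrgShare": {"Type": "AWS::RAM::ResourceShare", "Properties": {
        "Name": "org-only", "AllowExternalPrincipals": False,
        "Principals": ["210987654321"]}},
}}

if __name__ == "__main__":
    for finding in lint_template(TEMPLATE, org_accounts={"123456789012"}):
        print(finding)
```

The lint cannot tell whether an account belongs to your organization, so `org_accounts` must be supplied from your own inventory.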

## See also
<a name="aws-resource-ram-resourceshare--seealso"></a>
+ [CreateResourceShare](https://docs.aws.amazon.com/ram/latest/APIReference/API_CreateResourceShare.html) in the *AWS Resource Access Manager API Reference*
+  [AWS Resource Access Manager User Guide](https://docs.aws.amazon.com/ram/latest/userguide) 



# AWS::RAM::ResourceShare Tag
<a name="aws-properties-ram-resourceshare-tag"></a>

A structure containing a tag. A tag is metadata that you can attach to your resources to help organize and categorize them. You can also use them to help you secure your resources. For more information, see [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html).

For more information about tags, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *AWS General Reference Guide*.

## Syntax
<a name="aws-properties-ram-resourceshare-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ram-resourceshare-tag-syntax.json"></a>

```
{
  "Key" : String,
  "Value" : String
}
```

### YAML
<a name="aws-properties-ram-resourceshare-tag-syntax.yaml"></a>

```
  Key: String
  Value: String
```

## Properties
<a name="aws-properties-ram-resourceshare-tag-properties"></a>

`Key`  <a name="cfn-ram-resourceshare-tag-key"></a>
The key, or name, attached to the tag. Every tag must have a key. Key names are case sensitive.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-ram-resourceshare-tag-value"></a>
The string value attached to the tag. The value can be an empty string. Key values are case sensitive.  
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)