

# Configure cross-account access in Global Accelerator

By using cross-account support, you can use AWS Global Accelerator as a fixed entry point to your application that accesses resources in multiple accounts, or choose IP addresses for your accelerator from shared CIDR blocks. Using cross-account permissions for allowing access to resources in different accounts is an AWS best practice. With cross-account support for bring your own IP (BYOIP) address CIDR blocks, you can use the same address pool for accelerators in different accounts in your organization. You can also organize AWS resources under one account that controls internet access to your applications, which can simplify monitoring and security, as well as provide visibility to inbound connections. 

Cross-account support in Global Accelerator enables you to do the following:
+ Add endpoints, such as Network Load Balancers, from other accounts to an accelerator.
+ Choose a BYOIP address pool for IP addresses, and then select IP addresses from the pool for accelerators in different accounts. By sharing a BYOIP address pool, you can use more addresses from the same CIDR block, reducing the number of CIDR blocks that you require.

You can work with cross-account attachments and resources in the Global Accelerator console, or by using Global Accelerator API operations with the AWS Command Line Interface (AWS CLI) or an AWS SDK. For example, as a principal, you can use the [AddEndpoints](https://docs.aws.amazon.com/global-accelerator/latest/api/API_AddEndpoints.html) operation to add a cross-account resource as an endpoint for an accelerator. When you use the API operation, you specify the cross-account attachment ARN and the endpoint ID. For more information, see the [AWS Global Accelerator API Reference Guide](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

**Topics**
+ [How cross-account works](cross-account-resources.how-it-works.md)
+ [Work with cross-account attachments](cross-account-resources.work-with-attachments.md)
+ [Work with cross-account resources](cross-account-resources.work-with-resources.md)
+ [Identify cross-account resources](cross-account-resources.identify-cross-account.md)
+ [Responsibilities and permissions](cross-account-resources-endpoints.responsibilities-cross-account.md)
+ [Billing costs](cross-account-resources-endpoints.billing-cross-account.md)
+ [Quotas](cross-account-resources-endpoints.quotas-cross-account.md)

# How cross-account works in Global Accelerator

With cross-account support in Global Accelerator, resource owners control whether their resources are shared with accelerators owned by other accounts. To enable resource sharing for your resources, you—as a resource owner—create a Global Accelerator *cross-account attachment* to authorize resources in your account to be added to an accelerator by another account.

You create the cross-account attachment in Global Accelerator. The attachment lists the *resources* that you want to share, and the *principals*—other accounts or specific accelerator ARNs— that are authorized to use the resources. Resources can be AWS resources, like Network Load Balancers, that you add as endpoints to accelerator endpoint groups, or resources can be IP address ranges that you've brought to Global Accelerator with the bring your own IP address (BYOIP) process.

**Important**  
Before you can add a BYOIP IP address range to a cross-account attachment to share with principals, you must complete the process to *provision* and *advertise* the address range. For more information, see [Bring your own IP addresses (BYOIP) in Global Accelerator](using-byoip.md).

After you, as a resource owner, create an attachment, principals listed in the attachment can work with resources that are listed in the attachment. That is, they can add as endpoints AWS resources that are listed, or select as a static IP address a BYOIP address from CIDR prefixes that are listed. When a principal wants to add a cross-account resource for an accelerator, they must specify the cross-account attachment that authorizes them as a principal with permission to use the resource.

# Work with cross-account attachments in Global Accelerator

To allow someone to add a resource from another account as an endpoint or a BYOIP address for an accelerator, the owner of the resource must create a *cross-account attachment* in Global Accelerator. In the attachment, the resource owner specifies one or more accelerators or accounts—principals— that are allowed to add resources, along with the specific resources that the principals can add to accelerators.

As a resource owner, be aware that to specify a resource in a cross-account attachment, you must own the resource in your AWS account. That is, the resource must be allocated or provisioned in your account; you cannot specify a resource that has been shared with *you*, such as a shared subnet.

**Topics**
+ [Create cross-account attachments](cross-account-resources.create-attachment.md)
+ [Edit cross-account attachments](cross-account-resources.edit-attachment.md)
+ [Delete cross-account attachments](cross-account-resources.delete-attachment.md)

# Create a cross-account attachment in AWS Global Accelerator

Follow the steps in this section to create a cross-account attachment by using the AWS Global Accelerator console. To learn about using API operations with Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To create a cross-account attachment


1. Open the Global Accelerator console at [https://console.aws.amazon.com/globalaccelerator/home](https://console.aws.amazon.com/globalaccelerator/home).

1. Choose **Create cross-account attachment**.

1. On the **Create cross-account attachment** page, enter a name for the attachment.

1. Add the AWS accounts or the ARNs for the accelerators, or both, that you want to allow to add your resources.

1. Select the resources that you want to allow to be used. For example, to add resources that can be added as endpoints, for each resource, choose an AWS Region. Then, from the drop-down menus, select an endpoint type (resource type) and the endpoint (resource) to add.

1. Choose **Create attachment**.

Note: To see the new cross-account attachment in your list of attachments, refresh the **Cross-account attachments** page.

# Edit a cross-account attachment in AWS Global Accelerator

Follow the steps in this section to edit a cross-account attachment by using the AWS Global Accelerator console. To learn about using API operations with Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

You can edit a cross-account attachment to add or remove principals or resources, rename the attachment, or delete the attachment.

Be aware of the following when you remove principals or resources, or delete an attachment:
+ To remove a principal or CIDR from an attachment, the principal must first remove shared IP addresses from all accelerators that use them. Then, you can remove the principal, or CIDRs, from the attachment.
+ Before you can remove shared IP addresses or remove authorization for principals to access a shared CIDR from an attachment, the shared IP addresses for the CIDR must not be currently used by any accelerators.
+ If you remove a principal from a cross-account attachment that enables the principal to add one or more shared endpoints, Global Accelerator removes those cross-account endpoints from any accelerator that uses that permission for cross-account resources listed in the attachment.
+ If you remove an endpoint resource from a cross-account attachment, Global Accelerator removes the cross-account endpoint from any accelerator where it was added as an endpoint based on the permissions in the attachment.
+ If you delete a cross-account attachment, Global Accelerator removes all cross-account endpoints listed in the attachment from all accelerators where the resources were added as endpoints based on the permissions in the attachment.
+ If there are multiple cross-account attachments that include a principal, or that include a resource, Global Accelerator continues to allow the access that any existing attachment provides. So, for example, if you remove a principal from one attachment but the principal still has permission to access a resource that's granted by a second attachment, Global Accelerator continues to allow the principal access to the cross-account resource.
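The authorization check described in How cross-account works and the removal rules in the list above, as an added example that is not AWS code: a small offline model in which a principal's request must name an attachment that lists both the principal and the resource, and removing a principal or deleting an attachment drops dependent endpoints only when no other attachment still grants the same access. The account IDs and ARNs are constructed placeholders.

```python
# Added example (not AWS code): offline model of this page's cross-account rules; all IDs/ARNs are constructed.
from __future__ import annotations
from dataclasses import dataclass, field

OWNER, PRINCIPAL = "111111111111", "222222222222"
NLB_ARN = "arn:aws:elasticloadbalancing:us-west-2:111111111111:loadbalancer/net/shared/abc123"
ACCEL_ARN = "arn:aws:globalaccelerator::222222222222:accelerator/acc-placeholder"
ATT1, ATT2 = (f"arn:aws:globalaccelerator::{OWNER}:attachment/att-{n}" for n in (1, 2))


@dataclass
class Attachment:
    arn: str
    owner: str            # account that provisioned the shared resources
    principals: set[str]  # account IDs and/or accelerator ARNs allowed to use them
    resources: set[str]   # endpoint ARNs or BYOIP CIDRs being shared


@dataclass
class Accelerator:
    arn: str
    owner: str
    # endpoint -> attachment ARN it was added under (None for the owner's own resources)
    endpoints: dict[str, str | None] = field(default_factory=dict)


class CrossAccountModel:
    def __init__(self) -> None:
        self.attachments: dict[str, Attachment] = {}

    def create_attachment(self, att: Attachment) -> None:
        self.attachments[att.arn] = att

    def authorizes(self, att_arn: str, accel: Accelerator, resource: str) -> bool:
        """Grant if the attachment lists the resource and the account or the accelerator ARN."""
        att = self.attachments.get(att_arn)
        return (att is not None and resource in att.resources
                and (accel.owner in att.principals or accel.arn in att.principals))

    def add_endpoint(self, accel: Accelerator, resource: str, att_arn: str) -> None:
        # The principal must name the attachment that authorizes the addition.
        if not self.authorizes(att_arn, accel, resource):
            raise PermissionError(f"{accel.owner} may not add {resource} via {att_arn}")
        accel.endpoints[resource] = att_arn

    def reconcile(self, accelerators: list[Accelerator]) -> list[tuple[str, str]]:
        """Cascade rule: drop every cross-account endpoint that no remaining
        attachment grants; access still granted by another attachment survives."""
        removed = []
        for accel in accelerators:
            for resource, via in list(accel.endpoints.items()):
                if via is not None and not any(
                        self.authorizes(a, accel, resource) for a in self.attachments):
                    del accel.endpoints[resource]
                    removed.append((accel.arn, resource))
        return removed

    def remove_principal(self, att_arn, principal, accelerators):
        self.attachments[att_arn].principals.discard(principal)
        return self.reconcile(accelerators)

    def delete_attachment(self, att_arn, accelerators):
        del self.attachments[att_arn]
        return self.reconcile(accelerators)


def demo() -> tuple[list, list, dict]:
    # Two attachments from the same owner share one NLB with the same principal account.
    model = CrossAccountModel()
    model.create_attachment(Attachment(ATT1, OWNER, {PRINCIPAL}, {NLB_ARN}))
    model.create_attachment(Attachment(ATT2, OWNER, {PRINCIPAL}, {NLB_ARN}))
    accel = Accelerator(ACCEL_ARN, PRINCIPAL)
    model.add_endpoint(accel, NLB_ARN, ATT1)
    first = model.remove_principal(ATT1, PRINCIPAL, [accel])  # att-2 still grants: nothing removed
    second = model.delete_attachment(ATT2, [accel])           # last grant gone: endpoint dropped
    return first, second, dict(accel.endpoints)
```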

# To edit a cross-account attachment


1. Open the Global Accelerator console at [https://console.aws.amazon.com/globalaccelerator/home](https://console.aws.amazon.com/globalaccelerator/home).

1. Choose **Cross-account attachments**.

1. Choose a cross-account attachment to update, and then choose **Edit**.

1. Modify the attachment to make the desired changes. For example, you can add or remove principals, rename the attachment, or add or remove resources.

1. Choose **Save changes**.

# Delete a cross-account attachment in Global Accelerator

Follow the steps in this section to delete a cross-account attachment by using the AWS Global Accelerator console. To learn about using API operations with Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To delete a cross-account attachment


1. Open the Global Accelerator console at [https://console.aws.amazon.com/globalaccelerator/home](https://console.aws.amazon.com/globalaccelerator/home).

1. Choose **Cross-account attachments**.

1. Choose a cross-account attachment, and then choose **Delete**.

1. In the dialog box, type **delete** in the text box, to confirm that you want to delete the cross-account attachment.

1. Choose **Delete**.

# Work with cross-account resources in Global Accelerator

If your account, or an accelerator that you have permission to access, is specified as a principal in a cross-account attachment in AWS Global Accelerator, you can use resources that have been shared with you from another account.

For example, you can select bring your own IP (BYOIP) addresses as static IP addresses when you create an accelerator, or you can add endpoints to accelerator endpoint groups for an accelerator. The resources that you can add must also be specified in the attachment.

The following sections include the steps to add or remove cross-account resources in Global Accelerator.

**Topics**
+ [Add cross-account BYOIP addresses](cross-account-resources.add-byoip.md)
+ [Add cross-account endpoints](cross-account-resources.add-endpoints.md)
+ [Remove cross-account endpoints](cross-account-resources.remove-endpoints.md)

# Add a cross-account BYOIP address in Global Accelerator

Follow the steps in this section to use a cross-account bring your own IP (BYOIP) address by using the AWS Global Accelerator console. To learn about using API operations with Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

You can change the BYOIP addresses that you use for your accelerator, but some restrictions apply. For more information, see [How to update an accelerator to change an IP address](using-byoip.update-accelerator.md#using-byoip.update-accelerator.how-to).

# To use a cross-account BYOIP IP address


1. Open the Global Accelerator console at [https://console.aws.amazon.com/globalaccelerator/home](https://console.aws.amazon.com/globalaccelerator/home).

1. Choose **Create accelerator**.

1. Provide a name for your accelerator.

1. Select an **Accelerator type**.

1. For **IP address type**, select **IPv4**.

1. Select the **Use a static IP address from a CIDR authorized for cross-account** check box.

1. Select the account ID for the owner of the cross-account attachment that specifies you as a principal and that includes the BYOIP address block that has been shared with you.

   Note that because you must choose one account to select addresses from, if you select two BYOIP IP addresses when you create an accelerator, the IP addresses must have the same owner and be authorized in the same cross-account attachment.

1. Specify one or both static IP addresses for your accelerator.
   + For each static IP address, choose the IP address pool to use.

     **Note**  
     You must choose a different IP address pool for each static IP address. This restriction is because Global Accelerator assigns each address range to a different network zone, for high availability.
   + If you chose your own IP address pool, also choose a specific IP address from the pool. If you choose the default Amazon IP address pool, Global Accelerator assigns a specific IP address to your accelerator.

1. Optionally, add one or more tags to help you identify your accelerator resources.

1. Choose **Next** to add listeners, endpoint groups, and endpoints.

# Add cross-account endpoints in AWS Global Accelerator

Follow the steps in this section to add cross-account endpoints by using the AWS Global Accelerator console. To learn about using API operations with Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To add a cross-account endpoint


1. When you create or update an accelerator, in the **Endpoints** section, choose **Add endpoint**.

1. On the **Add endpoints** page, select **Add a resource specified in a cross-account attachment**.

1. In the drop-down menu, select an AWS account that has created a cross-account attachment that includes you or the accelerator as a principal.

1. For **Endpoint type**, choose the type of resource that you want to add.

   Note that only the resource types included in the cross-account attachment appear in the drop-down menu.

1. For **Endpoint**, choose the resource that you want to add.

   Note that only resources that are included in the cross-account attachment appear in the drop-down menu. To see resources that are not enabled by a cross-account attachment, clear the **Add a resource specified in a cross-account attachment** check box.

# Remove a cross-account endpoint in Global Accelerator

Follow the steps in this section to remove cross-account endpoints by using the AWS Global Accelerator console. To learn about using API operations with Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To remove a cross-account endpoint


1. When you create or update an accelerator, on the **Endpoint group** details page, choose the endpoint that you want to remove.

1. Choose **Remove**.

# Identify your cross-account resources in Global Accelerator

Resource owners and principals can identify shared resources by using the AWS Global Accelerator console or by using the AWS CLI with Global Accelerator operations. For example, you can do the following:
+ As an owner, you can see a list of your cross-account attachments, and view the principals and resources in each attachment.
+ As a principal, you can view all cross-account attachments that you're listed in, and you can list the resources that you can add as endpoints or IP address ranges for an accelerator, for a specific attachment.

For more information about using API operations to view cross-account attachments and shared resources, see [AWS Global Accelerator API Reference Guide](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

## As an owner: Identify your cross-account resources in Global Accelerator

As an owner, you can view your cross-account attachments in the AWS Management Console, or by using the AWS Command Line Interface with Global Accelerator API operations.

## To see your cross-account attachments

+ In the Global Accelerator console, choose **Cross-account attachments**.

## To see the information included in a cross-account attachment


1. In the Global Accelerator console, on the **Cross-account attachments** page, choose an attachment, and then choose **View details**.

   —OR—

1. Use the API operation [ListCrossAccountResources](https://docs.aws.amazon.com/global-accelerator/latest/api/API_ListCrossAccountResources.html), for example, by using the AWS Command Line Interface. This operation returns a list of unique attachment-resource pairs, for every resource, in every attachment, in the account.

   For example, if you have two cross-account attachments, and the first includes two endpoints and a CIDR block, while the second includes three endpoints, `ListCrossAccountResources` returns six attachment-resource pairs: attachment1-endpoint1, attachment1-endpoint2, attachment1-CIDR, attachment2-endpoint3, attachment2-endpoint4, and attachment2-endpoint5.

## As a principal: Identify your cross-account resources in Global Accelerator

As a principal, after you're authorized by a cross-account attachment to add a resource to an accelerator as an endpoint, there is no additional action to take before you can add a resource as an endpoint.

You can see the AWS accounts that have created a cross-account attachment that you're listed as a principal in. You can also see the resources specified in the attachment that each account has created, that you can add as endpoints or IP address ranges for an accelerator.

## To see the accounts that have created a cross-account attachment that you're listed as a principal in


1. In the Global Accelerator console, on the **Endpoint details** page for an accelerator, choose **Add endpoint**.

1. On the **Add endpoints** page, select **Add a resource specified in a cross-account attachment**.

1. In the drop-down menu for **Select account ID of the cross-account attachment owner**, view the account or accounts that give you permission in a cross-account attachment to add resources to the accelerator.

## To see the endpoint resources specified in the attachment that each account has created


1. In the Global Accelerator console, on the **Endpoint details** page for an accelerator, choose **Add endpoint**.

1. On the **Add endpoints** page, select **Add a resource specified in a cross-account attachment**.

1. In the drop-down menu, select an account that gives you permission in a cross-account attachment to add resources to the accelerator.

1. For **Endpoint type**, choose a type of resource.

   Note that only the resource types included in the cross-account attachment appear in the drop-down menu.

1. In the **Endpoint** drop-down menu is a list of the resources. These are the resources that you are authorized by the account that created the cross-account attachment to add as endpoints, for a specific resource type.

1. To see the resources that you can add that are specified in the cross-account attachment created by a different account, do the following: In the drop-down menu for **Select account ID of the cross-account attachment owner**, select a different AWS account.

## To see the IP address resources specified in the attachment that an account has created


1. In the Global Accelerator console, choose **Create accelerator**.

1. On the **Enter name** page, for IP address type, select **IPv4**.

1. Under IP address pool selection, select **Use a shared IP address pool specified in a cross-account attachment**.

1. Select an account that gives you permission in a cross-account attachment to choose IP addresses from a shared IP address pool.

1. For **IP address pool**, in the drop-down list, you can view shared IP address pools.

   Note that only the shared IP address pools included in a cross-account attachment that you are permitted to use appear in the drop-down menu.

# Responsibilities and permissions for cross-account resources in Global Accelerator

The following sections list the permissions you have as a resource owner or as a principal for cross-account access in AWS Global Accelerator.

## Permissions for resource owners


When you, as a resource owner, authorize principals to add resources from your AWS account to their accelerators, or to a specific accelerator, principals can add any resources that you have listed in the cross-account attachment. 

As a resource owner, you are responsible for creating, managing, and deleting your resources. You can't add or remove resources in accelerators unless you have a role that is authorized to do so.

If you have an accelerator and you need to add or remove cross-account resources, a principal can set up a role in IAM with permission to access the resources, and add your account to the role.

You can add or remove principals or resources from a cross-account attachment, to manage whether resources that you own are used as endpoints or shared IP address pools for accelerators.

## Permissions for principals


In general, principals can add resources that are listed in a cross-account attachment for an accelerator that the attachment provides permission for. They can only view, add, or remove endpoints, or select shared IP addresses from BYOIP address pools, for the cross-account resources that they have permission for. 

The following applies for principals:
+ Principals can only view, add, or remove resources as endpoints or shared IP address pools for an accelerator that they have been granted permission for in a cross-account attachment.
+ Principals can only modify resources, such as load balancers, that they own themselves. They cannot modify resources specified in a cross-account attachment, because the resources belong to the resource owner.

Although principals cannot modify the actual cross-account resources on the basis of a cross-account attachment, the resource owner can create an IAM role that provides permission to access the resource. The owner can then grant a principal permission to assume the role, so that the principal can access the resource in whatever way the owner has specified through the role's permissions.

# Billing costs for cross-account resources in Global Accelerator

The owner of an accelerator in AWS Global Accelerator is billed for costs associated with the accelerator. There are no additional costs, for accelerator owners or for resource owners, for adding cross-account resources as endpoints or as bring your own IP address (BYOIP) pools for an accelerator.

For more information about pricing, see [Pricing for AWS Global Accelerator](introduction-pricing.md).

# Quotas for cross-account resources in Global Accelerator

The following applies when you work with cross-account attachments and cross-account resources in AWS Global Accelerator:
+ All cross-account resources, and other resources, that are added as endpoints for an accelerator—including resources added by all principals with cross-account permission—count toward quotas in effect for the accelerator.
+ Quotas for accelerators are enforced for principals.
+ Quotas for cross-account attachments in Global Accelerator are enforced for resource owners.

For more information about quotas, see [Quotas for AWS Global Accelerator](limits-global-accelerator.md).