AWS Resource Access Manager
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Lesson: Mastering AWS Resource Access Manager (RAM)
Introduction: The Challenge of Multi-Account Architectures
In the early days of cloud computing, many organizations started with a single AWS account. As these organizations grew, they inevitably hit limits regarding resource quotas, billing transparency, and security boundaries. The industry-standard solution to these problems is the multi-account strategy, often implemented via AWS Organizations. By separating workloads into different accounts—such as a "Production" account, a "Development" account, and a "Shared Services" account—companies can achieve better isolation and security.
However, a multi-account strategy introduces a significant operational hurdle: how do you share resources across these accounts without duplicating them? If you have a centralized VPC, a Transit Gateway, or a set of License Manager configurations, you do not want to recreate these in every single account. This is where AWS Resource Access Manager (RAM) becomes essential. RAM is a service that allows you to share your AWS resources with any AWS account or through AWS Organizations. It provides a centralized, secure way to manage cross-account access, ensuring that you maintain governance while reducing the operational overhead of managing redundant infrastructure.
Understanding RAM is not just about knowing which buttons to click in the console; it is about understanding the architecture of resource ownership, permissions, and the lifecycle of shared infrastructure. In this lesson, we will dive deep into how RAM functions, how to implement it effectively, and the best practices for maintaining a secure and scalable multi-account environment.
Understanding the Core Concepts of AWS RAM
To use AWS RAM effectively, you must first understand the relationship between the "Resource Owner" and the "Principal." The Resource Owner is the account that originally created the resource. The Principal is the entity—which could be an individual AWS account, an Organizational Unit (OU), or an entire Organization—that receives access to that resource.
How Resource Sharing Works
When you share a resource through RAM, you are essentially creating a bridge between accounts. The resource itself remains in the owner's account; it is never moved or copied. Instead, RAM modifies the underlying resource-based policy to allow the principal to interact with it. This is a critical distinction because it means that if the owner deletes the resource, it disappears for everyone. If the owner updates the resource configuration, those changes are immediately reflected in the principal accounts.
Key Components of RAM
- Resource Share: This is the primary object in RAM. It acts as a container that groups the resources you want to share and the principals you want to share them with. You can think of it as a logical grouping for your cross-account permissions.
- Managed Permissions: RAM provides pre-defined, AWS-managed permissions for each resource type. These permissions define exactly what actions the principal can perform on the shared resource. For example, when sharing a subnet, the managed permission might allow the principal to launch instances into that subnet but prevent them from deleting the subnet itself.
- Resource Types: Not every AWS resource can be shared. RAM supports a specific list of resources, including VPC subnets, Transit Gateways, License Manager configurations, and Route 53 Resolver rules. As AWS evolves, the list of supported resources continues to grow.
Callout: Resource Sharing vs. Identity-Based Access It is important to distinguish between RAM and IAM (Identity and Access Management). IAM controls who can do what within a single account. RAM, by contrast, extends the reach of a resource across account boundaries. While IAM policies grant permissions to users or roles, RAM creates the cross-account plumbing that allows those users to see and interact with resources owned by another account.
Step-by-Step: Implementing Resource Sharing
Setting up RAM involves a few deliberate steps, particularly if you are working within an AWS Organization. If you are not using Organizations, you must manually invite accounts to accept the shares, which adds administrative friction.
1. Enabling Sharing with AWS Organizations
If you want to share resources across your entire organization without needing manual approvals for every account, you must enable sharing with AWS Organizations first.
- Log into the AWS Management Console of your Management Account (the account that acts as the organization root).
- Navigate to the Resource Access Manager dashboard.
- Click on Settings in the left-hand navigation pane.
- Check the box labeled "Enable sharing with AWS Organizations."
- Once enabled, any resource share you create can target the entire organization or specific Organizational Units (OUs), significantly simplifying management.
2. Creating a Resource Share
Once sharing is enabled, you can create your first resource share.
- In the RAM console, click Create resource share.
- Give your share a descriptive name, such as
Shared-VPC-Subnets-Prod. - Select Resources: Choose the resource type (e.g., Subnet) and select the specific resources you wish to share.
- Select Managed Permissions: Choose the permission set that aligns with the level of access you want to grant. For instance, if you are sharing a subnet, choose the standard subnet access permission.
- Specify Principals: Here, you can select the AWS accounts, OUs, or the entire organization ID.
- Review and Create: Double-check your configuration and finalize the share.
3. Verifying Access in the Principal Account
After the share is created, log into one of the recipient accounts. If you have enabled the "Allow sharing with AWS Organizations" feature, the share will automatically be available to the principal. You can verify this by going to the VPC console in the recipient account and attempting to launch an EC2 instance. You should see the shared subnet available in the dropdown menu.
Warning: The Principle of Least Privilege Even though RAM makes sharing easy, you must be careful. Sharing a resource grants the principal access to that resource. If you share a transit gateway, the principal can potentially route traffic through your centralized hub. Always audit your resource shares regularly to ensure you are not granting broader access than is strictly required for the workload.
Practical Examples of Resource Sharing
Example 1: Centralized VPC Networking
Many organizations prefer to have a single "Network Account" that manages all VPCs and transit gateways. This allows network engineers to control IP address management (IPAM) and security boundaries in one place while developers in other accounts simply consume those subnets.
- The Workflow:
- Create a VPC in the Network Account.
- Use RAM to share the subnets with the Developer OU.
- Developers can now launch their EC2 instances or RDS databases into these shared subnets.
- The Network Account maintains control over the routing tables, NACLs, and internet gateways, ensuring that all traffic adheres to company security policies.
Example 2: Managing Software Licenses
If your company has purchased a high-volume license for a specific software product, you can use AWS License Manager in conjunction with RAM.
- The Workflow:
- Configure the license in the License Manager within your central IT account.
- Use RAM to share the License Configuration with various business unit accounts.
- When developers in those accounts launch instances, they attach the license configuration. The central IT team can track usage across the entire organization without needing to track individual account activity manually.
Automation: Using Infrastructure as Code (IaC)
While the console is useful for learning, production-grade deployments should always use Infrastructure as Code. AWS RAM is fully supported by CloudFormation and the AWS CLI.
Using CloudFormation for Resource Sharing
Below is a simple example of how to define a resource share using CloudFormation. This template shares a subnet with an entire AWS Organization.
Resources:
MyResourceShare:
Type: AWS::RAM::ResourceShare
Properties:
Name: SharedSubnetShare
ResourceArns:
- !Sub "arn:aws:ec2:us-east-1:${AWS::AccountId}:subnet/subnet-0123456789abcdef0"
Principals:
- !Sub "arn:aws:organizations::123456789012:organization/o-exampleorgid"
PermissionArns:
- "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet"
Explanation of the code:
AWS::RAM::ResourceShare: This is the resource type that manages the share.ResourceArns: This is a list of the specific resources you want to share. Note that you must provide the full ARN of the resource.Principals: This defines who gets access. By using the Organization ARN, you are inviting every account under that organization to consume the resource.PermissionArns: This defines the level of access. Using the default AWS-managed permission for subnets is usually the safest starting point.
Using the AWS CLI
If you prefer a command-line approach, you can create a share using the following command:
aws ram create-resource-share \
--name "Shared-Subnet-CLI" \
--resource-arns arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0123456789abcdef0 \
--principals o-exampleorgid \
--permission-arns arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet
This command achieves the same result as the CloudFormation template but is useful for quick, ad-hoc resource sharing tasks or for integration into CI/CD pipelines where you might be programmatically creating resources and sharing them immediately.
Best Practices for Secure Resource Sharing
Managing resources across accounts is powerful, but it introduces risks if not handled correctly. Follow these best practices to maintain a secure environment.
1. Centralize Your Resource Governance
Do not allow every account holder to share resources. Use SCPs (Service Control Policies) in AWS Organizations to restrict who can create or modify RAM resource shares. Only designated "Admin" accounts or the "Network" account should have the permissions required to initiate resource shares.
2. Audit Regularly with CloudTrail
Every action taken in RAM is logged in AWS CloudTrail. You should set up alerts for CreateResourceShare, DeleteResourceShare, and AssociateResourceShare events. This ensures that you can track exactly who is sharing what and when they are doing it.
3. Use Organizational Units (OUs) for Scoping
Never share resources with an entire organization if you don't have to. Organize your accounts into OUs (e.g., Prod, Dev, Sandbox) and share resources only with the specific OUs that require them. This minimizes the blast radius if an account in the Sandbox OU is compromised.
4. Understand Resource Limits
RAM has service quotas, just like any other AWS service. If you are sharing thousands of resources, you may hit these limits. Always check the AWS Service Quotas console to understand the maximum number of resource shares and resources per share allowed in your region.
Tip: Monitoring Shared Resources Use the AWS RAM console to periodically review the "Shared with me" tab. This will show you exactly what resources other accounts have shared with you. It is a great way to discover forgotten dependencies or unauthorized resource usage within your account.
Common Pitfalls and Troubleshooting
Even experienced engineers run into issues with RAM. Here are the most frequent mistakes and how to fix them.
Pitfall 1: Forgetting to Accept Shares
If you have not enabled "Sharing with AWS Organizations," you must manually accept every resource share invitation. If you create a share and the recipient account says they cannot see it, check the "Shared with me" section in the RAM console of the recipient account to see if there is a pending invitation.
Pitfall 2: Confusing IAM and RAM
A common point of confusion is assuming that because a resource is shared, the user automatically has permission to use it. This is false. RAM only creates the "cross-account plumbing." The user in the recipient account must also have the appropriate IAM permissions to interact with that resource type (e.g., ec2:RunInstances for a shared subnet). Always check both the RAM share and the IAM policy if access is denied.
Pitfall 3: Deleting Shared Resources
When an owner deletes a shared resource, it disappears from all accounts immediately. This can cause massive, unexpected outages. Before deleting a subnet, a Transit Gateway, or any other shared infrastructure, always check the RAM console to see if it is currently being shared and with whom. Communicate any planned deletions to the stakeholders in the recipient accounts well in advance.
Pitfall 4: Regional Constraints
RAM is a regional service. You cannot share a resource in us-east-1 with an account in us-west-2. If your architecture spans multiple regions, you must create a resource share for each region individually. Keep this in mind when designing your infrastructure automation.
Comparison Table: RAM vs. Other Cross-Account Methods
| Feature | AWS RAM | VPC Peering | Transit Gateway |
|---|---|---|---|
| Primary Purpose | Sharing resources | Connecting VPCs | Hub-and-spoke networking |
| Complexity | Low | Medium | High |
| Scalability | High (via Orgs) | Low (point-to-point) | Very High |
| Resource Types | Subnets, Licenses, etc. | VPCs only | Network traffic only |
| Management | Centralized | Decentralized | Centralized |
As shown in the table, RAM is distinct from networking tools like VPC Peering. While peering connects two VPCs together, RAM is used to allow multiple accounts to exist within the same VPC subnets. Choosing the right tool depends on whether you need isolation (Peering/TGW) or shared infrastructure (RAM).
Frequently Asked Questions (FAQ)
Q: Can I share resources with accounts outside of my AWS Organization? A: Yes, you can share resources with individual AWS accounts outside of your organization by providing their Account ID. However, this requires the recipient to manually accept the invitation, which is why sharing within an Organization is the preferred method for internal corporate environments.
Q: Does RAM charge extra fees? A: AWS RAM itself is free to use. You only pay for the underlying resources that you are sharing (e.g., the cost of the VPC, the Transit Gateway, or the License Manager configuration).
Q: If I share a subnet, can the recipient see all the instances I have running in it? A: Yes, if a recipient has permissions to use the subnet, they can describe the resources within that subnet. They cannot necessarily modify the instances owned by other accounts, but they can see the metadata of the resources residing in the shared space.
Q: What happens if I move an account to a different Organizational Unit? A: If you share resources with an OU, and you move an account out of that OU, the account will lose access to the shared resources. If you move an account into that OU, it will automatically gain access. This makes OUs a very powerful way to manage access dynamically.
Summary and Key Takeaways
AWS Resource Access Manager is a fundamental service for any organization operating at scale. By moving away from resource duplication and toward a model of shared infrastructure, you can significantly reduce your operational burden and improve the consistency of your environment.
Key Takeaways:
- Centralization is Key: Use AWS Organizations and RAM together to create a central hub for shared resources like subnets and transit gateways. This ensures consistency and simplifies compliance.
- Understand the "Owner vs. Principal" Dynamic: Always remember that the resource owner retains full control. If the owner deletes the resource, all principals lose access immediately.
- Governance through SCPs: Do not let resource sharing become the "Wild West." Use Service Control Policies (SCPs) to limit who can create shares and restrict sharing to approved Organizational Units.
- IAM and RAM work together: Remember that RAM provides the path to the resource, but IAM provides the permission to use it. If a user cannot access a shared resource, check both layers.
- Automate Everything: Use CloudFormation or Terraform to manage your RAM shares. Manually configuring shares through the console is prone to human error and is difficult to audit over time.
- Regular Auditing: Use CloudTrail and the RAM console to periodically review your resource shares. Remove any shares that are no longer in use to adhere to the principle of least privilege.
- Regional Awareness: Always remember that RAM is regional. Ensure your infrastructure automation accounts for regional differences when deploying across multiple AWS regions.
By mastering these concepts, you transition from managing individual accounts to managing a cohesive, multi-account ecosystem. This shift is essential for building resilient, scalable, and secure cloud architectures that stand the test of time.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons