Resource Sharing with RAM
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Management and Security Governance: Resource Sharing with RAM
Introduction: Why Resource Sharing Matters in Multi-Account Environments
In the early days of cloud computing, organizations often operated within a single account, keeping all resources, identities, and data under one roof. However, as organizations grow and their cloud footprint expands, the "single account" model quickly becomes a bottleneck. It creates a "blast radius" issue where a security misconfiguration in a development environment could theoretically impact production systems. To solve this, organizations adopt multi-account strategies, using services like AWS Organizations to partition workloads.
While multi-account strategies improve isolation and security, they introduce a new challenge: how do you share common resources efficiently without duplicating them across every single account? If you have a centralized network hub, a shared database, or a common set of license configurations, creating them in every account is not only costly but also an administrative nightmare. This is where AWS Resource Access Manager (RAM) comes into play.
RAM is a service that allows you to share resources across AWS accounts, within your organization, or with specific organizational units (OUs). It provides a secure, audited, and controlled way to grant access to resources without needing to manage complex cross-account identity policies or replicate the resources themselves. Understanding RAM is critical for any cloud administrator or security engineer because it sits at the intersection of operational efficiency and governance. If configured incorrectly, it can inadvertently expose sensitive data or infrastructure; if configured correctly, it allows for a lean, highly manageable, and secure multi-account architecture.
Understanding the Fundamentals of RAM
At its core, AWS RAM is a resource-sharing service that operates on a simple premise: you own the resource in one account (the "owner"), and you grant access to that resource to one or more other accounts (the "principals"). The principal account does not need to own the resource, nor does it need to have complex IAM roles configured in the owner account. Instead, the resource effectively appears as if it exists within the principal account’s environment, subject to the permissions you define.
Key Concepts in RAM
To master RAM, you must understand the terminology used within the service. These concepts define the boundaries of your sharing strategy:
- Resource Owner: The account that created and manages the lifecycle of the resource. This account is responsible for all costs associated with the resource.
- Principal: The account, organizational unit, or organization that is granted access to the shared resource.
- Resource Share: A logical container created in RAM that groups together the resources you want to share and the principals you want to share them with.
- Managed Permissions: Predefined or custom sets of permissions that dictate what actions a principal can perform on the shared resource.
Callout: RAM vs. Cross-Account IAM Roles Many beginners confuse RAM with cross-account IAM roles. While both facilitate cross-account access, they work differently. IAM roles require the user in account A to "assume" a role in account B, often requiring a context switch or a complex chain of trust. RAM, by contrast, "projects" the resource into the target account. The user in the target account interacts with the resource as if it were a local resource, making it much easier to integrate with native tools and services.
Use Cases for Resource Sharing
Before diving into the technical implementation, it is helpful to understand the most common real-world scenarios where RAM is not just useful, but necessary.
1. Centralized Networking (VPC Sharing)
One of the most popular uses of RAM is sharing a Virtual Private Cloud (VPC) subnet. In many enterprises, the networking team manages the VPCs, subnets, and routing tables to ensure compliance with corporate security standards. By using RAM, the networking team can share specific subnets with application teams. The application teams can then launch EC2 instances or RDS databases into those subnets without needing administrative access to the network infrastructure itself.
2. Centralized License Management
If your organization uses AWS License Manager, you can use RAM to share license configurations across your entire organization. This ensures that every account adheres to the same software compliance policies. Instead of manually configuring licenses in every account, you share the license configuration, and any account within the organization can automatically associate that license with their local resources.
3. Shared Transit Gateways
Managing multiple Transit Gateways can be expensive and complex. RAM allows you to share a single Transit Gateway across multiple VPCs owned by different accounts. This simplifies connectivity, routing, and centralized traffic inspection, as all traffic flows through a single, well-governed hub.
Step-by-Step: Setting Up Resource Sharing
To effectively use RAM, you must follow a structured approach. We will walk through the process of sharing a subnet from a central networking account to a member account.
Step 1: Enable Sharing with AWS Organizations
Before you can share resources across your organization, you must enable this feature in the AWS Organizations console.
- Sign in to the AWS Organizations management account.
- Navigate to the Services tab.
- Search for Resource Access Manager.
- Click Enable trusted access.
Note: Enabling trusted access allows RAM to automatically detect your organization's structure, including OUs and accounts, making it significantly easier to manage sharing permissions without needing to invite each account individually.
Step 2: Create a Resource Share
Once enabled, move to the account that owns the resource you intend to share.
- Open the AWS RAM Console.
- Select Create resource share.
- Provide a Name for the share (e.g., "shared-production-subnet").
- Select the Resources you want to share. You can search by resource type (e.g., EC2 Subnet) and select the specific subnet ID.
- Choose the Managed Permissions. RAM provides default permissions that are usually sufficient, but you can create custom permissions if you need to restrict specific API actions.
- Select the Principals. You can choose to share with your entire organization, specific OUs, or individual AWS account IDs.
- Review and Create.
Step 3: Verifying Access in the Principal Account
After creating the share, the principal account will see the resource appearing in their console. If you shared a subnet, the principal account can now select that subnet when launching an EC2 instance.
# Example: Using AWS CLI to describe shared subnets
aws ec2 describe-subnets --filters "Name=owner-id,Values=123456789012"
In this example, the principal account can list the subnets that were shared from the owner account (123456789012). The output will include the shared subnets, which are now available for deployment.
Security Governance and Best Practices
Security is the primary concern when sharing resources across account boundaries. While RAM simplifies operations, it also broadens the potential impact of a compromised account.
Principle of Least Privilege
Always scope your resource shares as tightly as possible. If you only need to share a subnet for a specific application, do not share the entire VPC. If you only need to share with a specific team, use OUs rather than sharing with the "entire organization."
Monitoring with CloudTrail
RAM actions are logged in AWS CloudTrail. You should create CloudWatch alarms or EventBridge rules to notify your security team whenever a new resource share is created or when a principal is added to a share. This provides a clear audit trail of who is sharing what and with whom.
Regularly Audit Resource Shares
Over time, resource shares often become "orphaned"—they are shared with accounts that no longer need access. Conduct quarterly audits of your RAM configurations.
Tip: Use Infrastructure as Code (IaC) Managing RAM manually via the console is prone to human error. Use Terraform or AWS CloudFormation to define your resource shares. This allows you to treat your sharing policy as code, perform peer reviews, and maintain version control over your security governance.
Example: Terraform Snippet for RAM
resource "aws_ram_resource_share" "example" {
name = "shared-subnet-share"
allow_external_principals = false
tags = {
Environment = "Production"
}
}
resource "aws_ram_resource_association" "example" {
resource_arn = aws_subnet.main.arn
resource_share_arn = aws_ram_resource_share.example.arn
}
resource "aws_ram_principal_association" "example" {
principal = "arn:aws:organizations::123456789012:ou/o-example/ou-12345"
resource_share_arn = aws_ram_resource_share.example.arn
}
Common Pitfalls and How to Avoid Them
Even experienced cloud engineers encounter difficulties with RAM. Recognizing these patterns early can save hours of troubleshooting.
1. The "Resource Not Found" Fallacy
A common issue occurs when a user in a principal account tries to use a resource, but it doesn't appear in their console. This is often because the user is looking in the wrong region. RAM shares are region-specific. If you share a subnet in us-east-1, it will not be visible in us-west-2. Always ensure your regional context matches the share.
2. Dependency Conflicts
When you share a resource, you are often sharing a dependency. For example, if you share a subnet, the principal account needs permission to use that subnet, but they also need permission to interact with the associated Network ACLs or Route Tables. If you don't share these associated resources, the resource may appear to be present, but it will be functionally useless.
3. Over-Sharing at the Organization Level
It is tempting to share resources with the entire organization to save time. However, this is a major security risk. If a developer in a sandbox account accidentally deletes a shared resource, or if a compromised account gains access to a production database, the blast radius is massive. Always share with the smallest possible unit (an OU or a specific account).
Callout: The Risk of Implicit Trust Sharing a resource does not grant the principal account automatic permissions to do everything. However, it does grant them the ability to perform actions defined by the RAM permission. If you grant "full access," you are essentially trusting that account to manage that resource. Always evaluate whether the principal account truly needs the level of access you are granting.
Comparison of Resource Sharing Approaches
To decide whether RAM is the right tool for your specific scenario, compare it against traditional methods of cross-account access.
| Feature | AWS RAM | Cross-Account IAM Roles | VPC Peering |
|---|---|---|---|
| Primary Use | Sharing specific resources | Performing API actions | Networking connectivity |
| Complexity | Low | High | Medium |
| Visibility | Resource appears locally | Requires role assumption | Hidden behind routing |
| Governance | Managed via RAM policies | Managed via IAM policies | Managed via Route Tables |
| Best For | Subnets, Licenses, TGW | Admin tasks, CI/CD | Inter-VPC traffic |
Advanced Management: Custom Managed Permissions
While default permissions are useful, advanced environments often require custom logic. AWS RAM allows you to create customer-managed permissions, which are essentially IAM policy documents that define what actions the principal can perform on the shared resource.
For example, if you are sharing an EC2 Image Builder component, you might want to allow the principal account to "use" the component to build images but prevent them from "deleting" or "modifying" the component. You can define this in a customer-managed permission and attach it to your resource share.
Steps to create a Custom Permission:
- Navigate to the RAM Console.
- Select Permission Library.
- Select Create customer managed permission.
- Define the policy document using the JSON editor.
- Ensure you follow the principle of least privilege by only including the necessary
ram:ResourceShareand specific service-linked actions.
Warning: Be extremely careful when defining custom permissions. If you provide overly broad permissions (e.g.,
*actions), you essentially grant the principal account control over the resource that is equivalent to ownership, potentially bypassing your intended governance model.
Practical Troubleshooting Guide
When things go wrong, follow this systematic approach to identify the root cause:
- Check Resource Availability: Is the resource actually in the owner account? Is it in the correct region?
- Verify Trust Status: Is the AWS Organizations integration still active? Check the RAM console for any alerts regarding service-linked roles.
- Check Resource Share Status: Does the resource share show as "Active"? If it is in a "Pending" state, it usually means there is a configuration error in the sharing policy.
- Validate IAM Permissions: Even if the resource is shared, the IAM user or role in the principal account must have the necessary permissions to use the resource. For example, if you share a subnet, the user needs
ec2:RunInstancespermissions in their own account. - Review CloudTrail Logs: Filter by the
ResourceAccessManagerevent source. This will tell you if the share was created, modified, or if an access attempt was denied due to policy constraints.
Scaling Resource Sharing in Large Enterprises
In a large enterprise with hundreds of accounts, managing RAM manually is impossible. You need a centralized strategy for scaling.
The "Hub-and-Spoke" Governance Model
- The Hub (Security/Network Account): This account owns the shared resources (e.g., Transit Gateways, shared subnets, license configurations).
- The Spokes (Workload Accounts): These accounts consume the shared resources.
- Automated Provisioning: Use a CI/CD pipeline to deploy resource shares. When a new workload account is created, the pipeline automatically adds it to the appropriate RAM resource share based on its OU membership.
This approach ensures consistency. You never have to worry about a manual configuration being missed during the onboarding of a new team or application.
Final Best Practices Summary
As we conclude this lesson, keep these fundamental principles at the forefront of your multi-account governance strategy:
- Always use OUs for sharing: Instead of managing individual accounts, group your accounts into OUs and share resources with the OU. This scales automatically as you add new accounts to the organization.
- Use Descriptive Tagging: Tag your resource shares with metadata indicating the owner, the environment, and the purpose of the share. This makes auditing significantly easier.
- Monitor for Unused Shares: Set up a scheduled task (e.g., a Lambda function) to detect resource shares that haven't been accessed in 90 days and flag them for deletion.
- Limit "Allow External Principals": By default, you should disable sharing with accounts outside of your organization unless there is a strictly defined business requirement.
- Document the "Why": For every complex resource share, document the business justification. This is essential for compliance audits (e.g., SOC2, HIPAA).
- Test in Sandbox: Always test new resource sharing configurations in a sandbox environment before applying them to production-critical infrastructure.
- Understand Service Limits: Keep in mind that there are limits on the number of resources you can include in a single share and the number of shares you can have per account. Review the AWS documentation for your specific region to stay within these bounds.
Key Takeaways
- Efficiency through Centralization: RAM allows you to maintain single instances of shared resources like subnets, licenses, and gateways, reducing duplication and operational overhead across your multi-account environment.
- Governance as Code: Treat your resource shares as infrastructure. Use tools like Terraform or CloudFormation to manage shares, ensuring they are documented, version-controlled, and peer-reviewed.
- Blast Radius Reduction: By using RAM, you maintain ownership in one account while providing access to others. This separation of concerns is a cornerstone of a secure, multi-account architecture.
- Least Privilege is Mandatory: Never share more than is necessary. Use custom managed permissions to restrict the specific API actions principals can perform on shared resources to prevent unauthorized modifications.
- Visibility and Auditing: Leverage AWS CloudTrail and EventBridge to monitor RAM activity. Proactive monitoring is the only way to ensure that your sharing policies remain secure and compliant over time.
- Regional Awareness: Remember that RAM is a regional service. A resource shared in one region is not automatically available in another, and your resource shares must be managed accordingly.
- Scalability via Organizations: Utilize the integration with AWS Organizations to share resources at the OU level, which simplifies the management of large-scale environments as you add or remove accounts over time.
By mastering AWS Resource Access Manager, you are not just learning a service; you are adopting a mindset of efficient, secure, and manageable cloud governance. This approach will enable your organization to scale effectively without losing control over your infrastructure assets.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons