Implementing Cross Account Access with AWS RAM (Resource Access Manager)

Introduction

In a multi-account AWS environment, managing shared resources like subnets, Transit Gateways, or Route 53 Resolver rules across accounts can become challenging. That’s where AWS Resource Access Manager (RAM) steps in. RAM allows secure, controlled sharing of AWS resources across accounts, eliminating duplication and reducing cost.

In this blog, we’ll walk you through the concept, use cases, and step-by-step implementation of cross-account access using AWS RAM.

Use Cases for AWS RAM

• Sharing VPC subnets with other AWS accounts (e.g., centralized VPC model).
• Sharing Transit Gateways between networking and workload accounts.
• Centralized management of Route 53 Resolver rules.
• Sharing License Manager configurations.
• Consolidated access to AWS Glue Data Catalogs.

Prerequisites

• At least two AWS accounts (a resource owner and a consumer).
• Appropriate IAM permissions (described below).
• Optional: AWS Organizations setup if you’re using organizational sharing.

IAM Permissions Required

In the resource-owning account:

Step-by-Step Implementation

We’ll walk through the steps to share a VPC subnet between two accounts using AWS RAM.

Step 1: Enable Sharing with AWS Organization (Optional)

If you use AWS Organizations and want to share with Organizational Units (OUs):

• Go to the AWS RAM Console in the resource-owning account.
• Click “Settings”.
• Select “Enable sharing with AWS Organization”.

 Step 2: Create the Resource Share

• In the resource owner’s account, go to the AWS RAM Console.
• Click “Create resource share”.

• Provide a name for the share (e.g., Shared-VPC-Subnets).
• Select the resources to share (e.g., a specific VPC subnet).

Scroll down, select NEXT.

In Associate managed permissions -leave as default, as AWS does not allow editing permissions for subnet sharing

• Under Principals, choose:
  • Either an AWS Account ID (for individual account sharing), or
  • An Organizational Unit (OU) or organization ID.
  • Click on ADD

• Optionally, add tags.
• Then, review and create a resource share.

Step 3: Accept the Resource Share Invitation

• In the consumer account, open the AWS RAM console.
• Navigate to “Shared with me” > “Resource share invitations”.
• Accept the invitation.

Note: If both accounts are under the same AWS Organization and organizational sharing is enabled, invitations are automatically accepted.

Step 4: Verify Access to Shared Resource

In the consumer account, verify that the shared resource appears:

• For VPC subnets, go to VPC Console → Subnets, and filter with the VPC ID.
• Ensure the region is the same.

For some services (like subnets), you can launch resources (like EC2 instances) directly into the shared subnet.

Example: Launch EC2 Instance in Shared Subnet

In the consumer account:

• Go to the EC2 Console.
• Choose Launch Instance.
• When selecting a VPC and subnet, the shared VPC and shared subnet will be listed.

• Complete the instance launch.

Security Considerations

• Always apply least privilege when granting IAM permissions.
• Use resource tags and conditions to restrict RAM access scope.
• Monitor sharing via AWS CloudTrail and RAM usage reports.

Testing & Troubleshooting Tips

• Check the RAM console logs if the shared resource is not visible.
• Make sure regions match – resources must be shared within the same region.
• Validate service limits (e.g., max resource shares).
• Use AWS CLI for automation and debugging:

Resources for reference

• AWS RAM Documentation
• Share VPC Subnets
• AWS RAM Pricing

Conclusion

AWS RAM is an essential tool for organizations adopting a multi-account strategy. RAM enhances security and operational efficiency by enabling centralized resource management while maintaining segregated responsibilities. If you haven’t explored it yet, now’s the time

About CloudThat