Sharing resource across the account using AWS Resource Access Manager

AWS Organizations enables you to be centralized account management as you grow and scale your AWS resources. But it’s very difficult to manage, provision and control AWS resources in the organizations. If you have an AWS account which is a part of an AWS organization, it is very easy to share the resources with accounts in the organization and Organization Unit.

AWS Resource Access Manager (RAM)

If AWS account is managed by AWS Organization, then Resource Access Manager is used to share the resources you have created in one account with the other within the specific Organization Unit and specific AWS account by account id. When you share any resource with account outside the organization, those accounts will receive an invitation. The owner of those accounts need to accept the invitation, so the resources will be available for use.

Benefits of AWS RAM

Minimize operation overhead: To avoid the need to provision duplicate resource in all available accounts, create the resource in one account and share it with other account.

Security: Having shared resource and using single set of policies, minimize the security management overhead. If same set of resource are available in different account, then implementing identical policies will be a challenging task and will also increase the management overhead and redundancy.

How resource sharing works

• You have account (Owning Account) where you can create the resource and share it with other accounts (Consuming account) by granting access for principals of that account.
• When consuming account access the shared resources, the resources are available in the same region where owning account shared the resources.
• When owning account share resources with other account, permissions and quotas remain unchanged.

Task1: Steps to share the resources from Owning account

• Select the region where your created resource is available to share. Move to Resource Access Manager service. Select resource share from shared by me and create resource share.

• Specify resource share details
  • Resource Share Name

• • Choose the resources to add to the resource share and select the appropriate resource

• Associate managed permissions as per your need

• Grant access to principals: Specify the principals that are allowed access to the shared resources. A principal can be any of the following: An entire organization or organizational unit (OU) in AWS Organizations, an AWS account, IAM role, or IAM user.

• Review and create resource share.

• Resource is successfully shared. To check if the resource is shared, go to shared by me and select Shared resources

Task2: Steps to access the resources in Consuming account

• Log in to the account (Consuming Account) from where you need to access the resources.
• Select the region from where your need to access the resource. Move to Resource Access Manager service and check which resources are shared with your account by selecting resource share & shared resources from shared with me.

• Move to the VPC dashboard, select the subnets and you can identify, one subnet is shared with your account.

• Now you can use shared subnet for your other resources.

About CloudThat