Cross-account VPC sharing using AWS RAM

AWS Resource Access Manager (AWS RAM) simplifies sharing AWS resources across different AWS accounts, including within an organization and with IAM roles and users. It enables you to create a resource once and use it across multiple accounts, reducing operational overhead and duplication. AWS RAM is a centralized service that provides a consistent experience for sharing various AWS resources.
Key Features and Benefits:
Resource Sharing: AWS RAM allows you to share resources like Route 53 Resolver Rules, Transit Gateways, Subnets, and License Manager Configurations with other AWS accounts.
Centralized Management: It provides a single place to manage resource sharing, making it easier to control access and permissions.
Reduced Overhead: By sharing resources, you eliminate the need to duplicate them across multiple accounts, saving time and resources.
Security and Control: Access to shared resources is governed by IAM policies and Service Control Policies, ensuring secure and controlled access.
Below is the list of services whose resource types can be shared using AWS RAM:
- AWS App Mesh
- Amazon Aurora
- AWS Private Certificate Authority
- AWS CodeBuild
- Amazon EC2
- EC2 Image Builder
- AWS Glue
- AWS License Manager
- AWS Migration Hub Refactor Spaces
- AWS Network Firewall
- AWS Outposts
- Amazon S3 on Outposts
- AWS Resource Groups
- Amazon Route 53
- Amazon SageMaker
- AWS Service Catalog AppRegistry
- AWS Systems Manager Incident Manager
- Amazon VPC
- AWS Cloud WAN
Example:
When you share a resource with another account, that account receives access to the resource, and its existing policies and permissions will apply to the shared resource.
I will now share subnets from account A, the owner account, with account B, the participant account.
Setting up AWS organization:
Create an AWS organization in account A and add the participant account B in the Organization.
Invite account B into the AWS organization by sending an invitation from the console.
Create a custom VPC and several subnets in the owner account to be shared with the participant account.
Next, enable resource sharing with AWS Organizations from the AWS Resource Access Manager settings in account A.
Now let’s start resource sharing by creating a resource share from the “Shared by me” tab.
After providing a name and description for the resource share, select “Subnets” in the resources section and then select the subnets you wish to share with the participant account.
The principal is the destination account or the AWS Organization (or organizational unit) with which the subnets will be shared. I will go with the AWS organization and select account B within it.
After creating the resource share in owner account A, switch to participant account B and check that the resource share is visible in the AWS RAM dashboard under the “Shared with me” tab.
The shared subnets will now appear in the participant account B along with the VPC.
Let’s use this VPC to launch resources in the participant account. Navigate to the EC2 dashboard and, while launching an instance, confirm in the network configuration section that the shared VPC and subnets are available for selection.
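Once the share exists, the owner account should be able to answer two questions on demand: which subnets are shared, and with whom. The script below is an added example (it is not code from the original post) that audits the resource shares owned by account A against the organization membership, flagging any share that allows external principals or that has a principal (account ID, organization or OU ARN, IAM role or user) outside the organization. The pure functions run offline on the constructed sample data; `fetch_and_audit` is the only part that talks to AWS and assumes boto3, credentials for the owner account with `ram:Get*`/`ram:List*`, and `organizations:DescribeOrganization`/`organizations:ListAccounts` (available from the management account or a delegated administrator). All ARNs, account IDs and the organization ID in the sample data are constructed placeholders.

```python
"""Audit AWS RAM resource shares so shared subnets stay inside the organization."""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def principal_in_org(principal, org_id, member_account_ids):
    """True if a RAM principal (account ID, org/OU ARN, IAM ARN) belongs to org_id."""
    if ACCOUNT_ID_RE.match(principal):
        return principal in member_account_ids
    if principal.startswith("arn:aws:organizations::"):
        # Org ARN ends in organization/<org-id>; OU ARN in ou/<org-id>/<ou-id>.
        path = principal.rsplit(":", 1)[1].split("/")
        return len(path) >= 2 and path[1] == org_id
    m = IAM_ARN_RE.match(principal)
    if m:
        return m.group(1) in member_account_ids
    return False  # service principals and anything unrecognised count as external


def audit_shares(shares, associations, resources, org_id, member_account_ids):
    """Return {share_arn: {"subnets": [...], "principals": [...], "issues": [...]}}.

    Inputs are the item lists from get_resource_shares(resourceOwner="SELF"),
    get_resource_share_associations(associationType="PRINCIPAL") and
    list_resources(resourceOwner="SELF").
    """
    report = {}
    for share in shares:
        arn = share["resourceShareArn"]
        issues = []
        if share.get("allowExternalPrincipals"):
            issues.append("allowExternalPrincipals is enabled")
        principals = [a["associatedEntity"] for a in associations
                      if a["resourceShareArn"] == arn and a.get("status") != "DISASSOCIATED"]
        for p in principals:
            if not principal_in_org(p, org_id, member_account_ids):
                issues.append(f"principal outside organization: {p}")
        subnets = [r["arn"] for r in resources
                   if r["resourceShareArn"] == arn and r["type"] == "ec2:Subnet"]
        report[arn] = {"subnets": subnets, "principals": principals, "issues": issues}
    return report


def _collect(call, key, token_key="nextToken", **kwargs):
    """Follow token pagination on an AWS API call and return every item under key."""
    items, token = [], None
    while True:
        resp = call(**kwargs, **({token_key: token} if token else {}))
        items.extend(resp.get(key, []))
        token = resp.get(token_key)
        if not token:
            return items


def fetch_and_audit(region_name="us-east-1"):
    """Run the audit against the live owner account (needs boto3 and credentials)."""
    import boto3  # imported here so the pure functions above work without it
    ram = boto3.client("ram", region_name=region_name)
    orgs = boto3.client("organizations")
    org_id = orgs.describe_organization()["Organization"]["Id"]
    members = {a["Id"] for a in _collect(orgs.list_accounts, "Accounts", token_key="NextToken")}
    shares = _collect(ram.get_resource_shares, "resourceShares", resourceOwner="SELF")
    assocs = _collect(ram.get_resource_share_associations, "resourceShareAssociations",
                      associationType="PRINCIPAL")
    resources = _collect(ram.list_resources, "resources", resourceOwner="SELF")
    return audit_shares(shares, assocs, resources, org_id, members)


# Constructed sample data (placeholder IDs): owner account A = 111111111111,
# participant account B = 222222222222, an account outside the org = 333333333333.
SAMPLE_ORG_ID = "o-exampleorg1"
SAMPLE_MEMBERS = {"111111111111", "222222222222"}
GOOD_SHARE = "arn:aws:ram:us-east-1:111111111111:resource-share/00000000-0000-0000-0000-000000000001"
BAD_SHARE = "arn:aws:ram:us-east-1:111111111111:resource-share/00000000-0000-0000-0000-000000000002"
SAMPLE_SHARES = [
    {"resourceShareArn": GOOD_SHARE, "name": "shared-subnets", "owningAccountId": "111111111111",
     "allowExternalPrincipals": False, "status": "ACTIVE"},
    {"resourceShareArn": BAD_SHARE, "name": "partner-subnets", "owningAccountId": "111111111111",
     "allowExternalPrincipals": True, "status": "ACTIVE"},
]
SAMPLE_ASSOCIATIONS = [
    {"resourceShareArn": GOOD_SHARE, "associatedEntity": "222222222222", "status": "ASSOCIATED"},
    {"resourceShareArn": BAD_SHARE, "status": "ASSOCIATED",
     "associatedEntity": "arn:aws:organizations::111111111111:ou/o-exampleorg1/ou-abcd-11111111"},
    {"resourceShareArn": BAD_SHARE, "associatedEntity": "333333333333", "status": "ASSOCIATED"},
]
SAMPLE_RESOURCES = [
    {"arn": "arn:aws:ec2:us-east-1:111111111111:subnet/subnet-0a1b2c3d4e5f60001",
     "type": "ec2:Subnet", "resourceShareArn": GOOD_SHARE, "status": "AVAILABLE"},
    {"arn": "arn:aws:ec2:us-east-1:111111111111:subnet/subnet-0a1b2c3d4e5f60002",
     "type": "ec2:Subnet", "resourceShareArn": BAD_SHARE, "status": "AVAILABLE"},
]

if __name__ == "__main__":
    for arn, entry in audit_shares(SAMPLE_SHARES, SAMPLE_ASSOCIATIONS, SAMPLE_RESOURCES,
                                   SAMPLE_ORG_ID, SAMPLE_MEMBERS).items():
        print(arn.rsplit("/", 1)[1], len(entry["subnets"]), "subnet(s)", entry["issues"] or "OK")
```

On the sample data the first share passes (one subnet, shared only with account B) and the second is flagged twice: external principals are allowed on the share, and account 333333333333 is not a member of the organization. When creating the share with the CLI, pass `--no-allow-external-principals` to `aws ram create-resource-share` so the first check can never fire; the second check is what tells you whether the principal chosen in the console step above was really the organization rather than a stray account ID.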
Conclusion
AWS Resource Access Manager (RAM) removes the need to replicate resources across multiple accounts, reducing the operational overhead of managing them individually.
With built-in integration with Amazon CloudWatch and AWS CloudTrail, RAM offers clear visibility into shared resources and the accounts accessing them.
Access to shared resources is governed by existing policies and permissions, ensuring security and control. RAM delivers a consistent experience for sharing a wide range of AWS resources.
By creating resources centrally and sharing them through RAM, you can streamline resource management in a multi-account environment.
RAM enables efficient resource utilization across different parts of your organization, helping improve performance and reduce costs.