AWS Resource Access Manager Cheat Sheet

• AWS Resource Access Manager (AWS RAM) is a service that allows you to securely share AWS resources across accounts, organizational units (OUs), or your entire AWS Organization. It eliminates the need to duplicate resources in multiple accounts, simplifying management and maintaining security and consistency.
  • Only the master account can enable sharing with AWS Organizations.
  • The organization must be enabled for all features.
• RAM eliminates the need to create duplicate resources in multiple accounts. You can create resources centrally in a multi-account environment, and use RAM to share those resources across accounts in three simple steps: 

• 1. Create a Resource Share
  2. Specify resources
  3. Specify accounts

• You can stop sharing a resource by deleting the share in AWS RAM.
• Services you can share with AWS RAM

Features

Resource Sharing

• Share resources with specific AWS accounts, organizational units (OUs), or your entire organization.
• Automatically accept shared resources within the same AWS Organization when organizational sharing is enabled.
• Invitation-based access for external AWS accounts.

• Stop sharing a resource at any time by deleting the resource share.

Centralized Management

• Create resources once and share them across multiple accounts without provisioning duplicates.
• Maintain centralized ownership while allowing controlled cross-account usage.
• Supports large-scale, multi-account architectures with centralized governance.

Expanded Resource Support

• Share networking resources such as VPC subnets, VPC security groups, Transit Gateways, Network Firewall firewalls, and VPC Lattice resource configurations.
• Share edge and DNS resources including CloudFront VPC Origins, Route 53 Resolver Profiles, and API Gateway custom domain names.
• Share compute, storage, and database resources such as Aurora DB clusters, FSx for OpenZFS snapshots, S3 Access Grants instances, and CloudHSM backups.
• Share governance, security, and recovery resources including AWS Backup air-gapped vaults, Application Recovery Controller clusters and recovery plans, and multi-party approval teams.
• Share AI and ML resources including Amazon SageMaker AI Partner Apps, Model Registry resources, JumpStart hubs, Model Cards, and Amazon Bedrock custom models.
• Share billing and cost resources such as Billing views and Cost Management dashboards.
• Share service management and discovery resources including Cloud Map namespaces, Resource Explorer views, DataZone resources, and Systems Manager parameters and deny-access policies.
• Share specialized and third-party resources including Oracle Database@AWS Exadata infrastructure and database networks.

Permission Management

• Attach managed or custom permissions to resource shares to control what shared principals can do.
• Use service principal sharing to allow AWS services to manage required actions on shared resources.
• Resource-owning accounts retain full ownership and administrative control.
• Supports Attribute-Based Access Control (ABAC) using tags on resources and principals.

Visibility & Auditability

• Track shared resource usage through integration with AWS CloudTrail.
• Monitor operational and access activity using Amazon CloudWatch.

Support for Regional and Global Resources

• Share regional resources within the same AWS Region.
• Share global resources from their home region (for example, Route 53).

Organization-Based Sharing

• Integrates with AWS Organizations to allow sharing with OUs and accounts.
• Centralized governance controls apply consistently across shared resources.

Connectivity & Access

• AWS PrivateLink support for AWS RAM, enabling private access via VPC interface endpoints.

Under Expanded Resource Support

• Share AWS Network Firewall rule groups in addition to firewalls across AWS accounts and organizations.

Under Permission Management

• Allow AWS services to automatically manage required permissions on shared resources through service-managed access.

Use Cases 

• Multi-Account Resource Sharing: Share central VPC subnets, Transit Gateways, or license configurations across multiple accounts.
• Cost Optimization: Avoid duplicating resources across accounts, reducing operational overhead and cost.
• Centralized Security & Compliance: Maintain a consistent security posture by sharing resources with controlled permissions.
• Third-Party Collaboration: Share resources with external AWS accounts while controlling access through invitations.

Security

• IAM-Based Access: Use IAM policies to manage who can access resources you share or receive.
• Managed Permissions: Attach managed permissions to resource shares to define allowed actions.
• Ownership Retention: Resource-owning accounts maintain full ownership and control of shared resources.
• ABAC Support: Permissions can be further controlled using attributes (tags) on resources and principals.
• Auditability: Integrates with CloudTrail and CloudWatch to monitor shared resource usage.
• RAM Permissions Model:
  
  AWS RAM uses resource share permissions to define allowed actions on shared resources. These permissions are separate from IAM policies and apply only to shared resources.

AWS Resource Access Manager Pricing

• • There is no additional charge for using AWS RAM.

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

AWS RAM Cheat Sheet References:
https://aws.amazon.com/ram/
https://aws.amazon.com/ram/faqs/
https://docs.aws.amazon.com/ram/latest/userguide/what-is.html
https://aws.amazon.com/blogs/aws/new-aws-resource-access-manager-cross-account-resource-sharing/