AWS Resource Access Manager (RAM) is one of the ways AWS lets you share resources. In a nutshell, RAM lets you share AWS resources created in a single AWS account with multiple other AWS accounts: accounts in your own company, organisational units (OUs), or even third-party accounts.
With a multi-account approach to building infrastructure, provisioning and controlling resources in the member accounts of the organisation is always a challenge: provisioning them, keeping them current, and decommissioning them properly are just a few of the problems.
AWS Resource Access Manager (RAM)
AWS RAM is a service that lets you simply and securely share AWS resources with any AWS account or, if you are a member of AWS Organizations, with Organizational Units (OUs) or your entire organization. If you share resources with accounts outside of your Organization, those accounts receive an invitation to the Resource Share and can begin using the shared resources once they accept it.
- Only the master account can share with AWS Organizations.
- All features must be enabled for the organisation.
RAM removes the need to create duplicate resources across numerous accounts. In a multi-account scenario, you can build resources centrally and use RAM to share them among accounts in three simple steps:
- Create a resource share
- Specify the resources
- Specify the accounts
- Share your resources
Why is AWS RAM used?
1. Lower operational costs – removes the need to provision the same type of resource several times; RAM does it for you.
2. Simplified security management – AWS RAM-managed permissions (at least one per resource type) determine which actions principals with access to the resources (i.e. resource users) can perform on them.
3. Consistent experience – you share the resource’s state and security configuration with an arbitrary number of accounts. This works especially well for organization-wide sharing: new accounts are automatically given access to the resources. In the account that accepts your share, the shared resource appears as a native resource.
4. Audit and visibility – RAM can be used in conjunction with CloudWatch and CloudTrail.
How do we share a resource?
1. When you share a resource, it remains fully owned by the AWS account that created it.
2. Any permissions or quotas that apply to that resource remain unchanged when it is shared. You can only share a resource that you own.
3. Users of your shared resources can only access them in the same Region in which the resources were created.
4. There are three steps to creating a resource share:
- Provide a name for the share and the resource(s) you want to share. It can be a single resource type or a collection of several. You can also skip the resource selection and do it later; the resource share can be changed afterwards (e.g., to add more resources to it).
- Associate permissions with the resource types you share. Some resource types have only one managed permission (attached automatically), whereas others have several. To see which managed permissions are available, open the Permissions Library in the AWS RAM console.
- Choose whether external accounts, accounts in your Organization, and IAM roles and users can access the resources you share. Accounts outside your Organization must explicitly accept the share. If sharing with AWS Organizations is enabled, shares with accounts in the Organization are accepted implicitly.
- Finally, review the resource share summary page and create it.
5. Users of shared resources can perform only particular actions. These actions are primarily “read-only” and vary depending on the resource type.
6. Terraform also supports the RAM service, so the resource sharing configuration may look like this:
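The following Terraform configuration is an added example (not the page's own), covering the three steps above and the subnet-sharing walkthrough in the VPC section: it creates a VPC with two subnets in owner account A and shares the subnets with participant account B. The Region, CIDR blocks, names and the `participant_account_id` variable are assumptions.

```hcl
# Assumption: all resources live in one Region; participants can only use
# shared subnets in the Region where they were created.
provider "aws" {
  region = "eu-west-1"
}

# Placeholder for participant account B's 12-digit account ID.
variable "participant_account_id" {
  type = string
}

resource "aws_vpc" "shared" {
  cidr_block = "10.0.0.0/16"
  tags       = { Name = "shared-vpc" }
}

# Two subnets that will be shared. The VPC itself is not a shared resource;
# it becomes visible in the participant account through the shared subnets.
resource "aws_subnet" "shared" {
  for_each   = { a = "10.0.1.0/24", b = "10.0.2.0/24" }
  vpc_id     = aws_vpc.shared.id
  cidr_block = each.value
  tags       = { Name = "shared-subnet-${each.key}" }
}

# Step 1: the resource share. VPC sharing only works inside one Organization,
# so external principals are explicitly disallowed.
resource "aws_ram_resource_share" "subnets" {
  name                      = "shared-vpc-subnets"
  allow_external_principals = false
}

# Step 2: add each subnet to the share.
resource "aws_ram_resource_association" "subnets" {
  for_each           = aws_subnet.shared
  resource_arn       = each.value.arn
  resource_share_arn = aws_ram_resource_share.subnets.arn
}

# Step 3: specify the principal (account B). With sharing with AWS
# Organizations enabled in account A, account B accepts implicitly;
# otherwise it must accept the invitation under "Shared with me".
resource "aws_ram_principal_association" "participant" {
  principal          = var.participant_account_id
  resource_share_arn = aws_ram_resource_share.subnets.arn
}
```

Because `allow_external_principals` is false, a later attempt to add a principal outside the Organization to this share is rejected by RAM rather than silently opening the subnets to a third party.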
Using AWS RAM to Share a VPC
1. VPC sharing is a powerful concept with numerous advantages:
- Separation of duties: the VPC structure, routing, and IP address allocation are controlled centrally.
- Application owners retain control over their own resources, accounts, and security groups.
- Participants in VPC sharing can reference each other’s security group IDs in their security group rules.
- Efficiencies include higher subnet density and more efficient use of VPNs and AWS Direct Connect.
- A simplified network architecture avoids hard limits such as 50 VIFs per AWS Direct Connect connection.
- Reusing NAT gateways and VPC interface endpoints, and keeping traffic within an Availability Zone, can reduce costs.
2. AWS RAM allows us to share the following services:
3. When you share a resource with another account, that account is given permission to use it. The shared resource is subject to all policies and permissions in that account.
4. We’ll now share subnets from the owner account (A) to the participant account (B).
5. Creating an AWS Organization:
- In account A, create an AWS Organization and add the participant account B to it.
- From the console, send an invitation for account B to join the AWS Organization.
6. In the owner account, create a custom VPC and a few subnets that will be shared with the participant account.
7. Then, in account A’s AWS Resource Access Manager settings, enable resource sharing with your organisation.
8. Start resource sharing by creating a share under the “Shared by me” page.
9. After providing a description for the resource share, pick “Subnets” in the resources tab and select the subnets you want to share with the participant account.
10. The principal is the destination account or AWS Organization with which the subnets will be shared. Here we use the AWS Organization and select account B within it.
11. After creating the resource share in owner account A, go to participant account B and check that the share appears under the “Shared with me” tab of the AWS RAM dashboard.
12. Along with the VPC, the shared subnets will now appear in participant account B.
13. Now, we can use this VPC to launch Resources in the Participant Account.
Things to know before sharing your VPC
1. VPC sharing is possible only within the same AWS Organization.
2. Default VPCs cannot be shared.
3. Participant accounts cannot launch resources using security groups owned by the owner or by other participants.
4. Because the VPC’s default security group belongs to the owner, participants cannot deploy resources with it.
5. Participants pay for their own resources and for data transfer charges: inter-Availability Zone data transfer, internet gateway, VPC peering connections, and data transfer via AWS Direct Connect.
6. VPC owners are responsible for data processing and data transfer charges across NAT gateways, virtual private gateways, transit gateways, AWS PrivateLink, and VPC endpoints, as well as hourly rates (where applicable).
Security
- IAM policies can be used to control who has access to resources you’ve shared or received from another account.
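As an added example (not from the page), here is a Terraform-defined IAM policy with two guardrails for RAM: it denies creating or updating resource shares that allow principals outside the Organization, and denies accepting shares from any owner account not on an allow-list. The `trusted_share_owner_account_ids` variable, its placeholder default and the policy name are assumptions.

```hcl
# Placeholder: the account(s) whose resource shares this account may accept,
# e.g. the central networking account that owns the shared VPC.
variable "trusted_share_owner_account_ids" {
  type    = list(string)
  default = ["111111111111"]
}

data "aws_iam_policy_document" "ram_guardrails" {
  # 1. Nobody may create or update a resource share that allows principals
  #    outside the Organization (the "allowExternalPrincipals" setting).
  statement {
    sid       = "DenyExternalPrincipalShares"
    effect    = "Deny"
    actions   = ["ram:CreateResourceShare", "ram:UpdateResourceShare"]
    resources = ["*"]
    condition {
      test     = "Bool"
      variable = "ram:RequestedAllowsExternalPrincipals"
      values   = ["true"]
    }
  }

  # 2. Invitations from unknown owner accounts may not be accepted; accepting
  #    a subnet share means launching workloads into a VPC we do not control.
  statement {
    sid       = "DenyAcceptingUntrustedShares"
    effect    = "Deny"
    actions   = ["ram:AcceptResourceShareInvitation"]
    resources = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "ram:ShareOwnerAccountId"
      values   = var.trusted_share_owner_account_ids
    }
  }
}

resource "aws_iam_policy" "ram_guardrails" {
  name   = "ram-sharing-guardrails"
  policy = data.aws_iam_policy_document.ram_guardrails.json
}
```

Attach the policy to the roles that administer networking; the same statements can be placed in a service control policy to apply them to every account in the Organization.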
Pricing
- Using AWS RAM comes at no additional cost.
Frequently Asked Questions
Q1. When should you use AWS RAM?
Ans. AWS Resource Access Manager (RAM) enables you to securely share resources between AWS accounts, within your organisation or organisational units (OUs) in AWS Organizations, and with IAM roles and IAM users for supported resource types. Use it whenever a resource created in one account needs to be used from other AWS accounts.
Q2. How do I use the AWS RAM service?
Ans. AWS RAM provides a web-based user interface, the AWS RAM console. If you have an AWS account, sign in to the AWS Management Console and select AWS RAM from the console home page, or open the AWS RAM console directly in your browser.
Q3. How can I control access to resources shared with me?
Ans. IAM policies can be used to control access to resources that are shared with you.
Q4. Can I stop sharing a resource?
Ans. Yes, by removing a resource from the resource share or deleting the resource share, you can cease sharing it.