Skip to content
Gallery
12. Deployment & Management
AWS CloudFormation
AWS Elastic Beanstalk
AWS Systems Manager
AWS Config
AWS Secret Manager
AWS OpsWorks
AWS Resource Access Manager
RPO, RTO, & DR Strategies
More
Share
Explore

icon picker
AWS Resource Access Manager

AWS Resource Access Manager (AWS RAM) helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs), and with AWS Identity and Access Management (IAM) roles and users for supported resource types.
If you have multiple AWS accounts, you can create a resource once and use AWS RAM to make that resource usable by those other accounts. If your account is managed by AWS Organizations, you can share resources with all the other accounts in the organization or only those accounts contained by one or more specified organizational units (OUs). You can also share with specific AWS accounts by account ID, regardless of whether the account is part of an organization.
Some supported resource types
also let you share them with specified IAM roles and users.

Benefits of AWS RAM

Why use AWS RAM? It offers the following benefits:
Reduces your operational overhead – Create a resource once, and then use AWS RAM to share that resource with other accounts. This eliminates the need to provision duplicate resources in every account, which reduces operational overhead. Within the account that owns the resource, AWS RAM simplifies granting access to every role and user in that account without having to use identity-based permission policies.
Provides security and consistency – Simplify security management for your shared resources by using a single set of policies and permissions. If you were to instead create duplicate resources in all your separate accounts, you would have the task of implementing identical policies and permissions, and then have to keep them identical across all those accounts. Instead, all users of an AWS RAM resource share are managed by a single set of policies and permissions. AWS RAM offers a consistent experience for sharing different types of AWS resources.
Provides visibility and auditability – View the usage details for your shared resources through the integration of AWS RAM with Amazon CloudWatch and AWS CloudTrail. AWS RAM provides comprehensive visibility into shared resources and accounts.

What about cross-account access with resource-based policies?

You can share some types of AWS resources with other AWS accounts by attaching a
resource-based policy
that identifies AWS Identity and Access Management (IAM) principals (IAM roles and users) outside of your AWS account. However, sharing a resource by attaching a policy doesn't take advantage of the additional benefits that AWS RAM provides. By using AWS RAM you get the following features:
You can share with an
organization or an organizational unit (OU)
without having to enumerate every one of the AWS account IDs.
Users can see the resources shared with them directly in the originating AWS service console and API operations as if those resources were directly in the user's account. For example, if you use AWS RAM to share an Amazon VPC subnet with another account, users in that account can see the subnet in the Amazon VPC console and in the results of Amazon VPC API operations performed in that account. Resources shared by attaching a resource-based policy aren't visible this way; instead, you have to discover and explicitly refer to the resource by its Amazon Resource Name (ARN).
The owners of a resource can see which principals have access to each individual resource that they have shared.
If you share resources with an account that isn't part of your organization, then AWS RAM initiates an invitation process. The recipient must accept the invitation before that principal can access the shared resources.
After you turn on the ability to share within your organization,
sharing with accounts in the organization doesn't require invitations.
If you have resources that you have shared by using a resource-based permission policy, you can promote those resources to fully AWS RAM managed resources by doing either of the following:
Use the
PromoteResourceShareCreatedFromPolicy
API operation.
Use the API operation's equivalent, which is the AWS Command Line Interface (AWS CLI)
promote-resource-share-created-from-policy
command.

Loading
docs.aws.amazon.com
Benefits of AWS RAM
What about cross-account access with resource-based policies?
Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.