New AWS Resource Access Manager – Cross-Account Resource Sharing
As I have discussed in the past, our customers use multiple AWS accounts for many different reasons. Some of them use accounts to create administrative and billing boundaries; others use them to control the blast radius around any mistakes that they make.
Even though all of this isolation is a net positive for our customers, it turns out that certain types of sharing can be useful. For example, many customers want to create resources centrally and share them across accounts in order to reduce management overhead and operational costs.
AWS Resource Access Manager
The new AWS Resource Access Manager (RAM) facilitates resource sharing between AWS accounts. It makes it easy to share resources within your AWS Organization and can be used from the Console, CLI, or through a set of APIs. We are launching with support for Route 53 Resolver Rules (announced yesterday in Shaun’s excellent post) and will be adding more types of resources soon.
To share resources, you simply create a Resource Share, give it a name, add one or more of your resources to it, and grant access to other AWS accounts. Each Resource Share is like a shopping cart, and can hold resources of differing types. You can share any resources that you own, but you cannot re-share resources that have been shared with you. You can share resources with Organizations, Organizational Units (OUs), or AWS accounts. You can also control whether accounts from outside of your Organization can be added to a particular Resource Share.
The master account for your Organization must enable sharing on the Settings page of the RAM Console:
After that, sharing a resource with another account in your Organization makes the resources available with no further action on either side (RAM takes advantage of the handshake that was done when the account was added to the Organization). Sharing a resource with an account outside of your Organization sends an invitation that must be accepted in order to make the resource available to the account.
When resources are shared with an account (let’s call it the consuming account) the shared resources will show up on the appropriate console page along with the resources owned by the consuming account. Similarly, List calls will return both shared resources and resources owned by the consuming account.
Resource Shares can be tagged and you can reference the tags in IAM policies to create a tag-based permission system. You can add and remove accounts and resources from a Resource Share at any time.
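Here is a tag-based policy of the kind described above, added as an example (it is not from the original post). It lets a principal in the sharing account create Resource Shares only when they are tagged team=netops, lets it modify only shares that already carry that tag, and denies creating or updating a share so that it allows principals outside the Organization. The tag key and value and the account id are assumptions; the ram: actions are the RAM API operations of the same name, and aws:ResourceTag / aws:RequestTag are the standard tag condition keys. The ram:RequestedAllowsExternalPrincipals condition key is taken from the RAM documentation as I recall it, so verify it against the current service authorization reference before relying on the Deny statement. Read-only actions such as listing shares are not granted here and would need to be added.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOnlyTeamTaggedShares",
      "Effect": "Allow",
      "Action": [
        "ram:AssociateResourceShare",
        "ram:DisassociateResourceShare",
        "ram:UpdateResourceShare",
        "ram:DeleteResourceShare"
      ],
      "Resource": "arn:aws:ram:*:111111111111:resource-share/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/team": "netops" }
      }
    },
    {
      "Sid": "CreateSharesTaggedForTeam",
      "Effect": "Allow",
      "Action": "ram:CreateResourceShare",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/team": "netops" }
      }
    },
    {
      "Sid": "NeverOpenToExternalAccounts",
      "Effect": "Deny",
      "Action": [
        "ram:CreateResourceShare",
        "ram:UpdateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": { "ram:RequestedAllowsExternalPrincipals": "true" }
      }
    }
  ]
}
```

The explicit Deny is the part worth keeping even if you drop the tag scoping: it means that no later change to an Allow statement can quietly open a share to arbitrary accounts.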
Using AWS Resource Access Manager
I open the RAM Console and click Create a resource share to get started:
I enter a name for my share (CompanyResolvers) and choose the resources that I want to add:
As I mentioned earlier, we’ll be adding more resource types soon!
I enter the principals (Organizations, OUs, or AWS accounts) that I want to share the resources with, and click Create resource share:
The other accounts receive invitations if they are outside of my Organization. The invitations are visible in, and can be accepted from, the console. After accepting the invites, and with proper IAM permissions, they have access to the resources.
RAM also gives me centralized access to everything that I have shared, and everything that has been shared with me:
You can also automate the sharing process using API functions such as AcceptResourceShareInvitation. You can, of course, use IAM policies to regulate the use of these functions on both sides of the transaction.
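The automated flow, covering both the owner-side procedure described earlier (create a share, add resources, grant principals) and the consumer-side acceptance, as an added example that is not code from the original post. The RAM client is passed in rather than created, so the script runs offline against a constructed fake that mimics the response shapes of the boto3 RAM client; for the real service you would pass boto3.client("ram") (boto3 is not imported here). The account ids, ARNs and the team tag are constructed sample values. Two checks are built in that the console walkthrough leaves implicit: the owner pins allowExternalPrincipals to False, and the consumer accepts only invitations whose sender is an account it expects, because anything it accepts starts appearing in its own console pages and List results.

```python
"""Owner creates an in-Organization RAM share; consumer accepts only expected invitations."""

# Constructed sample values; no real accounts or resources are referenced.
OWNER_ACCOUNT = "111111111111"
CONSUMER_ACCOUNT = "222222222222"
RESOLVER_RULE_ARN = "arn:aws:route53resolver:us-east-1:111111111111:resolver-rule/rslvr-rr-example"


def create_org_share(ram, name, resource_arns, principals, tags=None):
    """Owner side. Parameter names follow the RAM CreateResourceShare API.
    allowExternalPrincipals=False means accounts outside the Organization can never
    be added to this share, even by a later AssociateResourceShare call."""
    kwargs = {
        "name": name,
        "resourceArns": list(resource_arns),
        "principals": list(principals),
        "allowExternalPrincipals": False,
    }
    if tags:
        kwargs["tags"] = [{"key": k, "value": v} for k, v in tags.items()]
    resp = ram.create_resource_share(**kwargs)
    return resp["resourceShare"]["resourceShareArn"]


def accept_expected_invitations(ram, trusted_senders):
    """Consumer side. Walk all pages of invitations and accept PENDING ones only
    when senderAccountId is in trusted_senders; others are left pending and reported."""
    accepted, skipped = [], []
    token = None
    while True:
        page = ram.get_resource_share_invitations(**({"nextToken": token} if token else {}))
        for inv in page["resourceShareInvitations"]:
            if inv["status"] != "PENDING":
                continue
            if inv["senderAccountId"] not in trusted_senders:
                skipped.append(inv["resourceShareInvitationArn"])
                continue
            ram.accept_resource_share_invitation(
                resourceShareInvitationArn=inv["resourceShareInvitationArn"])
            accepted.append(inv["resourceShareInvitationArn"])
        token = page.get("nextToken")
        if not token:
            break
    return accepted, skipped


class FakeRam:
    """Constructed stand-in for the boto3 RAM client: same method names and
    response shapes as the real API, just enough to exercise the functions above.
    It issues an invitation to every principal so the consumer path is exercised;
    the real service skips the invitation for accounts inside the Organization."""

    def __init__(self):
        self.shares = {}
        self.invitations = []

    def create_resource_share(self, **kw):
        arn = f"arn:aws:ram:us-east-1:{OWNER_ACCOUNT}:resource-share/{len(self.shares) + 1}"
        self.shares[arn] = dict(kw, resourceShareArn=arn, owningAccountId=OWNER_ACCOUNT)
        for p in kw["principals"]:
            self.invitations.append({
                "resourceShareInvitationArn": f"{arn}/invitation/{p}",
                "resourceShareArn": arn, "resourceShareName": kw["name"],
                "senderAccountId": OWNER_ACCOUNT, "receiverAccountId": p,
                "status": "PENDING"})
        return {"resourceShare": self.shares[arn]}

    def get_resource_share_invitations(self, **kw):
        return {"resourceShareInvitations": list(self.invitations)}

    def accept_resource_share_invitation(self, resourceShareInvitationArn):
        for inv in self.invitations:
            if inv["resourceShareInvitationArn"] == resourceShareInvitationArn:
                inv["status"] = "ACCEPTED"
                return {"resourceShareInvitation": inv}
        raise KeyError(resourceShareInvitationArn)


def demo():
    """Run the owner and consumer halves against the fake, with one planted
    invitation from an unknown account that must not be accepted."""
    ram = FakeRam()
    share_arn = create_org_share(ram, "CompanyResolvers", [RESOLVER_RULE_ARN],
                                 [CONSUMER_ACCOUNT], tags={"team": "netops"})
    ram.invitations.append({
        "resourceShareInvitationArn": "arn:aws:ram:us-east-1:999999999999:resource-share/x/invitation/y",
        "resourceShareArn": "arn:aws:ram:us-east-1:999999999999:resource-share/x",
        "resourceShareName": "LooksLegit", "senderAccountId": "999999999999",
        "receiverAccountId": CONSUMER_ACCOUNT, "status": "PENDING"})
    accepted, skipped = accept_expected_invitations(ram, {OWNER_ACCOUNT})
    return share_arn, accepted, skipped


if __name__ == "__main__":
    print(demo())
```

If you want the consumer to actively clear unknown invitations rather than leave them pending, the RAM API also has RejectResourceShareInvitation, which takes the same invitation ARN.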
There are no charges for resource sharing.
AWS Resource Access Manager (RAM) is available now and you can start sharing resources today.