Operations Management

Resource Sharing Management - Efficient Resource Utilization in Multi-Account Environments with AWS RAM

Learn about resource sharing in multi-account environments with AWS RAM (Resource Access Manager) and organization-wide resource management through AWS Organizations integration. Explore practical patterns for VPC subnet sharing and Transit Gateway sharing.

約 5 分で読めます

Resource Sharing Challenges in Multi-Account Environments and AWS RAM

In enterprise environments, multi-account strategies using multiple AWS accounts for security isolation and cost management are common. However, creating duplicate resources in each account leads to increased costs and management complexity. AWS RAM (Resource Access Manager) is a service for securely sharing resources across AWS accounts, eliminating resource duplication and enabling centralized management. It supports sharing of over 20 resource types, including VPC subnets, Transit Gateways, Route 53 Resolver rules, AWS Network Firewall policies, License Manager configurations, Outposts, and Capacity Reservations. Resource ownership remains with the sharing account, and recipient accounts receive only usage permissions, enabling efficient resource utilization while maintaining governance. You can create a resource share via CLI with aws ram create-resource-share --name my-share --resource-arns arn:aws:ec2:ap-northeast-1:123456789012:subnet/subnet-xxx --principals arn:aws:organizations::123456789012:ou/o-xxx/ou-xxx.

Streamlining Network Management with VPC Subnet Sharing

The most common use case for RAM is VPC subnet sharing. A central networking account creates and manages VPCs and subnets, then shares the necessary subnets with each workload account. Workload accounts can create resources like EC2 instances, RDS, and Lambda in shared subnets but cannot modify VPC or subnet configurations. This approach enables efficient IP address space management, centralized control of route tables and security groups, and consolidation of VPC peering and Transit Gateway connections. Compared to each account creating its own VPC, the benefits include avoiding IP address conflicts, ensuring consistent network policies, and simplifying inter-VPC connectivity. Resources in shared subnets can communicate directly via private IP with other resources in the same VPC, without needing VPC peering or Transit Gateway.

Organizations Integration and Automation

RAM integrates with AWS Organizations to automate resource sharing at the organizational unit (OU) level. When sharing within Organizations is enabled, recipient accounts automatically gain access to resources without needing to accept invitations. When a new account is added to an OU, it automatically receives access to resources shared with that OU. This lets you build workflows that unify account provisioning and resource sharing. Combined with AWS CloudFormation StackSets, you can fully automate new account creation, OU placement, resource share configuration, and initial resource deployment. By combining Service Control Policies (SCP) with RAM sharing policies, you can control which resources are shared with which OUs at the organizational level. For a systematic study of resource sharing management, books (Amazon) offer comprehensive coverage.

Transit Gateway Sharing and Cost Optimization

Transit Gateway sharing significantly contributes to network cost optimization in multi-account environments. A central networking account creates a Transit Gateway and shares it with workload accounts via RAM, eliminating the need for each account to create its own Transit Gateway. Transit Gateway hourly charges are consolidated in the sharing account, while attachment charges are distributed to each account. Route 53 Resolver rule sharing unifies DNS resolution policies across the organization and centralizes DNS integration with on-premises environments. License Manager configuration sharing tracks software license usage across the organization and ensures compliance. Usage of RAM shared resources can be audited via CloudTrail, tracking who accessed which resources.

Summary - Optimizing Multi-Account Resource Sharing

AWS RAM is a service that enables safe and efficient resource sharing in multi-account environments. By combining centralized network management through VPC subnet sharing, cost optimization through Transit Gateway sharing, and automation through Organizations integration, you can optimize resource utilization across your entire organization. The design of maintaining resource ownership with the sharing account while granting usage permissions ensures governance and security while enabling efficient resource sharing. You can check sharing status with aws ram get-resource-shares --resource-owner SELF.

Related Services

AWS Resource Access ManagerSecurely share AWS resources with other accounts within your organizationAWS OrganizationsA service for centrally managing multiple AWS accountsAWS Transit GatewayA network hub that connects multiple VPCs and on-premises networks in a hub-and-spoke topology

Related Articles

Amazon VPC Network Design - Subnet Architecture and NAT Gateway OptimizationLearn how to design public/private subnet separation, layered security group management, and reduce NAT Gateway costs with Gateway VPC Endpoints.Designing Identity and Access Management - Achieving Zero Trust Security with IAMLearn access management design techniques with AWS IAM, including the principle of least privilege, policy design, and achieving zero trust security through Cognito integration.Multi-Account Management - Organization-Wide Governance with AWS Organizations and RAMLearn how to deploy CloudTrail, Config, GuardDuty, and Security Hub across all accounts using the Organizations delegated administrator model, achieving unified security and compliance management.

More on This Topic

How AWS Keeps Time Internally - Amazon Time Sync Service and Leap Second Smearing DesignLearn how Amazon Time Sync Service works, how GPS and atomic clocks provide high-precision time sources, the design decision to absorb leap seconds through smearing, and why time synchronization matters in distributed systems.Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.Implementing Feature Flags with AWS AppConfig - Safe Configuration Deployment and RollbackRoll out configuration changes independently from code deployments using Linear and Exponential strategies. Ensure safety with automatic rollback triggered by CloudWatch alarms.Architecture Review - Systematically Evaluate Workloads with the AWS Well-Architected ToolLearn about architecture reviews using the AWS Well-Architected Tool. Covers evaluation based on the six pillars, improvement planning, and custom lens usage.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Lessons from AWS Incident Reports (COE) - How Past Major Outages Shaped Design PrinciplesAnalyze the root causes of past major incidents including the S3 outage, us-east-1 DNS failure, and Kinesis outage from AWS's published Correction of Errors (COE) and incident reports, and explain how they changed AWS's design principles.Tag Design Determines Operations - Trivia and Practical Naming Conventions for AWS Resource Tagging StrategyWe explain why AWS resource tags are not just labels but the foundation for cost allocation, access control, and automation, covering tag key naming conventions, how to use the 50-tag limit, and governance through tag policies.Why AWS Service Quotas Exist - Multi-Tenant Design That Protects Shared InfrastructureExplain how AWS service quotas (formerly service limits) are not mere restrictions but a design to protect other customers in a multi-tenant environment, covering the noisy neighbor problem, soft vs hard limits, and what happens behind quota increase requests.

Similar Articles and Services

Cross-Account Resource Sharing with AWS RAM - Sharing VPC Subnets and Transit GatewaysLearn how to share VPC subnets and Transit Gateways across accounts to centralize IP address space management and reduce VPC peering connections.Multi-Account Management - Organization-Wide Governance with AWS Organizations and RAMLearn how to deploy CloudTrail, Config, GuardDuty, and Security Hub across all accounts using the Organizations delegated administrator model, achieving unified security and compliance management.Multi-Account Design for Amazon VPC Lattice - RAM Sharing and Service Network Configuration PatternsLearn how to design VPC Lattice for multi-account environments, including RAM sharing strategies, service network partitioning, and hierarchical Auth Policy design.AWS OrganizationsAn account management service that centrally manages multiple AWS accounts as an organization, with consolidated billing and service control policies for governance