AWS Resource Access Manager
A service for securely sharing resources across AWS accounts and within Organizations, eliminating duplicate resource creation and reducing costs
Overview
AWS Resource Access Manager (RAM) is a service that enables secure sharing of AWS resources across accounts and within AWS Organizations. It eliminates the need to create duplicate resources in each account, reducing operational overhead and costs while maintaining centralized governance. Shareable resources include VPC subnets, Transit Gateways, Route 53 Resolver rules, License Manager configurations, and more.
RAM's Role in Multi-Account Strategy and Sharing Models
In a multi-account strategy following AWS best practices, workloads are isolated into separate accounts for security and billing boundaries. However, certain resources like network infrastructure benefit from centralization rather than duplication. RAM bridges this gap by enabling a networking account to share VPC subnets and Transit Gateways with workload accounts. Sharing can be configured at the organization level (all accounts automatically receive access), at the organizational unit (OU) level, or with specific individual accounts. Resource shares define which resources are shared with which principals, and permissions are managed through RAM-managed permissions that specify exactly what actions consumers can perform on shared resources. This model maintains the security benefits of account isolation while enabling efficient resource utilization.
VPC Subnet Sharing for Network Consolidation in Practice
VPC subnet sharing is one of RAM's most impactful use cases. A central networking account owns the VPC and subnets, sharing them with workload accounts. Resources in workload accounts (EC2 instances, Lambda functions, RDS instances) are launched directly into the shared subnets, appearing on the same network without VPC peering or Transit Gateway. This dramatically simplifies network architecture, reduces IP address waste, and centralizes network security controls (NACLs, flow logs) in one account. The networking team maintains full control over CIDR allocation, route tables, and internet gateways, while workload teams simply deploy into their designated subnets. Billing for resources remains in the workload account, maintaining clear cost attribution despite shared infrastructure.
Transit Gateway Sharing and Resource Share Operational Design
Transit Gateway sharing enables a central networking account to build and manage the Transit Gateway while workload accounts attach their VPCs. This avoids each account needing its own Transit Gateway and simplifies routing management. Combined with RAM, the networking team controls which accounts can attach and which route tables they use. For operational design, resource shares should be organized by purpose (networking, DNS, licensing) with clear naming conventions. Monitoring shared resource usage through CloudTrail and Config rules ensures compliance. When accounts leave the organization, their access to shared resources is automatically revoked. Regular audits of resource shares verify that only intended accounts have access, preventing scope creep in large organizations.