AWS Resource Access Manager
AWS Resource Access Manager
6h 2m

This section of the AWS Certified Solutions Architect - Professional learning path introduces the AWS management and governance services relevant to the AWS Certified Solutions Architect - Professional exam. These services are used to help you audit, monitor, and evaluate your AWS infrastructure and resources and form a core component of resilient and performant architectures. 

Want more? Try a Lab Playground or do a Lab Challenge!

Learning Objectives

  • Understand the benefits of using AWS CloudWatch and audit logs to manage your infrastructure
  • Learn how to record and track API requests using AWS CloudTrail
  • Learn what AWS Config is and its components
  • Manage multi-account environments with AWS Organizations and Control Tower
  • Learn how to carry out logging with CloudWatch, CloudTrail, CloudFront, and VPC Flow Logs
  • Learn about AWS data transformation tools such as AWS Glue and data visualization services like Amazon Athena and QuickSight
  • Learn how AWS CloudFormation can be used to represent your infrastructure as code (IaC)
  • Understand SLAs in AWS

Hello and welcome to this lecture covering a high-level overview of the AWS Resource Access Manager service. AWS Resource Access Manager, as the name clearly implies, allows you to securely share certain resource types across your AWS organization, or with any AWS account. This helps to minimize administration between your accounts as it negates the need to duplicate resources in each of your AWS accounts. At the time of writing this course, AWS Resource Access Manager, or RAM, supports the sharing of the following. Subnets, transit gateways, resolver rules, capacity reservations, license configurations, Aurora DB clusters, and traffic mirror targets. However, AWS is continually working to add more and more resource types, so be sure to check the AWS documentation for the latest supported resources which can be found here. 

To understand how this sharing works, let me look at an example. Let's presume we wanted to share a subnet from one AWS account with another account. From an architectural point of view, what does this mean and how does it work? Well, once the subnet has been shared from the source account, let's call this account A, with another account, let's call this account B, then account B is able to see this subnet from within the management console or via the AWS CLI. This then allows Account B to use and deploy resources in that subnet, for example, having the ability to launch EC2 instances into that shared subnet. However, account B has no administrative control over the shared resource, so it can't delete the subnet or modify it in any way. The only action account B can take with the shared resource is to add or edit tags associated to the subnet. So to be clear, the subnet is not duplicated from account A and then added to Account B. Instead, the resource is simply shared from account A with account B, meaning the subnet itself remains a part of Account A and account A's VPC.

Let me run through a demonstration to show you how this is configured and how it works. In this demonstration, I will perform the following steps. I'll log in to my primary account via the AWS Management Console, I'll create a resource share of a subnet within my VPC of my primary account. I'll then nominate a different account from within my AWS Organization as the principal to this shared subnet resource. I'll then log in to the account that I shared the resource with, view the share from within the management console, and launch a new EC2 instance into the shared subnet.

Okay, let's take a look. As you can see, I'm logged in at the AWS Management Console, and this is going to be my primary account. So my primary account is, as you can see on the top right-hand corner here, is Stu Scott. So that's my primary account. So what I want to do, I want to share a subnet from this AWS account with another account that I have. So firstly, I need to go to the Resource Access Manager. And you can find that under the Security, Identity and Compliance section here. So if we just go to that. Now, if you haven't got any shares created already, then you'll be presented with this welcome screen, and it just gives you a brief overview of the service, use cases, etc. So let's get right into it and start creating our resource share. We can click on this orange button here, create a resource share. Now we've got a number of options that we can select. Firstly, we'll need to give this resource share a name. So we just call this SubnetSharing. Now, as we go down, we can select our resource type. As I mentioned previously, the current resource types that we have are subnets, transit gateways, resolver rules, capacity reservations, license configurations, Aurora DB clusters, and traffic mirror targets. For this demonstration, I'm going to be selecting a subnet. Under here, I have all my subnets in my VPCs. So I'm going to select this subnet here, this Public-Sub. So I can select that subnet. Now I have the subnet selected that I want to share, I can scroll down and allocate who I want to share this with. And this is in the Principals section. As you can see here, we can simply add the AWS account number, or the OU or organization if you're using AWS Organizations. Now, this account is actually part of an organization. So if I click on show organization structure, you can see here that here's my organization and I have two AWS accounts within this organization. So I'm going to select my other account, this CA-Demo account. If you scroll down, we can see that it's added the account number as the principal to share it with. Finally at the bottom, you can add a tag for your share as well, if you want to. That's just an optional value. So I'm just gonna leave that blank. Then I simply click on Create resource share. And now we see at the top in blue, our Resource Share has been successfully created. And that's it. It's as simple as that to create your resource share. 

One thing I do want to show you quickly, is just on the left-hand side here under settings. If you do want to use AWS Organizations and select an account within your organization, then you'll need to enable this tick box here, which is enable sharing with your AWS organization. If you just want to configure sharing using the AWS account ID, then you can simply add that, that's no problem. But if you do want to enable sharing with your AWS organization, then do ensure that this tick box is ticked. 

Okay. Now what I want to do is log in to the other account that I selected as the principal within this share. So let me just flip over now and go across to that account. Okay, so I'm now in the other account, as you can see up here the account has changed. So if I go across to my VPC configuration and take a look at the subnets, if I take a look at the subnets here, I notice that this bottom subnet wasn't here previously the last time I was logged in. And if I scroll right across to the end, we can see under the owner column that it is the other account, and this is the shared subnet. So it appears on our AWS Management Console as an available subnet to use, and that's exactly what we wanted. Now we can also see here that it's associated to a different VPC. And if I select on that, this shows me the options or the VPC of the primary account. And if we just take a look at the bottom here, we can see that the owner of this VPC is in fact the other account. So by setting up a share of the subnet, it's automatically shared the VPC details as well.

So now, let's go ahead and see if we can launch an EC2 instance in that shared subnet. So if I go across to EC2, Launch instance. Just select a Linux AMI. Go to configure. Let's go across to the network where we can select our VPC. So we have our default VPC, but we also have the shared VPC that's associated to the shared subnet. So we can select that VPC, and this allows us to see any subnets within this VPC that has been shared with us. And we can see here that this is the subnet as it's been highlighted as shared. And then we can simply go ahead and add our storage and tags, etc, and just carry on going through the process of launching an EC2. I'm just gonna accept all the default for the sake of this demonstration, and then launch the instance.

If I go to view instances, I can see that this instance is trying to launch at the moment, it's pending. And there we go, it's now running. So if we take a look at the instance details at the bottom here, we can see the subnet that it's associated to, and that is the shared subnet that's running in the primary account. And if I select on that subnet, it'll take us to the details. And again, if we have a look at the owner options at the bottom here, we can confirm that that is the shared subnet. So just to recap what we've done in this demonstration. In the primary account, I created a share of a subnet that was running in the VPC of that account. I added a secondary account as a principal of that share. I then logged in to that secondary account and confirmed that I could see that subnet available from within my management console, and I then created an EC2 instance and launched it within that same subnet. And that's it. So that's how you can create resource shares using the AWS Resource Access Manager.

That brings me to the end of this course, which explained the principles behind the AWS Resource Access Manager and how to share resources across accounts. If you'd like some additional information on some of the topics I covered in this course, then please take a look at the resources below. Feedback on our courses here at Cloud Academy is valuable to both us as trainers and any students looking to take the same course in the future. If you have any feedback, positive or negative, it'll be greatly appreciated if you can contact Thank you for your time, and good luck with your continued learning of cloud computing. Thank you.

About the Author
Learning Paths

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.