AWS Resource Access Manager
Share AWS resources securely across accounts and organizations
Imagine you and your neighbor both need to use a really expensive lawn mower. Instead of each buying one, you could share a single mower that sits in a common shed. AWS Resource Access Manager (RAM) is that shed. It lets you share certain AWS resources, such as VPC subnets, Transit Gateways, or Route 53 Resolver rules, with other AWS accounts without duplicating them or giving up control. You still own the mower, but your trusted neighbors (other accounts, typically in your AWS Organization) can use it under rules you set.
RAM integrates tightly with AWS Organizations to enable resource sharing at scale. When you share a resource, you create a resource share that lists which principals (AWS accounts, organizational units, the whole organization, and for some resource types IAM roles and users) can access which resources. The resources stay in the owner account, but they appear natively in the consumer accounts' consoles and APIs. For example, if you share a VPC subnet via RAM, the consumer account can launch EC2 instances directly into that subnet as if it were its own; the consumer owns and pays for those instances, while the subnet, its route table, and its network ACLs remain controlled by the owner. This removes the need for VPC peering meshes or one VPC per account. RAM supports sharing of Transit Gateways, License Manager configurations, Aurora DB clusters, Route 53 Resolver rules, and more.
Key Capabilities
- Shares specific AWS resources (VPC subnets, Transit Gateways, Route 53 Resolver rules, License Manager configurations, and more) with AWS accounts, OUs, or the whole organization without duplicating them
- Organization-wide sharing removes the need for per-account invitations; once sharing with AWS Organizations is enabled in RAM, resources shared with an OU or the whole organization become available to every account in it automatically, including accounts added later
- Sharing VPC subnets enables a hub-and-spoke networking model where multiple accounts launch resources into a centrally managed network
- Resource owners retain full control; recipient accounts can use shared resources but cannot modify or delete them
- Resource shares are tagged and managed centrally, giving the owning account visibility into what is shared with whom
- Supports sharing with individual accounts outside your organization for resource types that permit it (VPC subnets, for example, can only be shared within an organization), enabling cross-organization access for partner or vendor scenarios; such recipients must accept an invitation
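Because a resource share can reach accounts outside the organization, the RAM API calls that create or widen a share are worth watching in CloudTrail. The following detection is an added example, not code from AWS or from this page: it reads constructed CloudTrail records for `CreateResourceShare`, `AssociateResourceShare` and `UpdateResourceShare` (the `requestParameters` field names mirror the RAM API parameters) and flags any share that names a principal outside a constructed set of organization accounts or that sets `allowExternalPrincipals` to true. The account IDs, ARNs and the organization account list are all made up for the example.

```python
"""Flag AWS RAM resource shares that reach outside the organization, from CloudTrail records."""
import json

# Constructed: the set of account IDs that belong to "our" organization.
ORG_ACCOUNTS = {"111122223333", "444455556666"}

# Constructed CloudTrail records, trimmed to the fields the check uses.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventSource": "ram.amazonaws.com", "eventName": "CreateResourceShare", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/NetOps"},
     "requestParameters": {"name": "shared-net", "allowExternalPrincipals": False,
                           "resourceArns": ["arn:aws:ec2:us-east-1:111122223333:subnet/subnet-0a1b2c3d4e5f67890"],
                           "principals": ["arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-exam-12345678"]}},
    {"eventSource": "ram.amazonaws.com", "eventName": "AssociateResourceShare", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"resourceShareArn": "arn:aws:ram:us-east-1:111122223333:resource-share/0000aaaa-bbbb-cccc-dddd-eeee11112222",
                           "principals": ["999999999999"]}},
    {"eventSource": "ram.amazonaws.com", "eventName": "CreateResourceShare", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::444455556666:role/Admin"},
     "requestParameters": {"name": "tgw-partner", "allowExternalPrincipals": True,
                           "resourceArns": ["arn:aws:ec2:eu-west-1:444455556666:transit-gateway/tgw-0a1b2c3d4e5f67890"],
                           "principals": ["arn:aws:iam::777788889999:role/PartnerNet"]}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/NetOps"}, "requestParameters": {}},
]]

WATCHED = {"CreateResourceShare", "AssociateResourceShare", "UpdateResourceShare"}


def is_external(principal, org_accounts):
    """True when a RAM principal lies outside the organization's account set."""
    if principal.isdigit() and len(principal) == 12:          # bare account ID
        return principal not in org_accounts
    if principal.startswith("arn:aws:organizations::"):       # OU or organization ARN: in-org by definition
        return False
    if principal.startswith("arn:aws:iam::"):                  # IAM role/user: judge by its account segment
        return principal.split(":")[4] not in org_accounts
    return True                                                # unknown shape: treat as suspicious


def find_external_shares(lines, org_accounts):
    """Return one finding per RAM call that names an external principal or enables external sharing."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "ram.amazonaws.com" or ev.get("eventName") not in WATCHED:
            continue
        params = ev.get("requestParameters") or {}
        external = [p for p in params.get("principals", []) if is_external(p, org_accounts)]
        if external or params.get("allowExternalPrincipals") is True:
            findings.append({
                "event": ev["eventName"],
                "actor": ev["userIdentity"]["arn"],
                "region": ev["awsRegion"],
                "share": params.get("name") or params.get("resourceShareArn"),
                "external_principals": external,
                "allow_external": params.get("allowExternalPrincipals"),
                # Failed calls are kept on purpose: an attempt to share externally is still worth a look.
                "succeeded": "errorCode" not in ev,
            })
    return findings


if __name__ == "__main__":
    for f in find_external_shares(SAMPLE_EVENTS, ORG_ACCOUNTS):
        print(f)
```

Run against a CloudTrail Lake query or an S3 export, the same function applies unchanged; the only site-specific input is the organization account set, which you would pull from `organizations:ListAccounts` rather than hard-code.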
Gotchas & Constraints
- Gotcha #1: Not every AWS resource type can be shared through RAM, and some types can be shared only within your organization; check the list of shareable resources before designing around it.
- Gotcha #2: Shared resources still count against the owner account's quotas, not the consumer's. The owner also pays for VPC-level resources in a shared VPC (NAT gateways, for example), while consumers pay for the instances and other resources they create in it.
- Gotcha #3: Principals that leave the organization lose access to shares made through the organization or an OU.
- Constraints: sharing with OUs or the whole organization requires AWS Organizations with all features enabled and sharing with Organizations turned on in RAM; sharing with individual accounts does not require Organizations, but the recipient must accept an invitation, which expires after seven days. Resource shares are region-specific, and some resource types carry additional sharing restrictions.
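The constraints above (regional shares, types that are not shareable at all, types that cannot leave the organization, and organization sharing that must be switched on first) are easy to get wrong in automation, and `CreateResourceShare` only tells you at call time. The following pre-flight check is an added example, not code from AWS or from this page: it validates a planned resource share offline and then produces the keyword arguments you would hand to boto3's `ram.create_resource_share`. The shareable-type table covers only the types the page mentions, the external-sharing flags in it are the author's reading of the RAM documentation, and every ARN, account ID and organization identifier is made up for the example.

```python
"""Offline pre-flight check for a planned AWS RAM resource share (no AWS calls)."""
import re

# Subset of RAM-shareable types named on this page, keyed by the ARN's service and
# resource-type segments. The bool says whether RAM allows that type to be shared with
# accounts outside the owner's organization. Assumption: maintained by hand from the
# RAM "shareable resources" documentation; extend it for other types.
SHAREABLE = {
    ("ec2", "subnet"): False,                      # VPC subnets: organization only
    ("ec2", "transit-gateway"): True,
    ("route53resolver", "resolver-rule"): True,
    ("license-manager", "license-configuration"): True,
    ("rds", "cluster"): True,                      # Aurora DB clusters
}

ACCOUNT_RE = re.compile(r"^\d{12}$")
ORG_PRINCIPAL_RE = re.compile(r"^arn:aws:organizations::\d{12}:(organization|ou)/")


def parse_arn(arn):
    """Return (service, region, account, resource_type) or None if the ARN is malformed."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    _, _, service, region, account, resource = parts
    # The resource type is the segment before the first '/' or ':' (license configurations use ':').
    rtype = re.split(r"[/:]", resource, 1)[0]
    return service, region, account, rtype


def check_resource_share(region, resource_arns, principals, org_accounts,
                         allow_external, org_sharing_enabled):
    """Return a list of problems with the planned share; an empty list means it is sound."""
    problems = []
    external = [p for p in principals if ACCOUNT_RE.match(p) and p not in org_accounts]
    org_scoped = [p for p in principals if ORG_PRINCIPAL_RE.match(p)]
    for p in principals:
        if not (ACCOUNT_RE.match(p) or ORG_PRINCIPAL_RE.match(p)):
            problems.append(f"principal {p!r} is neither a 12-digit account ID nor an Organizations ARN")
    if external and not allow_external:
        problems.append(f"{external} are outside the organization but allowExternalPrincipals is False")
    if org_scoped and not org_sharing_enabled:
        problems.append("sharing with an OU/organization requires ram:EnableSharingWithAwsOrganization first")
    for arn in resource_arns:
        parsed = parse_arn(arn)
        if parsed is None:
            problems.append(f"{arn} is not a valid ARN")
            continue
        service, res_region, _, rtype = parsed
        key = (service, rtype)
        if key not in SHAREABLE:
            problems.append(f"{arn}: {service}:{rtype} is not a RAM-shareable type")
            continue
        if res_region != region:                   # RAM is regional: share and resource must match
            problems.append(f"{arn} is in {res_region} but the share is in {region}")
        if external and not SHAREABLE[key]:
            problems.append(f"{arn}: {rtype} can only be shared within the organization")
    return problems


def build_create_call(name, resource_arns, principals, allow_external):
    """Keyword arguments for boto3 ram.create_resource_share, for review before the real call."""
    return {"name": name, "resourceArns": list(resource_arns),
            "principals": list(principals), "allowExternalPrincipals": allow_external}


if __name__ == "__main__":
    org = {"111122223333", "444455556666"}                       # constructed organization
    subnet = "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-0a1b2c3d4e5f67890"
    print(check_resource_share("us-east-1", [subnet], ["999999999999"], org, True, False))
```

The same check belongs in CI for infrastructure-as-code that declares resource shares, where it catches a Transit Gateway attachment ARN (not shareable; share the Transit Gateway itself) or a subnet aimed at a partner account before anything reaches AWS.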
A financial services company operates a hub-and-spoke network using AWS Transit Gateway across 47 business unit accounts. Without RAM, each account would need its own Transit Gateway, peered to the others, with routes maintained in every one of them, which means management overhead and duplicated cost. Instead, the central networking team creates a single Transit Gateway in the shared services account and uses RAM to share it with the business unit OUs. Each BU creates a VPC attachment to the shared Transit Gateway from its own account, while the central team keeps full control of the Transit Gateway route tables, route propagation, and traffic inspection. The same team shares Route 53 Resolver rules so that every account resolves on-premises names consistently, and shares Aurora DB clusters that hold common reference data.
The Result
60% reduction in networking costs, simplified management, and consistent network policies across all accounts.