Resource Sharing
Working on Resource Sharing
Sharing a resource you own with another AWS account is called resource sharing. Principals in that account gain access to the shared resource, and any policies and permissions that apply in that account also apply to the shared resource. Shared resources appear to the accounts they were shared with as if they were native to those accounts.
How to share your resources
You share resources you own by creating a resource share with AWS RAM. To create a resource share, you provide the following information:
- The AWS Region in which the resource share is created. In the console, you select it from the Region drop-down in the upper-right corner; in the AWS CLI, you pass the --region parameter.
- A resource share can contain only Regional resources that are in the same AWS Region as the share itself.
- A resource share can contain global resources only if it was created in the designated home Region, US East (N. Virginia), us-east-1.
- The resource share's name.
- The resources you want to grant access to as part of this resource share.
- The principals you grant access to. A principal can be an individual AWS account, an organization or an organizational unit (OU) in AWS Organizations, or, for supported resource types, an individual AWS Identity and Access Management (IAM) role or user.
- An AWS RAM managed permission to associate with each resource type. This AWS-managed permission controls which actions principals in the other accounts can perform on the resources in the share.
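The procedure above, carried out programmatically. This is an added example, not code from the original page or from AWS: it checks each resource ARN against the Region rules listed above (Regional resources must be in the share's Region, global resources require us-east-1) and then builds the boto3 create_resource_share call. The account ID 111122223333, the OU ARN, the subnet IDs and the share name are constructed placeholders; the managed permission ARN uses the AWSRAMDefaultPermissionSubnet name that appears later on this page.

```python
"""Added example, not code from the original page: validate the inputs for an
AWS RAM resource share against the Region rules, then build the
RAM.create_resource_share call.

Assumptions (all constructed placeholders): account 111122223333, the OU ARN,
the subnet IDs and the share name. The boto3 call itself is real but is only
sent when apply=True and credentials are configured.
"""

HOME_REGION = "us-east-1"  # the only Region whose shares may contain global resources

# AWS-managed default permission for the ec2:Subnet resource type, following the
# AWSRAMDefaultPermission<ShareableResourceType> naming convention.
SUBNET_DEFAULT_PERMISSION = "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet"


def arn_region(arn: str) -> str:
    """Return the Region field of an ARN (arn:partition:service:region:account:resource).

    Global resources leave the field empty, so "" is returned for them.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3]


def region_violation(share_region: str, arn: str) -> str:
    """Check one resource against the AWS RAM Region rules.

    Returns "" when the resource may be added to a share in share_region,
    otherwise a message saying which rule is broken:
      - a Regional resource must be in the same Region as the share
      - a global resource (empty Region field) needs a share in us-east-1
    """
    region = arn_region(arn)
    if region == "":
        if share_region != HOME_REGION:
            return f"global resource {arn} can only be shared from {HOME_REGION}"
        return ""
    if region != share_region:
        return f"{arn} is in {region} but the resource share is in {share_region}"
    return ""


def build_create_request(share_region, name, resource_arns, principals,
                         permission_arns, allow_external_principals=False):
    """Return the kwargs for RAM.create_resource_share, or raise ValueError.

    allow_external_principals defaults to False so the share is limited to
    principals inside your AWS Organization unless you opt out explicitly.
    """
    problems = [region_violation(share_region, arn) for arn in resource_arns]
    problems = [p for p in problems if p]
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "name": name,
        "resourceArns": list(resource_arns),
        "principals": list(principals),
        "permissionArns": list(permission_arns),
        "allowExternalPrincipals": allow_external_principals,
    }


def create_resource_share(share_region, request, apply=False):
    """Send the request with boto3 when apply=True; otherwise hand it back
    unsent so it can be reviewed. The client is created in share_region
    because that is the Region the resource share will live in."""
    if not apply:
        return request
    import boto3  # imported here so the validation above runs without the SDK
    ram = boto3.client("ram", region_name=share_region)
    return ram.create_resource_share(**request)


if __name__ == "__main__":
    # Constructed sample: two subnets in us-east-1 shared with one OU.
    request = build_create_request(
        share_region="us-east-1",
        name="prod-shared-subnets",
        resource_arns=[
            "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-0a1b2c3d4e5f6a7b8",
            "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-0b2c3d4e5f6a7b8c9",
        ],
        principals=["arn:aws:organizations::111122223333:ou/o-exampleorgid/"
                    "ou-examplerootid111-exampleouid111"],
        permission_arns=[SUBNET_DEFAULT_PERMISSION],
    )
    print(create_resource_share("us-east-1", request))
```

Run as-is for a dry run that prints the request; pass apply=True only once credentials for the owning account are configured. allowExternalPrincipals is left False so the share cannot reach accounts outside your AWS Organization unless you deliberately turn that on; the same check is what the --no-allow-external-principals option does in the AWS CLI.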
Using Shared Resources
When a resource's owner shares it with your account, you can access it much as if your account owned it. You use the relevant service's console, AWS Command Line Interface (AWS CLI) commands, and API actions to reach the resource. The API actions that principals in your account can perform are determined by the AWS RAM managed permission associated with the resource share and vary by resource type. All IAM policies and service control policies (SCPs) configured in your account still apply, so your existing security and governance controls stay in place.
When you access a shared resource through its service, you have the same capabilities and restrictions as the AWS account that owns it:
- If the resource is Regional, you can access it only from the AWS Region in which the owning account created it.
- If the resource is global, you can use the service's console and tools to access it from any AWS Region the resource supports. To view and manage the resource share and its global resources in the AWS RAM console and tools, however, you must use the designated home Region, US East (N. Virginia), us-east-1.
Accessing AWS RAM
You can use AWS RAM in a variety of ways, including:
AWS RAM console
The AWS RAM console is a web-based user interface for AWS RAM. If you have an AWS account, sign in to the AWS Management Console and choose AWS RAM from the console home page.
You can also open the AWS RAM console directly in your browser. If you aren't already signed in, you're asked to sign in before the console appears.
AWS CLI and Tools for Windows PowerShell
The AWS CLI and the AWS Tools for Windows PowerShell provide direct access to the AWS RAM public API operations from the command line. Both are available for Windows, macOS, and Linux.
AWS SDKs
AWS provides SDKs for a wide range of programming languages; each SDK wraps the AWS RAM API operations in language-specific calls.
Query API
The AWS RAM HTTPS Query API gives you programmatic access to AWS RAM if you don't use one of the supported programming languages. You can use it to send HTTPS requests directly to the service. When you call the AWS RAM API directly, you must include code that digitally signs each request with your credentials.
Benefits of AWS RAM
Following are the benefits of using AWS Resource Access Manager:
Reduces Your Operational Overhead
Create a resource once, then share it with additional accounts using AWS RAM. This saves operational overhead by eliminating the need to provision duplicate resources in each account.
Provides Visibility and Auditability
AWS RAM's integration with Amazon CloudWatch and AWS CloudTrail lets you see usage details for your shared resources. AWS RAM gives you a comprehensive view of which resources are shared and with which accounts.
Provides Security and Consistency
Use a single set of policies and permissions to simplify security management for your shared resources. If you instead created duplicate resources in each of your accounts, you would have to define identical policies and permissions in each one and then keep them consistent across all of them. With AWS RAM, a single set of policies and permissions governs every principal that uses the shared resources, and AWS RAM provides a uniform experience for sharing different kinds of AWS resources.
Types of AWS RAM managed permissions
When you create a resource share, you choose the AWS RAM managed permission for each resource type in the share. Managed permissions are defined by the service that owns the resource and are managed by AWS RAM.
Default Managed Permission
There is one default managed permission for each resource type supported by AWS RAM. The default managed permission allows principals to perform the specific actions that the owning service has defined for that resource type. For example, the default managed permission for the Amazon VPC ec2:Subnet resource type allows principals to perform the following actions:
- ec2:RunInstances
- ec2:CreateNetworkInterface
- ec2:DescribeSubnets
Default managed permissions are named in the format AWSRAMDefaultPermissionShareableResourceType. For the ec2:Subnet resource type, the default AWS RAM managed permission is named AWSRAMDefaultPermissionSubnet.
Additional Managed Permissions
Some resource types offer additional choices for the permissions you can assign in a resource share, for example read-only access and full access (read and write). These additional managed permissions give you more flexibility when granting permissions to specific principals for supported resource types. For example, when you share a resource type that supports both a full-access (read and write) and a read-only managed permission, you can share it with administrators using the full-access managed permission and with other team members using the read-only managed permission, which follows the security best practice of least privilege.
Frequently Asked Questions
What is AWS Resource Access Manager?
AWS RAM lets you securely share resources across AWS accounts, within your organization or organizational units (OUs) in AWS Organizations, and, for supported resource types, with IAM roles and IAM users. Sharing removes the need for each account to provision and manage its own copy of a resource. When you share a resource with another account, that account's policies and permissions apply to it as well.
How can I get started using AWS RAM?
To get started, create a resource share using the AWS RAM console, the AWS RAM API, the AWS CLI, or an AWS SDK. You share resources by adding them to the resource share, selecting a managed permission to associate with each resource type, and specifying the principals you want to have access.
Who can I share resources with?
You can share resources with any AWS account. If your account is a member of an AWS Organization and sharing within the organization is enabled, you can also share with OUs or with your entire organization. For supported resource types, you can share with IAM roles and IAM users as well. Accounts outside your organization receive an invitation to join the resource share and can use the shared resources only after they accept it.
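The invitation flow for accounts outside your organization, as an added example that is not part of the original page or of AWS's own tooling: it narrows pending invitations down to those from sender accounts you have allow-listed before accepting any, because accepting a share from an unknown account puts that account's resources (subnets, transit gateways, resolver rules) in the path of your workloads. SAMPLE_INVITATIONS is a constructed response in the shape that get_resource_share_invitations returns; every account ID, name and ARN in it is a placeholder.

```python
"""Added example, not code from the original page: triage AWS RAM resource
share invitations so that only invitations from accounts you expect are
accepted.

SAMPLE_INVITATIONS is a constructed response in the shape returned by
RAM.get_resource_share_invitations; every account ID, name and ARN in it is
a placeholder. The boto3 calls are real but only run when apply=True.
"""

# Constructed sample: one pending invitation from a partner account we know,
# one pending from an account we do not, and one that was already accepted.
SAMPLE_INVITATIONS = [
    {
        "resourceShareInvitationArn": "arn:aws:ram:us-east-1:111122223333:resource-share-invitation/11111111-1111-1111-1111-111111111111",
        "resourceShareName": "partner-transit-gateway",
        "senderAccountId": "111122223333",
        "receiverAccountId": "444455556666",
        "status": "PENDING",
    },
    {
        "resourceShareInvitationArn": "arn:aws:ram:us-east-1:999999999999:resource-share-invitation/22222222-2222-2222-2222-222222222222",
        "resourceShareName": "free-subnets",
        "senderAccountId": "999999999999",
        "receiverAccountId": "444455556666",
        "status": "PENDING",
    },
    {
        "resourceShareInvitationArn": "arn:aws:ram:us-east-1:111122223333:resource-share-invitation/33333333-3333-3333-3333-333333333333",
        "resourceShareName": "partner-resolver-rules",
        "senderAccountId": "111122223333",
        "receiverAccountId": "444455556666",
        "status": "ACCEPTED",
    },
]


def triage_invitations(invitations, allowed_senders):
    """Split invitations into those to accept and those to leave alone.

    Only PENDING invitations whose senderAccountId is in allowed_senders are
    accepted; anything else (unknown sender, or already handled) is listed
    under "ignore" with a reason so a human can review it.
    """
    result = {"accept": [], "ignore": []}
    for inv in invitations:
        arn = inv["resourceShareInvitationArn"]
        if inv["status"] != "PENDING":
            result["ignore"].append((arn, f"status is {inv['status']}"))
        elif inv["senderAccountId"] not in allowed_senders:
            result["ignore"].append((arn, f"unknown sender {inv['senderAccountId']}"))
        else:
            result["accept"].append(arn)
    return result


def fetch_invitations(region):
    """Page through RAM.get_resource_share_invitations in the given Region."""
    import boto3  # imported here so the triage logic runs without the SDK
    ram = boto3.client("ram", region_name=region)
    items, kwargs = [], {}
    while True:
        resp = ram.get_resource_share_invitations(**kwargs)
        items.extend(resp["resourceShareInvitations"])
        if not resp.get("nextToken"):
            return items
        kwargs = {"nextToken": resp["nextToken"]}


def accept_invitations(region, allowed_senders, invitations=None, apply=False):
    """Accept the invitations triage approves. With apply=False nothing is
    sent; the triage result is returned so it can be reviewed first."""
    if invitations is None:
        invitations = fetch_invitations(region)
    plan = triage_invitations(invitations, allowed_senders)
    if apply:
        import boto3
        ram = boto3.client("ram", region_name=region)
        for arn in plan["accept"]:
            ram.accept_resource_share_invitation(resourceShareInvitationArn=arn)
    return plan


if __name__ == "__main__":
    # Dry run over the constructed sample: partner account 111122223333 is trusted.
    plan = accept_invitations("us-east-1", {"111122223333"}, SAMPLE_INVITATIONS)
    for arn in plan["accept"]:
        print("would accept:", arn)
    for arn, why in plan["ignore"]:
        print("ignoring:", arn, "-", why)
```

Shares from inside your own organization do not go through this flow when sharing with AWS Organizations is enabled, since those are accepted automatically; the allow-list matters for the external accounts the FAQ answer above describes. Call accept_invitations without the invitations argument to pull the live list, and pass apply=True only after reviewing the dry-run plan.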
How can I manage who has access to resources that are shared with me?
Use IAM policies in your own account (and service control policies, if your organization applies them) to restrict which of your principals can act on resources shared with you. The managed permission chosen by the resource owner sets the ceiling on what is possible; your policies can only narrow it further.
Conclusion
In this blog, we have discussed AWS Resource Access Manager in detail.
We hope this blog enhances your knowledge of AWS Resource Access Manager. If you would like to learn more, check out our other articles on AWS.
Happy Learning!