Table of contents
1. Introduction
2. What is AWS Resource Access Manager?
3. Resource Sharing
3.1. Working on Resource Sharing
3.2. How to share your resources
3.3. Using Shared Resources
4. Accessing AWS RAM
4.1. AWS RAM console
4.2. AWS CLI and Tools for Windows PowerShell
4.3. AWS SDKs
4.4. Query API
5. Benefits of AWS RAM
5.1. Reduces Your Operational Overhead
5.2. Provides Visibility and Auditability
5.3. Provides Security and Consistency
6. Types of AWS RAM managed permissions
6.1. Default Managed Permission
6.2. Additional Managed Permissions
7. Frequently Asked Questions
7.1. What is AWS Resource Access Manager?
7.2. How can I get started using AWS RAM?
7.3. Who can I share resources with?
7.4. How can I manage who has access to resources that are shared with me?
8. Conclusion
Last Updated: Mar 27, 2024

AWS Resource Access Manager


Introduction

Every resource type that AWS RAM can share has at least one AWS RAM managed permission, which defines the actions that principals granted access through a resource share may perform on those resources. Some resource types have exactly one managed permission, and AWS RAM applies it automatically without any choice on your part; where a resource type defines several managed permissions, you choose which one to attach when you create the resource share.

Today, we will learn about the AWS Resource Access Manager or AWS RAM.

So, let's begin!

What is AWS Resource Access Manager?

AWS Resource Access Manager (AWS RAM) lets you securely share AWS resources created in one AWS account with other AWS accounts. If you operate many accounts, you can create a resource once and make it available to the others through AWS RAM instead of duplicating it in each account. If your accounts are managed by AWS Organizations, you can share a resource with the whole organization or with only the accounts in one or more organizational units (OUs). You can also share with individual AWS accounts by account ID, whether or not they belong to an organization, and, for supported resource types, with specific IAM roles and users.

Resource Sharing

Working on Resource Sharing

A resource share is the AWS RAM object through which you grant other principals access to resources you own. When you share a resource with another AWS account, principals in that account gain access to it, subject to the managed permission attached to the share and to the policies (IAM policies and service control policies) that apply in that account. The shared resources appear to the consuming accounts much as if they were native to them, but they remain owned by the sharing account, which alone controls the share.

How to share your resources

You share resources you own by creating a resource share in AWS RAM. To create one, you provide the following information:

  • The AWS Region in which the resource share is created. In the console this is the Region selector in the upper-right corner; in the AWS CLI it is the --region argument (or the default Region of the active profile).
  • Only Regional resources located in the same AWS Region as the resource share can be included in it.
  • A resource share can contain global resources only if it is created in the designated home Region, US East (N. Virginia), us-east-1.
  • The name of the resource share.
  • The resources to which the share grants access.
  • The principals that receive access. A principal can be an organization or an organizational unit (OU) in AWS Organizations, an individual AWS account, or, for supported resource types, an individual IAM role or user.
  • The AWS RAM managed permission to associate with each resource type in the share. This AWS-managed permission determines which actions principals in the other accounts can perform on the shared resources.
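The checklist above is easy to get wrong at the command line (a subnet ARN from the wrong Region, an OU ID pasted where an OU ARN is expected), and the API only tells you afterwards. The script below is an added example, not code from this page or from AWS: it validates a share specification against the rules just listed and, only if everything passes, builds the argument list for the real `aws ram create-resource-share` call. Everything in it is an assumption except the rules themselves: the sample ARNs, account IDs and OU are constructed, and an ARN whose region field is empty is treated as a global resource (this says nothing about which AWS RAM resource types are actually global).

```python
"""Pre-flight checks for an AWS RAM resource share (added example, not AWS code).

Rules applied: Regional resources must sit in the share's Region; global resources
(assumed here to be ARNs with an empty region field) may only be shared from the
home Region us-east-1; only resources the calling account owns can be shared; each
principal must be an account ID, an organization/OU ARN or an IAM role/user ARN.
"""
import re
from dataclasses import dataclass, field

HOME_REGION = "us-east-1"  # only Region whose shares may carry global resources

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ORG_ARN_RE = re.compile(r"^arn:aws:organizations::\d{12}:organization/o-[0-9a-z]{10,32}$")
OU_ARN_RE = re.compile(
    r"^arn:aws:organizations::\d{12}:ou/o-[0-9a-z]{10,32}/ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$")
IAM_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/[\w+=,.@/-]+$")


def parse_arn(arn):
    """Split arn:partition:service:region:account:resource into its fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def classify_principal(principal):
    """Return the kind of principal RAM accepts, or None if the format is unknown."""
    if ACCOUNT_ID_RE.match(principal):
        return "account"
    if ORG_ARN_RE.match(principal):
        return "organization"
    if OU_ARN_RE.match(principal):
        return "ou"
    if IAM_ARN_RE.match(principal):
        return "iam"
    return None


@dataclass
class ShareSpec:
    name: str
    region: str            # Region the share is created in
    owner_account: str     # account that runs create-resource-share
    resource_arns: list
    principals: list
    permission_arns: list = field(default_factory=list)


def validate_share(spec):
    """Return a list of problems; an empty list means the spec passes."""
    errors = []
    for arn in spec.resource_arns:
        try:
            p = parse_arn(arn)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if p["account"] and p["account"] != spec.owner_account:
            errors.append(f"{arn}: owned by {p['account']}, not {spec.owner_account}; "
                          "only resources you own can be shared")
        if p["region"] == "":  # assumption: empty region field means a global resource
            if spec.region != HOME_REGION:
                errors.append(f"{arn}: global resources can only be shared from "
                              f"{HOME_REGION}, but the share is in {spec.region}")
        elif p["region"] != spec.region:
            errors.append(f"{arn}: Regional resource in {p['region']} cannot join "
                          f"a share in {spec.region}")
    for principal in spec.principals:
        if classify_principal(principal) is None:
            errors.append(f"{principal}: not an account ID, organization/OU ARN "
                          "or IAM role/user ARN")
    for arn in spec.permission_arns:
        try:
            p = parse_arn(arn)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if p["service"] != "ram" or not p["resource"].startswith("permission/"):
            errors.append(f"{arn}: not an AWS RAM managed permission ARN")
    return errors


def to_cli_args(spec):
    """Build argv for the real CLI call; refuse to build it if validation fails."""
    problems = validate_share(spec)
    if problems:
        raise ValueError("; ".join(problems))
    args = ["aws", "ram", "create-resource-share", "--region", spec.region,
            "--name", spec.name, "--resource-arns", *spec.resource_arns,
            "--principals", *spec.principals]
    if spec.permission_arns:
        args += ["--permission-arns", *spec.permission_arns]
    return args


if __name__ == "__main__":
    # Constructed sample: share one subnet in eu-west-1 with one account and one OU.
    spec = ShareSpec(
        name="shared-subnets", region="eu-west-1", owner_account="111111111111",
        resource_arns=["arn:aws:ec2:eu-west-1:111111111111:subnet/subnet-0123456789abcdef0"],
        principals=["222222222222",
                    "arn:aws:organizations::111111111111:ou/o-abcdefghij/ou-ab12-cd345678"],
        permission_arns=["arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet"],
    )
    print(" ".join(to_cli_args(spec)))
```

The validator deliberately refuses to emit a command when any check fails rather than emitting a partial one; a share with a mis-typed principal is a cross-account grant to the wrong party, which is cheaper to catch here than in CloudTrail later.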

Using Shared Resources

When a resource owner shares a resource with your account, you can use it much as if your account owned it, through the relevant service's console, AWS Command Line Interface (AWS CLI) commands and API actions. Which API actions principals in your account can perform is determined by the AWS RAM managed permission attached to the resource share and varies by resource type. All IAM policies and service control policies (SCPs) that apply in your account still apply, so your existing security and governance controls remain in force: a shared resource never grants more than the intersection of what the owner's managed permission allows and what your own policies allow.

When you access a shared resource through the service, you are subject to the same capabilities and restrictions as the owning account, within what the managed permission allows.

  • If the resource is Regional, you can access it only from the AWS Region in which the owning account created it.
  • If the resource is global, you can access it through the service's console and tools from any AWS Region the resource supports. The resource share itself and its global resources, however, can be viewed and managed in the AWS RAM console and tools only in the designated home Region, US East (N. Virginia), us-east-1.

Accessing AWS RAM

You can use AWS RAM in a variety of ways, including:

AWS RAM console

The AWS RAM console is a web-based user interface for AWS RAM. If you have an AWS account, sign in to the AWS Management Console and select AWS RAM from the console home page to open it.

You can also go straight to the AWS RAM console in your browser. Before the console shows, you'll be asked to sign in if you haven't already.

AWS CLI and Tools for Windows PowerShell

The AWS CLI and the AWS Tools for PowerShell give you direct command-line access to the AWS RAM public API operations. Both are available for Windows, macOS and Linux.

AWS SDKs

The AWS SDKs wrap the AWS RAM API for a wide range of programming languages and take care of request signing, retries and error handling, so your application calls AWS RAM through a native library instead of assembling HTTPS requests by hand.

Query API

The AWS RAM HTTPS Query API gives you programmatic access to AWS RAM when none of the SDK languages fits your environment. You send HTTPS requests to the service endpoint directly; because no SDK is doing it for you, your code must sign every request with your AWS credentials (AWS Signature Version 4).

Benefits of AWS RAM

Following are the benefits of using AWS Resource Access Manager:

Reduces Your Operational Overhead 

Create a resource once and share it with additional accounts through AWS RAM. This reduces operational overhead by removing the need to provision and maintain duplicate resources in every account.

Provides Visibility and Auditability 

AWS RAM integrates with Amazon CloudWatch and AWS CloudTrail, so you can see how your shared resources are used and who accessed them. AWS RAM also gives you a single view of which resources are shared and with which accounts and principals.

Provides Security and Consistency 

Use a single set of policies and permissions to simplify security management for your shared resources. If you instead created duplicate resources in each account, you would have to define identical policies and permissions in every one of them and keep them consistent over time. With AWS RAM, one set of policies and permissions on the owner's side governs every principal that uses the shared resources, and sharing works the same way across the supported resource types.

Types of AWS RAM managed permissions

When you create a resource share, you choose an AWS RAM managed permission for each resource type in the share. The service that owns the resource type defines its managed permissions; AWS RAM maintains and distributes them.

Default Managed Permission

Every resource type supported by AWS RAM has one default managed permission, which allows principals to perform the set of actions the owning service has defined for that type. For example, the default managed permission for the Amazon VPC ec2:Subnet resource type allows principals to perform the following actions:

  • ec2:RunInstances
  • ec2:CreateNetworkInterface
  • ec2:DescribeSubnets

Default managed permissions are named AWSRAMDefaultPermissionShareableResourceType, where ShareableResourceType is the name of the resource type. The default AWS RAM managed permission for the ec2:Subnet resource type is therefore AWSRAMDefaultPermissionSubnet.

Additional Managed Permissions

Some resource types offer more than one managed permission, for example a read-only permission alongside a full-access (read and write) permission. These additional managed permissions let you grant different principals different levels of access to the same resource type. When sharing a resource type that has both a full-access and a read-only managed permission, you can attach the full-access permission in a share intended for administrators and the read-only permission in a second share intended for the rest of the team, following the least-privilege principle of granting only the access each principal needs.

Frequently Asked Questions

What is AWS Resource Access Manager?

For supported resource types, AWS RAM lets you securely share resources with other AWS accounts, with your organization or organizational units (OUs) in AWS Organizations, and with IAM roles and IAM users. Sharing removes the need for each account to provision and manage its own copy of the resource. When you share a resource with another account, the principals in that account are granted access to it, and that access is subject to the policies and permissions of the account it is shared with.

How can I get started using AWS RAM?

Create a resource share using the AWS RAM console, the AWS RAM API, the AWS CLI or an AWS SDK. Add the resources to the share, select the managed permission to associate with each resource type, and specify the principals that should have access.

Who can I share resources with?

You can share resources with any AWS account. If your account belongs to an AWS Organization and sharing within the organization is enabled, you can also share with OUs or with the entire organization. For supported resource types, you can also share with IAM roles and IAM users. Accounts outside your organization receive an invitation to the resource share and can use the shared resources only after accepting it.

How can I manage who has access to resources that are shared with me?

Use IAM policies in your own account to restrict which of your principals can use resources shared with you and which actions they can perform, and service control policies if the account belongs to an organization. These controls can only narrow access; the upper bound is set by the managed permission the owner attached to the resource share.
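The "Using Shared Resources" section, the "Additional Managed Permissions" section and this answer all describe the same security model: the owner's managed permission sets the ceiling, and the consumer's IAM policies and SCPs can only lower it. The following is an added example, not code from this page or from AWS, that makes the model concrete with a deliberately simplified evaluator. The only detail taken from the page is the three actions it lists for AWSRAMDefaultPermissionSubnet; the read-only permission, the consumer's identity policy, the SCP and the candidate actions are constructed. It does not model conditions, resource-level ARN matching, NotAction or permission boundaries, so use it to reason about the layering, not as a substitute for the IAM policy simulator.

```python
"""Effective access to a shared resource: a simplified model (added example, not AWS code).

A principal in the consuming account can perform an action on a shared resource only
if three layers all allow it: the managed permission the owner attached to the share,
the principal's own IAM identity policy, and any SCP on the consuming account. An
explicit Deny in any layer wins. Statements are IAM-style dicts; conditions,
resource ARNs, NotAction and permission boundaries are intentionally not modelled.
"""
import fnmatch

# Owner side: the actions this page lists for AWSRAMDefaultPermissionSubnet.
RAM_DEFAULT_SUBNET_PERMISSION = [
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:CreateNetworkInterface", "ec2:DescribeSubnets"]},
]
# A read-only alternative the owner could attach instead (constructed).
RAM_READ_ONLY_SUBNET_PERMISSION = [
    {"Effect": "Allow", "Action": ["ec2:DescribeSubnets"]},
]
# Consumer side: a developer role's identity policy and the account's SCP (constructed).
CONSUMER_DEVELOPER_POLICY = [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:DeleteSubnet"]},
]
CONSUMER_SCP = [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": "ec2:CreateNetworkInterface"},
]
CANDIDATE_ACTIONS = ["ec2:RunInstances", "ec2:CreateNetworkInterface",
                     "ec2:DescribeSubnets", "ec2:DeleteSubnet"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def decision(statements, action):
    """Evaluate one layer: explicit Deny beats Allow; no matching statement is an implicit deny."""
    allowed = False
    for stmt in statements:
        if any(action_matches(p, action) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def effective_actions(ram_permission, identity_policy, scp, candidates):
    """Actions the consumer principal can actually perform on the shared resource."""
    layers = (ram_permission, identity_policy, scp)
    return [a for a in candidates
            if all(decision(layer, a) == "Allow" for layer in layers)]


def is_read_only(ram_permission):
    """Least-privilege check before attaching a managed permission: every allowed
    action must be a Describe*/Get*/List* call. A wildcard such as ec2:* fails."""
    read_prefixes = ("Describe", "Get", "List")
    for stmt in ram_permission:
        if stmt["Effect"] != "Allow":
            continue
        for act in _as_list(stmt["Action"]):
            verb = act.split(":", 1)[1] if ":" in act else act
            if not verb.startswith(read_prefixes):
                return False
    return True


if __name__ == "__main__":
    print(effective_actions(RAM_DEFAULT_SUBNET_PERMISSION, CONSUMER_DEVELOPER_POLICY,
                            CONSUMER_SCP, CANDIDATE_ACTIONS))
    # -> ['ec2:RunInstances', 'ec2:DescribeSubnets']
    print(is_read_only(RAM_DEFAULT_SUBNET_PERMISSION), is_read_only(RAM_READ_ONLY_SUBNET_PERMISSION))
    # -> False True
```

Two things the output makes visible that the prose only states: ec2:DeleteSubnet is dropped even though the consumer's own policy allows it, because the owner's managed permission never granted it, and ec2:CreateNetworkInterface is dropped even though the managed permission grants it, because the consumer's identity policy does not allow it and the SCP explicitly denies it. To run the same check against a real managed permission, fetch its statement document with `aws ram list-permissions --resource-type ec2:Subnet` followed by `aws ram get-permission --permission-arn <arn>`, and inspect the returned JSON before feeding it to is_read_only, since the exact shape of that output is not something this example assumes.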

Conclusion

In this blog, we have extensively discussed AWS Resource Access Manager.

We hope this blog has improved your understanding of AWS Resource Access Manager. If you would like to learn more, check out our other articles on AWS.

