AWS Resource Access Manager – RAM

~ Last updated on : ~ jayendrapatil
Table of Contents hide
AWS Resource Access Manager – RAM
RAM Benefits
RAM Key Features
RAM vs Resource-based Policies
RAM Supported Resources
AWS Certification Exam Practice Questions

AWS Resource Access Manager – RAM

  • AWS Resource Access Manager – RAM helps secure sharing of the AWS resources created in one AWS account with other AWS accounts.
  • Using RAM, with multiple AWS accounts, a resource can be created once and made usable by those other accounts.
  • For an account managed by AWS Organizations, resources can be shared with all the other accounts in the organization or only those accounts contained by one or more specified organizational units (OUs).
  • Resources can also be shared with specific AWS accounts by account ID, regardless of whether the account is part of an organization.
  • RAM supports sharing resources with IAM roles and users in addition to accounts and organizations.
  • RAM supports AWS PrivateLink, allowing you to connect directly to RAM using an interface VPC endpoint for secure private access without traversing the public internet.

RAM Benefits

  • Reduces operational overhead
    • Create a resource once, and then use AWS RAM to share that resource with other accounts. This eliminates the need to provision duplicate resources in every account, which reduces operational overhead.
  • Provides security and consistency
    • Simplify security management for the shared resources by using a single set of policies and permissions.
    • Supports both AWS managed permissions and customer managed permissions for fine-grained access control over shared resources.
  • Provides visibility and auditability
    • AWS RAM provides comprehensive visibility into shared resources and accounts through the integration with CloudWatch and CloudTrail.

RAM Key Features

  • Customer Managed Permissions
    • In addition to AWS managed permissions, RAM supports customer managed permissions that allow you to author and maintain fine-grained resource access controls for supported resource types.
    • Customer managed permissions let you define exactly which actions a consumer can perform on shared resources.
    • You can create, view, and manage permission versions through the RAM console or APIs.
  • RetainSharingOnAccountLeaveOrganization (Feb 2026)
    • New resource share configuration that maintains resource sharing continuity when accounts move between AWS Organizations.
    • When enabled, RAM treats organization accounts as external accounts, requiring explicit invitation acceptance and preserving resource access during account transitions.
    • Useful for organizations undergoing mergers, acquisitions, or restructuring to maintain uninterrupted access to shared resources.
    • Security teams can use SCPs to enforce this configuration organization-wide.
  • Service Principal Sharing
    • You can associate service principals to resource shares, allowing specified AWS services to manage necessary actions for customer resources on your behalf.
  • AWS PrivateLink Support (Sept 2024)
    • RAM supports interface VPC endpoints via AWS PrivateLink, enabling private connectivity to RAM APIs without traversing the public internet.

RAM vs Resource-based Policies

  • Resources can be shared with an Organization or OU without having to enumerate every one of the AWS account IDs.
  • Users can see the resources shared with them directly in the originating AWS service console and API operations as if those resources were directly in the user’s account.
  • Owners of a resource can see which principals have access to each individual resource that they have shared.
  • RAM initiates an invitation process for resources shared with an account that isn’t part of the organization. Sharing within an organization doesn’t require an invitation and is auto-accepted.
  • RAM supports customer managed permissions for fine-grained access, while resource-based policies are defined per resource at the service level.

RAM Supported Resources

  • Amazon API Gateway (domain names) – Added Nov 2024
  • Amazon Application Recovery Controller (ARC) (clusters, plans)
  • AWS App Mesh Deprecated: EOL Sept 30, 2026. Migrate to Amazon VPC Lattice or ECS Service Connect.
  • AWS AppSync (GraphQL APIs)
  • Amazon Aurora
  • AWS Backup (logically air-gapped vaults) – Added Aug 2024
  • Amazon Bedrock (custom models) – Added Aug 2024
  • AWS Billing and Cost Management (views, dashboards) – Added Dec 2024/Aug 2025
  • AWS Cloud Map (namespaces) – Added Aug 2025
  • AWS Cloud WAN
  • Amazon CloudFront (VPC Origins) – Added Oct 2025
  • AWS CloudHSM (backups) – Added Jun 2024
  • AWS CodeBuild
  • AWS CodeConnections (code connections) – Added Mar 2025
  • Amazon DataZone
  • Amazon EC2 (Dedicated Hosts, Capacity Reservations, placement groups)
  • EC2 Image Builder
  • Elastic Load Balancing (trust stores) – Added Aug 2024
  • AWS End User Messaging SMS – Added Sept 2024
  • Amazon FSx for OpenZFS (snapshots)
  • AWS Glue
  • AWS License Manager
  • AWS Marketplace Catalog (entities)
  • AWS Migration Hub Refactor Spaces
  • Multi-party Approval (approval teams) – Added Jun 2025
  • AWS Network Firewall (policies, rule groups, firewalls)
  • Oracle Database@AWS (Exadata infrastructure, ODB networks) – Added Jun 2025
  • AWS Outposts
  • AWS Private Certificate Authority (AWS Private CA)
  • AWS Resource Explorer (views)
  • AWS Resource Groups
  • Amazon Route 53 (Resolver rules, query logs, DNS Firewall rule groups, Resolver Profiles)
  • Amazon S3 (Access Grants Instance)
  • Amazon S3 on Outposts
  • Amazon SageMaker AI (pipelines, lineage groups, Feature Store, Model Cards, Model Registry, JumpStart Hubs, Partner Apps, Catalog)
  • AWS Service Catalog AppRegistry
  • AWS Systems Manager (Incident Manager, Parameter Store advanced parameters, deny-access policies)
  • Amazon VPC (subnets, transit gateways, prefix lists, traffic mirroring targets, IPAM pools, IPAM resource discoveries, security groups)
  • Amazon VPC Lattice (services, service networks, resource configurations)
  • AWS Verified Access (groups)

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A company has multiple AWS accounts managed by AWS Organizations. The networking team wants to share a set of VPC subnets with the development team’s accounts to allow them to launch resources in a shared VPC. Which approach requires the LEAST operational overhead?
    1. Create VPC peering connections between each account
    2. Use AWS Resource Access Manager to share the subnets with the development OU
    3. Use resource-based policies on each subnet to grant cross-account access
    4. Create duplicate VPCs in each development account

    Answer: b – RAM allows sharing subnets with an entire OU, eliminating the need to manage individual account IDs or duplicate resources.

  2. An organization is restructuring and moving AWS accounts between different AWS Organizations. They need to ensure shared resources remain accessible during the transition. Which RAM feature should they use?
    1. Customer managed permissions
    2. Service principal sharing
    3. RetainSharingOnAccountLeaveOrganization configuration
    4. Resource-based policies

    Answer: c – The RetainSharingOnAccountLeaveOrganization configuration (Feb 2026) maintains resource sharing continuity when accounts move between organizations.

  3. A security team wants to control exactly which actions a consumer account can perform on shared AWS Network Firewall rule groups. What should they use?
    1. AWS managed permissions in RAM
    2. Customer managed permissions in RAM
    3. IAM resource-based policies
    4. Service Control Policies (SCPs)

    Answer: b – Customer managed permissions in RAM allow fine-grained control over exactly which actions consumers can perform on shared resources.

  4. Which of the following resources can be shared using AWS RAM? (Select THREE)
    1. Amazon VPC security groups
    2. Amazon Bedrock custom models
    3. Amazon DynamoDB tables
    4. AWS CloudHSM backups
    5. Amazon SQS queues

    Answer: a, b, d – VPC security groups (Oct 2024), Bedrock custom models (Aug 2024), and CloudHSM backups (Jun 2024) are all shareable via RAM. DynamoDB tables and SQS queues are not supported.

  5. A company wants to share an Amazon VPC Lattice resource configuration representing an internal RDS database with another AWS account so it can be accessed privately via VPC endpoints. Which service facilitates this sharing?
    1. AWS PrivateLink directly
    2. VPC Peering
    3. AWS Resource Access Manager (RAM)
    4. AWS Transit Gateway

    Answer: c – VPC Lattice resource configurations are shared via AWS RAM. Once shared, the consumer can access the resource privately using VPC endpoints via PrivateLink.

References