AWS Resource Access Manager – RAM

AWS Resource Access Manager – RAM helps secure sharing of the AWS resources created in one AWS account with other AWS accounts.
Using RAM, with multiple AWS accounts, a resource can be created once and made usable by those other accounts.
For an account managed by AWS Organizations, resources can be shared with all the other accounts in the organization or only those accounts contained by one or more specified organizational units (OUs).
Resources can also be shared with specific AWS accounts by account ID, regardless of whether the account is part of an organization.
RAM supports sharing resources with IAM roles and users in addition to accounts and organizations.
RAM supports AWS PrivateLink, allowing you to connect directly to RAM using an interface VPC endpoint for secure private access without traversing the public internet.

RAM Benefits

Reduces operational overhead
- Create a resource once, and then use AWS RAM to share that resource with other accounts. This eliminates the need to provision duplicate resources in every account, which reduces operational overhead.
Provides security and consistency
- Simplify security management for the shared resources by using a single set of policies and permissions.
- Supports both AWS managed permissions and customer managed permissions for fine-grained access control over shared resources.
Provides visibility and auditability
- AWS RAM provides comprehensive visibility into shared resources and accounts through the integration with CloudWatch and CloudTrail.

RAM Key Features

Customer Managed Permissions
- In addition to AWS managed permissions, RAM supports customer managed permissions that allow you to author and maintain fine-grained resource access controls for supported resource types.
- Customer managed permissions let you define exactly which actions a consumer can perform on shared resources.
- You can create, view, and manage permission versions through the RAM console or APIs.
RetainSharingOnAccountLeaveOrganization (Feb 2026)
- New resource share configuration that maintains resource sharing continuity when accounts move between AWS Organizations.
- When enabled, RAM treats organization accounts as external accounts, requiring explicit invitation acceptance and preserving resource access during account transitions.
- Useful for organizations undergoing mergers, acquisitions, or restructuring to maintain uninterrupted access to shared resources.
- Security teams can use SCPs to enforce this configuration organization-wide.
Service Principal Sharing
- You can associate service principals to resource shares, allowing specified AWS services to manage necessary actions for customer resources on your behalf.
AWS PrivateLink Support (Sept 2024)
- RAM supports interface VPC endpoints via AWS PrivateLink, enabling private connectivity to RAM APIs without traversing the public internet.

RAM vs Resource-based Policies

Resources can be shared with an Organization or OU without having to enumerate every one of the AWS account IDs.
Users can see the resources shared with them directly in the originating AWS service console and API operations as if those resources were directly in the user’s account.
Owners of a resource can see which principals have access to each individual resource that they have shared.
RAM initiates an invitation process for resources shared with an account that isn’t part of the organization. Sharing within an organization doesn’t require an invitation and is auto-accepted.
RAM supports customer managed permissions for fine-grained access, while resource-based policies are defined per resource at the service level.

RAM Supported Resources

Amazon API Gateway (domain names) – Added Nov 2024
Amazon Application Recovery Controller (ARC) (clusters, plans)
~~AWS App Mesh~~ – Deprecated: EOL Sept 30, 2026. Migrate to Amazon VPC Lattice or ECS Service Connect.
AWS AppSync (GraphQL APIs)
Amazon Aurora
AWS Backup (logically air-gapped vaults) – Added Aug 2024
Amazon Bedrock (custom models) – Added Aug 2024
AWS Billing and Cost Management (views, dashboards) – Added Dec 2024/Aug 2025
AWS Cloud Map (namespaces) – Added Aug 2025
AWS Cloud WAN
Amazon CloudFront (VPC Origins) – Added Oct 2025
AWS CloudHSM (backups) – Added Jun 2024
AWS CodeBuild
AWS CodeConnections (code connections) – Added Mar 2025
Amazon DataZone
Amazon EC2 (Dedicated Hosts, Capacity Reservations, placement groups)
EC2 Image Builder
Elastic Load Balancing (trust stores) – Added Aug 2024
AWS End User Messaging SMS – Added Sept 2024
Amazon FSx for OpenZFS (snapshots)
AWS Glue
AWS License Manager
AWS Marketplace Catalog (entities)
AWS Migration Hub Refactor Spaces
Multi-party Approval (approval teams) – Added Jun 2025
AWS Network Firewall (policies, rule groups, firewalls)
Oracle Database@AWS (Exadata infrastructure, ODB networks) – Added Jun 2025
AWS Outposts
AWS Private Certificate Authority (AWS Private CA)
AWS Resource Explorer (views)
AWS Resource Groups
Amazon Route 53 (Resolver rules, query logs, DNS Firewall rule groups, Resolver Profiles)
Amazon S3 (Access Grants Instance)
Amazon S3 on Outposts
Amazon SageMaker AI (pipelines, lineage groups, Feature Store, Model Cards, Model Registry, JumpStart Hubs, Partner Apps, Catalog)
AWS Service Catalog AppRegistry
AWS Systems Manager (Incident Manager, Parameter Store advanced parameters, deny-access policies)
Amazon VPC (subnets, transit gateways, prefix lists, traffic mirroring targets, IPAM pools, IPAM resource discoveries, security groups)
Amazon VPC Lattice (services, service networks, resource configurations)
AWS Verified Access (groups)

AWS Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

A company has multiple AWS accounts managed by AWS Organizations. The networking team wants to share a set of VPC subnets with the development team’s accounts to allow them to launch resources in a shared VPC. Which approach requires the LEAST operational overhead?
1. Create VPC peering connections between each account
2. Use AWS Resource Access Manager to share the subnets with the development OU
3. Use resource-based policies on each subnet to grant cross-account access
4. Create duplicate VPCs in each development account
Answer: b – RAM allows sharing subnets with an entire OU, eliminating the need to manage individual account IDs or duplicate resources.
An organization is restructuring and moving AWS accounts between different AWS Organizations. They need to ensure shared resources remain accessible during the transition. Which RAM feature should they use?
1. Customer managed permissions
2. Service principal sharing
3. RetainSharingOnAccountLeaveOrganization configuration
4. Resource-based policies
Answer: c – The RetainSharingOnAccountLeaveOrganization configuration (Feb 2026) maintains resource sharing continuity when accounts move between organizations.
A security team wants to control exactly which actions a consumer account can perform on shared AWS Network Firewall rule groups. What should they use?
1. AWS managed permissions in RAM
2. Customer managed permissions in RAM
3. IAM resource-based policies
4. Service Control Policies (SCPs)
Answer: b – Customer managed permissions in RAM allow fine-grained control over exactly which actions consumers can perform on shared resources.
Which of the following resources can be shared using AWS RAM? (Select THREE)
1. Amazon VPC security groups
2. Amazon Bedrock custom models
3. Amazon DynamoDB tables
4. AWS CloudHSM backups
5. Amazon SQS queues
Answer: a, b, d – VPC security groups (Oct 2024), Bedrock custom models (Aug 2024), and CloudHSM backups (Jun 2024) are all shareable via RAM. DynamoDB tables and SQS queues are not supported.
A company wants to share an Amazon VPC Lattice resource configuration representing an internal RDS database with another AWS account so it can be accessed privately via VPC endpoints. Which service facilitates this sharing?
1. AWS PrivateLink directly
2. VPC Peering
3. AWS Resource Access Manager (RAM)
4. AWS Transit Gateway
Answer: c – VPC Lattice resource configurations are shared via AWS RAM. Once shared, the consumer can access the resource privately using VPC endpoints via PrivateLink.

References

AWS Identity Services Cheat Sheet

AWS Identity and Security Services

IAM – Identity & Access Management

securely control access to AWS services and resources
helps create and manage user identities and grant permissions for those users to access AWS resources
helps create groups for multiple users with similar permissions
not appropriate for application authentication
is Global and does not need to be migrated to a different region
helps define Policies,
- in JSON format
- all permissions are implicitly denied by default
- most restrictive policy wins
IAM Role
- helps grants and delegate access to users and services without the need of creating permanent credentials
- IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls
- needs Trust policy to define who and Permission policy to define what the user or service can access
- used with Security Token Service (STS), a lightweight web service that provides temporary, limited privilege credentials for IAM users or for authenticated federated users
- IAM role scenarios
  - Service access for e.g. EC2 to access S3 or DynamoDB
  - Cross Account access for users
    - with user within the same account
    - with user within an AWS account owned the same owner
    - with user from a Third Party AWS account with External ID for enhanced security
  - Identity Providers & Federation
    - AssumeRoleWithWebIdentity – Web Identity Federation, where the user can be authenticated using external authentication Identity providers like Amazon, Google or any OpenId IdP
    - AssumeRoleWithSAML – Identity Provider using SAML 2.0, where the user can be authenticated using on premises Active Directory, Open Ldap or any SAML 2.0 compliant IdP
    - AssumeRole (recommended) or GetFederationToken – For other Identity Providers, use Identity Broker to authenticate and provide temporary Credentials
IAM MFA (Multi-Factor Authentication)
- AWS supports FIDO2 passkeys, virtual MFA devices (authenticator apps), and hardware MFA tokens
- SMS MFA has been discontinued – use FIDO2 passkeys or virtual/hardware MFA devices instead
- AWS enforces MFA for root users across all account types (rolled out 2024-2025)
- FIDO2 passkeys use public key cryptography for phishing-resistant authentication
- Up to 8 MFA devices can be registered per IAM user
IAM Best Practices
- Do not use Root account for anything other than billing
- Create Individual IAM users
- Use groups to assign permissions to IAM users
- Grant least privilege
- Use IAM roles for applications on EC2
- Delegate using roles instead of sharing credentials
- Rotate credentials regularly
- Use Policy conditions for increased granularity
- Use CloudTrail to keep a history of activity
- Enforce a strong IAM password policy for IAM users
- Remove all unused users and credentials
- Enable MFA for all users, especially root accounts – use FIDO2 passkeys for strongest protection
- Use IAM Access Analyzer to identify unused access and overly permissive policies
Increased IAM Quotas (May 2026)
- Roles per account: up to 10,000
- Managed policies per account: up to 10,000
- Role trust policy size: up to 8,192 characters

IAM Roles Anywhere

enables workloads running outside of AWS (on-premises, hybrid, multi-cloud) to access AWS resources using temporary credentials
eliminates the need for long-term AWS access keys for external workloads
uses X.509 certificates from your Certificate Authority (CA) for authentication
integrates with existing enterprise PKI infrastructure
key components:
- Trust Anchor – establishes trust between IAM Roles Anywhere and your CA
- Profile – specifies the IAM roles and session policies
- Credential Helper – tool that runs on the workload to obtain temporary credentials
supports workloads on-premises, in containers, or in other cloud providers
uses the same IAM policies and roles as AWS workloads for consistent access control

IAM Access Analyzer

helps identify resources shared with external entities and validate IAM policies
provides External Access Analysis – identifies resources accessible from outside your account or organization
provides Unused Access Analysis – continuously monitors for:
- Unused IAM roles
- Unused access keys for IAM users
- Unused passwords for IAM users
- Unused services and actions for active roles/users
supports Custom Policy Checks – validates policies before deployment against best practices
generates policy recommendations based on access activity (least privilege)
integrates with AWS Security Hub for centralized findings
zone of trust can be set at account or organization level

AWS Organizations

is an account management service that enables consolidating multiple AWS accounts into an organization that can be centrally managed.
include consolidated billing and account management capabilities that enable one to better meet the budgetary, security, and compliance needs of your business.
As an administrator of an organization, new accounts can be created in an organization and invite existing accounts to join the organization.
enables you to
- Automate AWS account creation and management, and provision resources with AWS CloudFormation Stacksets.
- Maintain a secure environment with policies and management of AWS security services
- Govern access to AWS services, resources, and regions
- Centrally manage policies across multiple AWS accounts
- Audit your environment for compliance
- View and manage costs with consolidated billing
- Configure AWS services across multiple accounts
supports Service Control Policies – SCPs
- offer central control over the maximum available permissions for all of the accounts in your organization, ensuring member accounts stay within the organization’s access control guidelines.
- are available only in an organization that has all features enabled, and aren’t available if the organization has enabled only the consolidated billing features.
- are NOT sufficient for granting access to the accounts in the organization.
- defines a guardrail for what actions accounts within the organization root or OU can do, but IAM policies need to be attached to the users and roles in the organization’s accounts to grant permissions to them.
- Effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by the IAM and resource-based policies.
- with an SCP attached to member accounts, identity-based and resource-based policies grant permissions to entities only if those policies and the SCP allow the action
- don’t affect users or roles in the management account. They affect only the member accounts in your organization.
supports Resource Control Policies (RCPs) – launched Nov 2024
- a new authorization policy type that sets the maximum available permissions on resources within the organization
- complement SCPs – SCPs control what principals can do, RCPs control what can be done on resources
- help centrally restrict external access to AWS resources at scale (establish data perimeters)
- don’t affect resources in the management account – only affect resources in member accounts
- work alongside SCPs to provide comprehensive authorization guardrails
- supported by AWS Control Tower for managed preventive controls
supports Declarative Policies – launched Dec 2024 at re:Invent
- a new management policy type that declares and enforces desired configuration for AWS services at scale
- different from SCPs/RCPs – declarative policies enforce service configurations, not just permissions
- configuration is always maintained even when the service adds new features or APIs
- simplifies governance by defining durable intent for baseline service configurations

AWS Directory Services

gives applications in AWS access to Active Directory services
different from SAML + AD, where the access is granted to AWS services through Temporary Credentials
AWS Managed Microsoft AD
- fully managed Microsoft Active Directory powered by Windows Server
- available in Standard and Enterprise editions
- supports self-service API-driven edition upgrades (Standard to Enterprise) – Oct 2025
- supports dual-stack networking (IPv4 and IPv6) – Sep 2025
- includes Directory Service Data API for built-in object management (users, groups, attributes) – Sep 2024
- Hybrid Edition (Aug 2025) – extends your existing self-managed AD domain to AWS Managed Microsoft AD
  - automatically handles replication between on-premises AD and AWS
  - preserves existing identity and access infrastructure
  - simplifies migration of AD-dependent workloads to AWS
  - supports extending domains from on-premises, AWS, or multi-cloud
Simple AD
- least expensive but does not support Microsoft AD advanced features
- provides a Samba 4 Microsoft Active Directory compatible standalone directory service on AWS
- No single point of Authentication or Authorization, as a separate copy is maintained
- trust relationships cannot be setup between Simple AD and other Active Directory domains
- Don’t use it, if the requirement is to leverage access and control through centralized authentication service
AD Connector
- acts just as an hosted proxy service for instances in AWS to connect to on-premises Active Directory
- enables consistent enforcement of existing security policies, such as password expiration, password history, and account lockouts, whether users are accessing resources on-premises or in the AWS cloud
- needs VPN connectivity (or Direct Connect)
- integrates with existing RADIUS-based MFA solutions to enabled multi-factor authentication
- does not cache data which might lead to latency
Read-only Domain Controllers (RODCs)
- works out as a Read-only Active Directory
- holds a copy of the Active Directory Domain Service (AD DS) database and respond to authentication requests
- they cannot be written to and are typically deployed in locations where physical security cannot be guaranteed
- helps maintain a single point to authentication & authorization controls, however needs to be synced
Writable Domain Controllers
- are expensive to setup
- operate in a multi-master model; changes can be made on any writable server in the forest, and those changes are replicated to servers throughout the entire forest

AWS IAM Identity Center (formerly AWS Single Sign-On)

is the recommended service for managing workforce access to AWS accounts and applications (formerly known as AWS SSO, renamed July 2022)
provides centralized SSO access to all AWS accounts and cloud applications
helps manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS-integrated applications as well as custom applications that support SAML 2.0.
includes a user portal where end-users can find and access all their assigned AWS accounts, cloud applications, and custom applications in one place.
supports connecting external identity providers (Okta, Microsoft Entra ID, Ping Identity) or using built-in directory
Trusted Identity Propagation
- enables administrators to grant permissions based on user attributes (user ID, group associations) across AWS service boundaries
- eliminates the need for service-specific identity mapping
- supports services like Amazon Redshift, Amazon Q Business, Amazon EMR, and more
Multi-Region Replication (Feb 2026)
- replicate identity configurations across multiple AWS Regions
- provides active access portal endpoints in multiple Regions for improved availability
- available for organization instances connected to external identity providers
- currently available in 17 enabled-by-default commercial AWS Regions
supports customer managed policies and permission boundaries in permission sets

Amazon Cognito

Amazon Cognito provides authentication, authorization, and user management for the web and mobile apps.
Users can sign in directly with a username and password, or through a third party such as Facebook, Amazon, Google, or Apple.
Cognito has two main components.
- User pools are user directories that provide sign-up and sign-in options for the app users.
- Identity pools enable you to grant the users access to other AWS services.
Feature Tiers (Nov 2024) – User pools now offer three tiers:
- Lite – basic authentication features (existing user pools default to this)
- Essentials – includes Managed Login, passwordless authentication (passkeys, email, SMS), access token customization, password reuse prevention (new user pools default to this)
- Plus – adds advanced security features including adaptive authentication, threat protection, and compromised credentials detection
Managed Login (Nov 2024) – fully managed, hosted sign-in/sign-up experience with rich branding customization
Passwordless Authentication (Nov 2024)
- supports passkeys (FIDO standards, public key cryptography) for phishing-resistant sign-in
- supports email and SMS one-time passwords
- available in the Essentials tier
Refresh Token Rotation (Apr 2025) – enables automatic rotation of OAuth 2.0 refresh tokens for improved security
Client Secret Management (Feb 2026) – custom client secrets, on-demand rotation, up to two active secrets per app client
Multi-Region Replication (2026) – replicate user pools across Regions for business continuity and reduced latency
Customer-Managed Keys – full control over data encryption at rest using your own KMS keys
Cognito Sync – Note: AWS recommends using AWS AppSync instead of Cognito Sync for new implementations. AppSync provides similar data synchronization with additional real-time and offline capabilities.

Amazon Verified Permissions

a fully managed, fine-grained authorization service for applications (GA 2023)
uses Cedar, an open-source policy language purpose-built for authorization
externalizes authorization logic from application code for consistent access control
supports both Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC)
key components:
- Policy Store – container for Cedar policies, logically isolated from other stores
- Policies and Templates – define who can do what on which resources
- Schema – defines entity types, actions, and their relationships
- Authorization Requests – real-time evaluation of user access against policies
integrates natively with Amazon Cognito for identity context
aligns with Zero Trust principles – least privilege and continuous verification
supports multi-tenant authorization with multiple identity providers
enables security teams to audit and analyze application-level access centrally