4.1.6. Multi-Account Resource Sharing: RAM and StackSets
💡 First Principle: In a multi-account AWS organization, some resources need to be shared across accounts without being duplicated. Creating a VPC in every account is wasteful and complex to manage. AWS RAM lets you create a resource once and share it, giving other accounts the ability to use it as if it were their own, without transferring ownership.
AWS Resource Access Manager (RAM):
RAM enables sharing of resources across AWS accounts within an organization or with specific account IDs. Supported resources include:
| Resource Type | Sharing Use Case |
|---|---|
| VPC Subnets | Shared networking: accounts deploy into a centrally managed VPC |
| Transit Gateway | Shared network hub: spoke accounts attach without creating their own |
| Route 53 Resolver Rules | Consistent DNS resolution across accounts |
| License Manager configurations | Shared software licenses |
| EC2 Capacity Reservations | Reserved capacity shared across accounts |
| AMIs | Golden images shared with member accounts |
Shared VPC (most commonly tested): The networking account creates a VPC and subnets, then uses RAM to share the subnets with application accounts. Application accounts can deploy EC2 instances and other resources into those subnets without managing VPC infrastructure themselves. This centralizes network management and security while allowing account-level resource isolation.
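The shared-VPC pattern above, expressed as the AWS CLI calls the networking account would make. This is an added example, not code from the original guide; every account, organization, OU and subnet ID in it is a constructed placeholder, and by default it only prints the commands (set DRY_RUN=0 to execute them). The share is created with `--no-allow-external-principals` so that it can only ever resolve to principals inside the organization, and the audit function lets the owner confirm what is shared and with whom.

```shell
#!/bin/sh
# Added example (not part of the original guide): share subnets owned by a
# central networking account with an application OU through AWS RAM.
# All IDs are constructed placeholders. Dry-run by default: the aws
# commands are printed, not executed. Run for real with DRY_RUN=0.
set -eu
if [ "${DRY_RUN:-1}" = "1" ]; then AWS="echo aws"; else AWS="aws"; fi

NETWORK_ACCOUNT_ID="111111111111"   # placeholder: account that owns the VPC
MGMT_ACCOUNT_ID="999999999999"      # placeholder: Organizations management account
ORG_ID="o-exampleorg1"              # placeholder: organization ID
APP_OU_ID="ou-exam-appsou123"       # placeholder: OU that receives the share
REGION="us-east-1"

# One-time step in the management account: lets RAM accept org/OU principals.
enable_org_sharing() {
  $AWS ram enable-sharing-with-aws-organization
}

# RAM takes resource ARNs, not bare subnet IDs.
subnet_arn() {
  echo "arn:aws:ec2:${REGION}:${NETWORK_ACCOUNT_ID}:subnet/$1"
}

# Create the share. --no-allow-external-principals confines it to the
# organization, so a mistyped principal cannot hand the subnets to a
# foreign account. Usage: share_subnets <share-name> <subnet-id>...
share_subnets() {
  name="$1"; shift
  arns=""
  for s in "$@"; do arns="$arns $(subnet_arn "$s")"; done
  # $arns is deliberately unquoted so each ARN becomes its own argument.
  $AWS ram create-resource-share \
    --region "$REGION" \
    --name "$name" \
    --resource-arns $arns \
    --principals "arn:aws:organizations::${MGMT_ACCOUNT_ID}:ou/${ORG_ID}/${APP_OU_ID}" \
    --no-allow-external-principals
}

# Owner-side audit: every share this account owns, its status, and whether
# it is open to principals outside the organization.
audit_shares() {
  $AWS ram get-resource-shares \
    --region "$REGION" \
    --resource-owner SELF \
    --query 'resourceShares[].{name:name,status:status,external:allowExternalPrincipals}'
}

enable_org_sharing
share_subnets "shared-app-subnets" subnet-0aaa1111 subnet-0bbb2222
audit_shares
```

Participant accounts see the subnets in their own EC2 console and can launch instances into them; they cannot change the subnet's route table or delete it, and the networking account can revoke the share at any time with `aws ram delete-resource-share`.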
CloudFormation StackSets solve a different problem: deploying the same CloudFormation template consistently across many accounts and regions.
StackSets Operation Modes:
| Mode | How Permissions Work |
|---|---|
| Self-managed | You manually create IAM roles in each target account |
| Service-managed | StackSets uses AWS Organizations to manage IAM roles automatically; can auto-deploy to new accounts |
Service-managed StackSets with automatic deployment is the key exam pattern: new accounts added to a targeted OU automatically get the StackSet deployed. This ensures guardrails (logging, Config, security baselines) are always in place from the moment an account is created.
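The service-managed, auto-deploying StackSet described above, as an added example written for this section rather than code from the original guide. It assumes a baseline template at `baseline.yaml` (not supplied here) and uses constructed placeholder OU IDs; by default it prints the commands instead of running them (DRY_RUN=0 executes). The two flags that matter for the exam pattern are `--permission-model SERVICE_MANAGED` and `--auto-deployment Enabled=true`.

```shell
#!/bin/sh
# Added example (not part of the original guide): a SERVICE_MANAGED StackSet
# with automatic deployment so every account in the Production OU, present
# or future, receives the same security baseline. IDs are placeholders.
# Dry-run by default (commands are printed). Run for real with DRY_RUN=0.
set -eu
if [ "${DRY_RUN:-1}" = "1" ]; then AWS="echo aws"; else AWS="aws"; fi

STACKSET_NAME="security-baseline"
TEMPLATE="file://baseline.yaml"    # placeholder: logging/Config/guardrail template
PROD_OU_ID="ou-exam-prod12345"     # placeholder: Production OU
REGIONS="us-east-1 eu-west-1"      # regions the baseline must exist in

# Service-managed permissions: no per-account execution role to create;
# Organizations provisions it. Auto-deployment enrols new OU members.
# RetainStacksOnAccountRemoval=false removes the baseline if an account
# leaves the OU; set true if you need the resources to outlive membership.
# Add --call-as DELEGATED_ADMIN when running from a delegated admin account.
create_baseline_stackset() {
  $AWS cloudformation create-stack-set \
    --stack-set-name "$STACKSET_NAME" \
    --template-body "$TEMPLATE" \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \
    --capabilities CAPABILITY_NAMED_IAM
}

# Deploy to the accounts already in the OU. Targets are OUs, never account
# lists, so new members are covered automatically. Roll out one account
# at a time and stop on the first failure so a bad template cannot spread.
deploy_to_prod_ou() {
  $AWS cloudformation create-stack-instances \
    --stack-set-name "$STACKSET_NAME" \
    --deployment-targets OrganizationalUnitIds="$PROD_OU_ID" \
    --regions $REGIONS \
    --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1
}

# Coverage check: one row per account/region with its instance status,
# which is what you review after an account is added to the OU.
list_instances() {
  $AWS cloudformation list-stack-instances \
    --stack-set-name "$STACKSET_NAME" \
    --query 'Summaries[].{account:Account,region:Region,status:Status}'
}

create_baseline_stackset
deploy_to_prod_ou
list_instances
```

The important detail is that `create-stack-instances` targets the OU rather than a list of account IDs; combined with `Enabled=true` on auto-deployment, that is what makes a newly created Production account receive the baseline without anyone running a command.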
⚠️ Exam Trap: RAM shares resources; it does not transfer ownership. The owner account retains full control and can revoke sharing at any time. Participant accounts can use the shared resource but cannot modify or delete it. If a question asks "how do you allow account B to use account A's subnet without creating a new VPC," the answer is RAM, not VPC peering, which creates a routing relationship between two separate VPCs.
Reflection Question: A company has 50 AWS accounts in an organization. They need a CloudWatch log archive configuration deployed to every account in the Production OU, and any new account added to Production should automatically receive this configuration. What CloudFormation feature achieves this, and what permission mode do you choose?