7.2.4. Cross-Account Resource Sharing

First Principle: Organizations need to share resources (AMIs, networking, service catalogs) across accounts without exposing them to unauthorized access. Controlled sharing provides the benefits of centralization without the risks of over-exposure.

AWS Resource Access Manager (RAM):

• Share resources with specific accounts, OUs, or the entire organization
• Shareable resources: VPC subnets, Transit Gateways, License Manager configurations, Route 53 Resolver rules, and more
• Sharing is controlled by the resource owner — consumers can use but not modify
• Integrated with Organizations for automatic trust

AWS Service Catalog:

• Create catalogs of pre-approved, pre-configured CloudFormation products
• Distribute across accounts and OUs
• Enforce security configurations by limiting what users can deploy to catalog products
• Versioning and constraints ensure compliance as products evolve

Secure Sharing Patterns:

⚠️ Exam Trap: RAM shares resources at the infrastructure level. Service Catalog shares deployable products. If a question asks about sharing VPC subnets across accounts, RAM is the answer. If it asks about deploying pre-approved templates, Service Catalog is the answer.

Scenario: A networking team creates a shared VPC with subnets in each AZ, shared via RAM to the Workloads OU. Application teams launch resources in the shared subnets but can't create or modify VPC networking — separation of duties enforced through resource sharing.

Reflection Question: How does RAM-based resource sharing enforce separation of duties between networking and application teams?