Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

7.2.4. Cross-Account Resource Sharing

First Principle: Organizations need to share resources (AMIs, networking, service catalogs) across accounts without exposing them to unauthorized access. Controlled sharing provides the benefits of centralization without the risks of over-exposure.

AWS Resource Access Manager (RAM):
  • Share resources with specific accounts, OUs, or the entire organization
  • Shareable resources: VPC subnets, Transit Gateways, License Manager configurations, Route 53 Resolver rules, and more
  • Sharing is controlled by the resource owner — consumers can use but not modify
  • Integrated with Organizations for automatic trust
AWS Service Catalog:
  • Create catalogs of pre-approved, pre-configured CloudFormation products
  • Distribute across accounts and OUs
  • Enforce security configurations by limiting what users can deploy to catalog products
  • Versioning and constraints ensure compliance as products evolve
Secure Sharing Patterns:

| Resource | Sharing Mechanism | Security Control |
| --- | --- | --- |
| VPC subnets | RAM | Consumers launch instances in shared subnets; networking team controls networking |
| Approved AMIs | RAM, Service Catalog | Only approved, hardened AMIs available |
| CloudFormation templates | Service Catalog | Pre-validated, security-compliant templates only |
| Transit Gateway | RAM | Central networking team manages inter-VPC routing |

⚠️ Exam Trap: RAM shares resources at the infrastructure level. Service Catalog shares deployable products. If a question asks about sharing VPC subnets across accounts, RAM is the answer. If it asks about deploying pre-approved templates, Service Catalog is the answer.

Scenario: A networking team creates a shared VPC with subnets in each AZ, shared via RAM to the Workloads OU. Application teams launch resources in the shared subnets but can't create or modify VPC networking — separation of duties enforced through resource sharing.
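The shared-VPC scenario above, worked through in Python as an added example (this is not MindMesh Academy's code). It builds the `create_resource_share` request that the networking team would send to RAM, pinning `allowExternalPrincipals` to `False` and accepting only subnet ARNs and in-organization principals, and it audits existing shares to detect any that could leak beyond the organization. The organization ID, account IDs, OU ARN, subnet ARNs and share records are constructed sample values; `audit_live` shows how the same check is fed from real `get_resource_shares` / `list_principals` output when boto3 and credentials are present.

```python
"""Build and audit an AWS RAM resource share for a shared VPC (added example)."""
import re
from typing import Dict, Iterable, List

# Identifier shapes accepted in a subnet share: AWS account IDs, OU ARNs, the
# organization ARN, and EC2 subnet ARNs. Group 1 of the OU/org patterns is the org id.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
OU_ARN_RE = re.compile(
    r"^arn:aws:organizations::\d{12}:ou/(o-[a-z0-9]{10,32})/ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$"
)
ORG_ARN_RE = re.compile(r"^arn:aws:organizations::\d{12}:organization/(o-[a-z0-9]{10,32})$")
SUBNET_ARN_RE = re.compile(
    r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:subnet/subnet-[0-9a-f]{8}(?:[0-9a-f]{9})?$"
)


def build_subnet_share(name: str, subnet_arns: Iterable[str], principals: Iterable[str]) -> Dict:
    """Return keyword arguments for boto3 ram.create_resource_share(**kwargs).

    Only subnet ARNs may be shared, principals must be account IDs, OU ARNs or the
    organization ARN, and allowExternalPrincipals is fixed to False so the share can
    never reach an account outside the organization (the separation-of-duties boundary).
    """
    subnet_arns = list(subnet_arns)
    principals = list(principals)
    bad = [a for a in subnet_arns if not SUBNET_ARN_RE.match(a)]
    if bad:
        raise ValueError(f"not subnet ARNs: {bad}")
    bad = [p for p in principals
           if not (ACCOUNT_ID_RE.match(p) or OU_ARN_RE.match(p) or ORG_ARN_RE.match(p))]
    if bad:
        raise ValueError(f"unsupported principals: {bad}")
    return {
        "name": name,
        "resourceArns": subnet_arns,
        "principals": principals,
        "allowExternalPrincipals": False,  # never sharing outside the organization
        "tags": [{"key": "Owner", "value": "networking"}],
    }


def audit_resource_shares(shares, principals_by_share, org_account_ids, org_id) -> List[str]:
    """Flag shares that allow external principals or name principals outside the org.

    `shares` is shaped like the resourceShares list from ram.get_resource_shares();
    `principals_by_share` maps a share ARN to the principal ids from ram.list_principals().
    """
    findings = []
    for share in shares:
        name = share["name"]
        if share.get("allowExternalPrincipals"):
            findings.append(f"{name}: allowExternalPrincipals is enabled")
        for pid in principals_by_share.get(share["resourceShareArn"], []):
            if ACCOUNT_ID_RE.match(pid):
                if pid not in org_account_ids:
                    findings.append(f"{name}: principal {pid} is not an account in the organization")
            else:
                m = OU_ARN_RE.match(pid) or ORG_ARN_RE.match(pid)
                if not m or m.group(1) != org_id:
                    findings.append(f"{name}: principal {pid} belongs to a different organization")
    return findings


def audit_live(ram, org_account_ids, org_id) -> List[str]:
    """Run the audit against a real boto3 RAM client (pagination omitted for brevity)."""
    shares = ram.get_resource_shares(resourceOwner="SELF")["resourceShares"]
    principals_by_share = {}
    for share in shares:
        arn = share["resourceShareArn"]
        resp = ram.list_principals(resourceOwner="SELF", resourceShareArns=[arn])
        principals_by_share[arn] = [p["id"] for p in resp["principals"]]
    return audit_resource_shares(shares, principals_by_share, org_account_ids, org_id)


# Constructed sample values (not real AWS identifiers).
ORG_ID = "o-a1b2c3d4e5"
MGMT_ACCOUNT = "111111111111"
ORG_ACCOUNT_IDS = {"111111111111", "222222222222", "333333333333"}
WORKLOADS_OU_ARN = f"arn:aws:organizations::{MGMT_ACCOUNT}:ou/{ORG_ID}/ou-abcd-12345678"
SAMPLE_SUBNET_ARNS = [
    f"arn:aws:ec2:us-east-1:{MGMT_ACCOUNT}:subnet/subnet-0a1b2c3d4e5f67890",
    f"arn:aws:ec2:us-east-1:{MGMT_ACCOUNT}:subnet/subnet-0f9e8d7c6b5a43210",
]
SHARE_OK = f"arn:aws:ram:us-east-1:{MGMT_ACCOUNT}:resource-share/11111111-1111-1111-1111-111111111111"
SHARE_BAD = f"arn:aws:ram:us-east-1:{MGMT_ACCOUNT}:resource-share/22222222-2222-2222-2222-222222222222"
SAMPLE_SHARES = [
    {"resourceShareArn": SHARE_OK, "name": "shared-vpc-subnets", "owningAccountId": MGMT_ACCOUNT,
     "allowExternalPrincipals": False, "status": "ACTIVE"},
    {"resourceShareArn": SHARE_BAD, "name": "legacy-subnet-share", "owningAccountId": MGMT_ACCOUNT,
     "allowExternalPrincipals": True, "status": "ACTIVE"},
]
SAMPLE_PRINCIPALS = {SHARE_OK: [WORKLOADS_OU_ARN], SHARE_BAD: ["444444444444"]}


def run_sample_audit() -> List[str]:
    """Audit the constructed sample shares; the legacy share should produce two findings."""
    return audit_resource_shares(SAMPLE_SHARES, SAMPLE_PRINCIPALS, ORG_ACCOUNT_IDS, ORG_ID)


if __name__ == "__main__":
    print(build_subnet_share("shared-vpc-subnets", SAMPLE_SUBNET_ARNS, [WORKLOADS_OU_ARN]))
    for finding in run_sample_audit():
        print("FINDING:", finding)
```

The request builder is where the "consumers can use but not modify" property is established: the networking account owns the share, the application accounts in the Workloads OU only receive it, and the pinned `allowExternalPrincipals=False` keeps the share inside the organization. The audit catches the two ways that boundary erodes in practice, a share created with external principals allowed, or a principal added that is not part of the organization.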

Reflection Question: How does RAM-based resource sharing enforce separation of duties between networking and application teams?

Written by Alvin Varughese, Founder, 15 professional certifications