This chapter covers AWS Resource Access Manager (RAM), a service that enables you to share AWS resources across accounts within your organization or with external accounts. For the SOA-C02 exam, RAM is a key topic under Security and Compliance (Objective 4.1), typically appearing in 2-3% of questions. Understanding RAM's sharing mechanisms, supported resource types, and integration with AWS Organizations is crucial for scenarios involving multi-account architectures, centralized resource management, and cross-account networking.
Jump to a section
Imagine a large city library system with multiple branch libraries. Each branch has its own collection of books (resources) that are managed independently. However, sometimes a patron at one branch needs a book that is only available at another branch. Instead of buying a duplicate copy for every branch, the libraries use an inter-library loan system. The central catalog (AWS RAM) allows a branch (account) to share a specific book (resource) with another branch (account) without physically moving the book. The borrowing branch can lend the book to its patrons (principals in the account) as if it were its own, but the ownership remains with the lending branch. The central catalog keeps track of who has borrowed which book and enforces that the lending branch can revoke the loan at any time. Importantly, the borrowing branch cannot modify the book (only the owner can), and if the lending branch updates the book (e.g., a new edition), the borrowing branch sees the update automatically. This system prevents duplication, centralizes management, and enables controlled sharing across branches without compromising ownership or security.
What is AWS RAM and Why It Exists
AWS Resource Access Manager (RAM) is a service that allows you to share AWS resources that you own with other AWS accounts. Rather than duplicating resources or complex IAM cross-account roles, RAM provides a native, auditable, and secure way to share resources such as subnets, Transit Gateways, Route53 Resolver rules, License Manager configurations, and more. The primary driver is cost optimization and centralised management: you can create a shared VPC subnet once and allow multiple accounts to launch EC2 instances into it, eliminating the need for VPC peering or Transit Gateway attachments for simple scenarios.
How RAM Works Internally
RAM operates on a resource-sharing model. You create a resource share – a container that specifies which resources to share and which principals (AWS accounts, organizational units, or the entire organization) can access them. When you share a resource, RAM grants the principal access to that resource's ARN and permissions to use it according to the resource's own IAM policy. The resource owner retains full ownership and control; the consumer account can only use the resource as permitted by the resource type's sharing rules.
For example, if you share a subnet, the consumer account can see the subnet in its AWS console and launch EC2 instances into it, but cannot delete or modify the subnet. The owner manages any updates (e.g., changing route tables) and those changes are immediately visible to consumers.
RAM integrates with AWS Organizations. If you enable sharing with AWS Organizations in RAM, you can share resources with all accounts in your organization or specific OUs without needing to add each account ARN individually. This simplifies management and scales to hundreds of accounts.
Key Components and Defaults
Resource Share: The container. It has a name, a list of resources (by ARN), and a list of principals (account IDs, OU IDs, or organization ID).
Principals: Can be individual AWS account IDs, organizational unit (OU) IDs, or the entire organization ID. You cannot share with IAM roles/users directly; only with accounts.
Managed Permissions: RAM uses the resource's existing IAM permissions. For example, sharing a subnet does not require additional permissions beyond the standard EC2 actions. However, some resource types have specific RAM permissions that can be associated with the resource share (e.g., for License Manager configurations).
Association: Once created, RAM creates associations between the resource share and each principal. These associations are what grant access.
Tags: You can tag resource shares for cost allocation and management.
Supported Resource Types
As of the SOA-C02 exam, the following resource types are commonly tested:
Amazon VPC Subnets: Allows consumer accounts to launch EC2 instances, RDS databases, and other resources into shared subnets. The owner manages the VPC, subnets, route tables, and security groups.
AWS Transit Gateway: Share a Transit Gateway with multiple accounts so they can attach their VPCs without needing individual Transit Gateway instances.
Route53 Resolver Rules: Share outbound or inbound resolver rules across accounts for centralized DNS resolution.
License Manager Configurations: Share license configurations to enforce licensing across accounts.
Dedicated Hosts: Share Dedicated Hosts so multiple accounts can launch instances on the same physical host.
Amazon EC2 Image Builder: Share image recipes and components.
AWS Network Firewall: Share firewall policies.
Amazon SageMaker: Share SageMaker notebook instances and model packages.
Note that you cannot share IAM roles, S3 buckets, or EC2 instances directly via RAM – those use different mechanisms.
Configuration and Verification
To create a resource share via AWS CLI:
aws ram create-resource-share \
--name MySharedSubnet \
--resource-arns arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0bb1c79de3EXAMPLE \
--principals 111111111111To list resource shares:
aws ram get-resource-shares \
--resource-owner SELF \
--region us-east-1To see associations:
aws ram get-resource-share-associations \
--association-type RESOURCE \
--resource-share-arn arn:aws:ram:us-east-1:123456789012:resource-share/xxxxxxxxInteraction with Related Technologies
AWS Organizations: When enabled, RAM can share with the entire organization or specific OUs. New accounts added to an OU automatically gain access to resources shared with that OU.
IAM: The consumer account's IAM policies still apply. Even if a subnet is shared, a user in the consumer account must have ec2:RunInstances permission to launch an instance into that subnet.
VPC Peering / Transit Gateway: Shared subnets eliminate the need for VPC peering for simple resource sharing. However, if you need full connectivity between VPCs, Transit Gateway or VPC peering is still required.
AWS Service Catalog: You can share Service Catalog portfolios via RAM to standardize deployments across accounts.
Security and Auditing
RAM uses AWS CloudTrail to log all API calls. You can audit who shared what resource with whom. The resource owner can revoke sharing at any time by deleting the resource share or removing the principal. When revoked, the consumer account loses access immediately; any existing resources (e.g., EC2 instances) in a shared subnet are not terminated but the consumer cannot launch new ones.
Limits
Maximum number of resource shares per account: 1,000 (default).
Maximum number of resources per resource share: 1,000.
Maximum number of principals per resource share: 1,000.
These limits can be increased via service quotas.
Common Scenarios on the Exam
Shared VPC: One account owns the VPC and subnets; other accounts launch workloads into those subnets. This is common in large enterprises to centralize network management.
Centralized Transit Gateway: One account owns the Transit Gateway and shares it with all other accounts, avoiding the need to create and manage multiple Transit Gateways.
License Management: Share license configurations to ensure compliance across accounts.
Trap: Cross-Account vs RAM
Many candidates confuse RAM with cross-account IAM roles. RAM shares the resource itself, not access through a role. With RAM, the consumer account directly accesses the resource; with IAM roles, you assume a role in the owner account to access resources. RAM is simpler for resource sharing but does not grant administrative access to the resource – only usage.
Create a Resource Share
The owner account creates a resource share via console, CLI, or SDK. They specify a name, select resources by ARN (e.g., subnet IDs), and define principals (account IDs, OUs, or organization). RAM validates that the owner has permission to share each resource type. If sharing with an external account (not in the organization), the owner must accept the invitation. For organization accounts, sharing is automatic if enabled.
Invitation and Acceptance (if external)
If the principal is not part of the same AWS Organization, the consumer account receives an invitation to join the resource share. The invitation appears in the RAM console under 'Shared with me'. The consumer must accept within 7 days, or the invitation expires. Once accepted, the resource becomes available. For organization accounts, no invitation is needed; sharing takes effect immediately.
Resource Association and Access
After acceptance (if needed), RAM creates an association between the resource share and the principal. The consumer account can now see the shared resource in its AWS console (e.g., subnets appear in VPC console). The consumer can use the resource according to its type's permissions. For subnets, the consumer can launch EC2 instances but cannot modify the subnet itself.
Usage with IAM Policies
The consumer account's IAM users/roles still need explicit permissions to use the shared resource. For example, to launch an instance into a shared subnet, the IAM user must have ec2:RunInstances permission and specify the subnet ID. RAM does not bypass IAM; it only makes the resource visible and usable. The resource owner's IAM policies do not affect the consumer's access.
Modification and Revocation
The resource owner retains full control. They can modify the resource (e.g., change route tables) and those changes are immediately reflected for consumers. To revoke access, the owner deletes the resource share or removes the principal. Upon revocation, the consumer loses ability to use the resource (e.g., cannot launch new instances), but existing resources in a shared subnet remain running.
In enterprise environments, AWS RAM is frequently used to implement a shared VPC model. For example, a large financial institution has a central networking team that manages a single VPC with multiple subnets. They use RAM to share subnets with dozens of application accounts. This reduces the complexity of managing separate VPCs, simplifies security group management, and centralizes egress traffic through a single NAT Gateway. The networking team creates a resource share containing all subnets and shares it with the entire AWS Organization. Application teams then launch their EC2 instances and RDS databases directly into the shared subnets. They do not need VPC peering or Transit Gateway attachments for basic connectivity. A common pitfall is that application teams forget to request the necessary security group rules from the networking team, leading to connectivity issues. Also, if the networking team accidentally deletes a subnet, all resources in that subnet are impacted.
Another scenario is centralized Transit Gateway sharing. A company with multiple VPCs across different accounts uses a single Transit Gateway owned by a central account. They share the Transit Gateway via RAM with all other accounts. Each account then attaches its VPCs to the shared Transit Gateway. This avoids the need for each account to create its own Transit Gateway and reduces costs. Performance considerations include the bandwidth limits of the Transit Gateway and the number of attachments. If the Transit Gateway owner modifies routing tables, all attached VPCs are affected. Misconfiguration can lead to routing loops or black holes if route propagation is not properly managed.
A third scenario is License Manager sharing. A software vendor wants to enforce license limits across multiple accounts. They create a license configuration and share it via RAM with all accounts in their organization. Each account can then associate the license configuration with their EC2 instances. The vendor can centrally track license usage and ensure compliance. If the sharing is accidentally revoked, instances may become non-compliant, triggering alerts. The key is to ensure that the license configuration is shared with the correct principals and that the consumer accounts have the necessary IAM permissions to use it.
The SOA-C02 exam tests AWS RAM under Objective 4.1 (Security and Compliance). You can expect 2-3 questions on RAM, often scenario-based. The most common wrong answers involve confusing RAM with cross-account IAM roles or VPC peering. For example, a question might ask: 'A company wants to share a subnet with multiple accounts so they can launch EC2 instances. What is the simplest solution?' The wrong answer is 'Create a VPC peering connection' – but that only connects VPCs, it doesn't share subnets. Another trap is 'Use an IAM role in the owner account and grant access to the consumer' – that gives the consumer full access to the owner account, not just the subnet.
Key numbers to remember: Invitations expire after 7 days. Maximum resource shares per account: 1,000. RAM is free to use (you pay only for the resources). Supported resource types include subnets, Transit Gateways, Route53 Resolver rules, License Manager configurations, and Dedicated Hosts. Not supported: S3 buckets, IAM roles, EC2 instances.
Edge cases: If you share a subnet with an account that is later removed from the organization, the sharing continues until you revoke it. If you share with an OU, new accounts in that OU automatically get access. If you share with the entire organization, all current and future accounts get access.
To eliminate wrong answers, focus on whether the question requires sharing a resource (use RAM) or granting access to manage resources (use IAM cross-account roles). Also, if the question mentions 'centralized management' or 'reduce duplication', RAM is likely the answer.
AWS RAM allows sharing of supported resources across accounts without duplication.
Resource types include subnets, Transit Gateways, Route53 Resolver rules, License Manager configurations, Dedicated Hosts, and more.
RAM integrates with AWS Organizations for automatic sharing with OUs or entire organization.
Sharing with external accounts requires invitation acceptance within 7 days.
The resource owner retains full control; consumers can only use the resource as permitted.
RAM does not replace IAM – consumer IAM policies still apply.
Revoking a resource share does not terminate existing resources in shared subnets.
Maximum resource shares per account: 1,000; resources per share: 1,000; principals per share: 1,000.
These come up on the exam all the time. Here's how to tell them apart.
AWS RAM
Shares the resource itself (e.g., subnet, Transit Gateway).
Consumer account directly uses the resource without assuming a role.
Resource owner retains full control; consumer cannot modify resource.
No need to manage trust policies or role assumptions.
Best for sharing infrastructure resources like VPC subnets.
Cross-Account IAM Roles
Grants access to manage resources in the owner account.
Consumer assumes a role to perform actions as the role's permissions.
Consumer can have broad permissions based on the role's policy.
Requires trust policy configuration and role assumption logic.
Best for granting administrative access or specific actions on resources.
Mistake
RAM can share any AWS resource, including S3 buckets and EC2 instances.
Correct
RAM supports only specific resource types: subnets, Transit Gateways, Route53 Resolver rules, License Manager configurations, Dedicated Hosts, and a few others. S3 buckets are shared via bucket policies, not RAM. EC2 instances are not shareable.
Mistake
Sharing a subnet via RAM gives the consumer account full administrative access to the subnet.
Correct
The consumer can only use the subnet (e.g., launch instances) but cannot modify or delete it. The owner retains full control. The subnet's route tables, security groups, and other configurations are managed by the owner.
Mistake
RAM requires all accounts to be in the same AWS Organization to share resources.
Correct
RAM can share with external accounts (outside the organization) via invitations. However, sharing with organization accounts is simpler and does not require acceptance.
Mistake
When a resource share is deleted, all resources in shared subnets are terminated.
Correct
Deleting the resource share only revokes the ability to use the resource. Existing EC2 instances in a shared subnet remain running. The consumer cannot launch new instances or manage the subnet.
Mistake
RAM provides a way to share IAM roles across accounts.
Correct
IAM roles are shared using cross-account IAM roles, not RAM. RAM shares resources like subnets and Transit Gateways.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, S3 buckets cannot be shared via RAM. S3 uses bucket policies or ACLs for cross-account access. RAM supports only specific resource types such as VPC subnets, Transit Gateways, Route53 Resolver rules, License Manager configurations, and Dedicated Hosts.
The sharing continues until you explicitly revoke it by deleting the resource share or removing the principal. RAM does not automatically revoke when an account leaves the organization. You must manage this manually.
No, AWS RAM itself is free to use. You only pay for the underlying resources you share (e.g., subnets, Transit Gateway attachments). There is no cost for creating resource shares or for the sharing mechanism.
You can delete the resource share entirely, or remove the specific principal from the resource share. You can also disable sharing with AWS Organizations if you want to stop sharing with all organization accounts. Revocation is immediate.
No, RAM only supports sharing with AWS accounts (or OUs/organizations). To grant access to specific IAM users or roles in the consumer account, those users must have the necessary IAM permissions to use the shared resource.
RAM allows a consumer account to launch resources directly into the owner's subnet without needing a separate VPC. VPC peering connects two VPCs, allowing resources in each VPC to communicate, but does not allow the consumer to use the owner's subnet directly. RAM is simpler for resource sharing; VPC peering is for network connectivity.
All RAM API calls are logged in AWS CloudTrail. You can also use AWS Config rules to track resource shares. Additionally, you can view resource share associations in the RAM console.
You've just covered AWS Resource Access Manager (RAM) — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?