Cross-Account Resource Sharing
Explore how to implement cross-account resource sharing using AWS Resource Access Manager to centralize networking and license management while maintaining account-level isolation. Understand shared VPC subnets, Transit Gateway sharing, license control, and best practices for balancing efficiency with security in multi-account AWS environments.
When an enterprise operates 50, 100, or even thousands of AWS accounts under a single AWS Organizations boundary, every duplicated VPC, NAT gateway, and license configuration compounds into a sprawling mesh of wasted IP space, redundant routing, inflated costs, and inconsistent governance. The exam tests whether an architect can break this pattern by centralizing shared infrastructure (networking, licensing, and common services) while preserving the account-level isolation that delivers security boundaries, billing separation, quota containment, and compliance segmentation.
This lesson dissects the three pillars of cross-account resource sharing: shared networking resources, centralized license management, and AWS Resource Access Manager as the enabling mechanism. Each pattern directly addresses exam scenarios that penalize duplication and reward scalable, governed sharing. The next lesson on cost governance at scale extends these sharing patterns into tagging standards, cost-allocation models, and financial accountability across the same multi-account structure.
The following diagram illustrates the hub-and-spoke topology that underpins enterprise-scale cross-account sharing.
AWS Resource Access Manager mechanics
AWS Resource Access Manager (RAM) lets a resource-owning account create a resource share, select specific AWS resources, and grant access to individual accounts, organizational units, or the entire organization. When sharing is enabled at the organization level, participant accounts accept shares automatically. No manual invitation workflow is required. This frictionless integration is a key operational advantage tested on the exam.
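The following audit is an added example, not part of the original lesson: it checks RAM shares for grants that reach beyond the organization or span the whole organization. The share names, account IDs, and organization ID are constructed; the field names assume the RAM `get_resource_shares` and `list_principals` responses, whose `allowExternalPrincipals` and `external` fields the lesson does not mention.

```python
import re

ORG_ID = "o-exampleorg1"  # placeholder organization ID (constructed)
SHARE_A = "arn:aws:ram:us-east-1:111111111111:resource-share/share-a"
SHARE_B = "arn:aws:ram:us-east-1:111111111111:resource-share/share-b"
ORG_ARN = "arn:aws:organizations::111111111111"

# Constructed sample data, using field names from the RAM
# get_resource_shares and list_principals responses.
SHARES = [
    {"name": "core-subnets", "resourceShareArn": SHARE_A, "allowExternalPrincipals": False},
    {"name": "legacy-tgw", "resourceShareArn": SHARE_B, "allowExternalPrincipals": True},
]
PRINCIPALS = [
    {"resourceShareArn": SHARE_A, "id": f"{ORG_ARN}:ou/{ORG_ID}/ou-ab12-cdefgh34", "external": False},
    {"resourceShareArn": SHARE_B, "id": f"{ORG_ARN}:organization/{ORG_ID}", "external": False},
    {"resourceShareArn": SHARE_B, "id": "999999999999", "external": True},
]

# Organization and OU principals are ARNs that embed the organization ID.
ORG_PRINCIPAL = re.compile(
    r"arn:aws:organizations::\d{12}:(ou|organization)/(o-[a-z0-9]+)(?:/ou-[a-z0-9-]+)?")

def principal_scope(principal_id):
    """Return (scope, org_id); scope is 'account', 'ou', 'organization' or 'other'."""
    if re.fullmatch(r"\d{12}", principal_id):
        return "account", None
    m = ORG_PRINCIPAL.fullmatch(principal_id)
    return (m.group(1), m.group(2)) if m else ("other", None)  # other: e.g. IAM role

def audit_shares(shares, principals, org_id):
    """Return (share name, severity, reason) for shares that weaken isolation."""
    findings = []
    for share in shares:
        if share["allowExternalPrincipals"]:
            findings.append((share["name"], "HIGH", "share permits principals outside the organization"))
        for p in principals:
            if p["resourceShareArn"] != share["resourceShareArn"]:
                continue
            scope, owner = principal_scope(p["id"])
            if p["external"] or (owner is not None and owner != org_id):
                findings.append((share["name"], "HIGH", f"principal outside the organization: {p['id']}"))
            elif scope == "organization":
                findings.append((share["name"], "REVIEW", "shared with the entire organization"))
    return findings

if __name__ == "__main__":
    for name, severity, reason in audit_shares(SHARES, PRINCIPALS, ORG_ID):
        print(f"{severity:6} {name}: {reason}")
```

In a live account, the two lists would come from the RAM API responses for the resource-owning account instead of the constructed samples.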
RAM operates on a critical principle that candidates must internalize: It grants
Not all AWS resources support RAM sharing. The exam expects familiarity with key shareable resource types: