AWS Resource Access Manager: Maintain Resource Sharing Continuity

In recent developments, AWS Resource Access Manager (RAM) has introduced a game-changing feature that supports maintaining resource sharing continuity when accounts transition between AWS Organizations. This capability is particularly useful for organizations undergoing mergers, acquisitions, or restructuring. In this comprehensive guide, we will explore everything about AWS Resource Access Manager, including its features, how to implement the new enhancements, best practices, and the implications of the RetainSharingOnAccountLeaveOrganization parameter.

Table of Contents¶

• Introduction
• Understanding AWS Resource Access Manager
• What is AWS RAM?
• Key Features of AWS RAM
• New Enhancements: Retaining Resource Shares
• What is the RetainSharingOnAccountLeaveOrganization Parameter?
• How This Feature Works
• Implementing the New Feature
• Prerequisites
• Step-by-Step Implementation
• Configuring Service Control Policies (SCPs)
• Best Practices for Managing Resource Shares
• Conclusion
• Key Takeaways and Future Predictions

Introduction¶

As AWS environments grow increasingly complex, the need for robust resource sharing across organizational boundaries becomes paramount. The new feature in AWS Resource Access Manager provides a seamless solution for maintaining resource sharing when accounts leave or change AWS Organizations. In this guide, we will equip you with the knowledge to leverage this feature effectively, ensuring your resources remain accessible and secure as you navigate organizational changes.

Let’s dive deep into AWS RAM, the implications of this enhancement, and actionable steps to implement it in your organization.

Understanding AWS Resource Access Manager¶

What is AWS RAM?¶

AWS Resource Access Manager (RAM) is a service that allows you to share your resources securely between AWS accounts. This includes services like Amazon VPCs, subnets, Transit Gateways, and Route 53 Resolver Rules, among others. With RAM, you can simplify resource management, reduce operational costs, and enhance collaboration across teams and organizations.

Key Features of AWS RAM¶

• Resource Sharing: Share various types of resources (e.g., VPCs, subnets) across accounts.
• Cross-Account Access: Facilitate collaboration by allowing multiple accounts to access shared resources.
• Resource-Wide Access Control: Manage access permissions centrally through AWS Identity and Access Management (IAM).
• Granular Policies: Define fine-grained permissions using AWS Service Control Policies (SCPs).
• Central Management Console: Manage and visualize resource shares using the AWS Management Console or the AWS CLI.

New Enhancements: Retaining Resource Shares¶

What is the RetainSharingOnAccountLeaveOrganization Parameter?¶

The RetainSharingOnAccountLeaveOrganization parameter represents a significant advancement in how AWS RAM manages resource sharing when accounts move between organizations. Specifically, it enables organizations to retain existing resource sharing configurations and access even when accounts leave an AWS Organization.

How This Feature Works¶

When this feature is enabled, accounts that exit the organization are treated as external accounts. This means that the resources shared with them will remain intact, but explicit invitation acceptance will be required for continued access. This capability ensures that ongoing projects and shared services are not disrupted during transitions, allowing for a smooth exit or transfer of accounts across AWS Organizations.

Implementing the New Feature¶

Prerequisites¶

Before implementing the RetainSharingOnAccountLeaveOrganization feature, ensure that you meet the following prerequisites:

• An active AWS account with permissions to manage RAM and IAM.
• A clear understanding of your organizational structure and the accounts involved.
• Existing resource shares configured in AWS RAM.

Step-by-Step Implementation¶

Here’s a comprehensive step-by-step guide to enabling the new feature:

1. Log in to the AWS Management Console.
2. Navigate to the RAM Dashboard:

3. Choose Resource Access Manager from the AWS services menu.

4. Select Your Resource Share:

5. Locate the resource share you want to modify.

6. Click on the share to open its details.

7. Edit Resource Share Configuration:

8. In the resource share settings, look for the parameter RetainSharingOnAccountLeaveOrganization.

9. Toggle the parameter to enable it.

10. Save Changes:

11. Review your changes and click on Save to apply the new configuration.

Configuring Service Control Policies (SCPs)¶

Service Control Policies (SCPs) play a crucial role in managing the security of your AWS environment and maintaining consistent policies organization-wide. Follow these steps to configure SCPs for RAM:

1. Navigate to the AWS Organizations Console.
2. Select the Organizational Unit (OU) where the policies will apply.
3. Create or Modify an Existing SCP:

4. Attach the ram:RetainSharingOnAccountLeaveOrganization condition key in your SCP policy JSON to enforce the retention of sharing settings.

5. Test Your Configuration:

6. Conduct a test by moving an account between organizations to validate the retention settings.

Best Practices for Managing Resource Shares¶

When managing resource shares in AWS RAM, consider the following best practices:

• Regular Audits: Periodically review resource shares to ensure only necessary permissions are granted.
• Documentation: Maintain comprehensive documentation of sharing configurations and account transitions.
• Automate Processes: Utilize AWS Lambda and other automation tools to monitor and adjust resource shares in real-time.
• Utilize Tags: Implement tagging for resources to facilitate their management and tracking.
• Training and Awareness: Ensure your team is trained on these new features and understands the implications of organizational changes.

Conclusion¶

In conclusion, the new feature in AWS Resource Access Manager that supports maintaining resource sharing continuity when accounts transition between AWS Organizations represents a critical advancement for businesses facing structural changes. With this functionality, organizations can avoid disruptions in access to shared resources, streamline operational processes, and enhance collaboration across different teams.

Key Takeaways and Future Predictions¶

• AWS RAM’s new capability will significantly enhance post-merger integration and continuity in resource usage.
• As organizations increasingly adopt AWS and experience structural shifts, the importance of tools that facilitate smooth transitions will grow.
• Future updates may expand policy-making capabilities and further integrate features that enhance security and ease of use.

As you continue to explore AWS’s capabilities, remember that effective management of your resources can set the foundation for success. The introduction of the RetainSharingOnAccountLeaveOrganization feature in AWS Resource Access Manager is a prime example of how AWS is evolving to meet the needs of its customers.

By following the guidelines and practices outlined in this article, you can navigate organizational changes with confidence and maintain seamless resource access and management.

For more information on improving your AWS Resource Access Manager strategy, stay tuned for future updates and insights into AWS’s ever-evolving capabilities.

AWS Resource Access Manager now supports maintaining shares when accounts change organizations.

Learn more

More on Stackpioneers

Other Tutorials