Sharing Your AWS Resources with Other Accounts
Although it may be tempting to think of your organization's AWS account purely as a subscription service that gives you access to various cloud resources, the account is at its core, an isolation boundary. It's the one thing that keeps you and all of your AWS resources separate from Amazon's other tenants. Even so, there is sometimes a need to share resources across tenant boundaries. You might for example, need to share a database with your suppliers. Thankfully, the AWS Resource Access Manager can be used to share AWS resources with other accounts.
You can access the AWS Resource Access Manager from the AWS Services menu. You can find the link in the Security, Identity, and Compliance section.
One of the really great things about the Resource Access Manager is that unlike most other AWS resources, it is completely free to use. To get started, just click on the Create a Resource Share button, which you can see in Figure 1.
At this point, you will be taken to the Create Resource Share screen, which you can see in Figure 2. The first thing that you will need to do is to provide a name for the share that you are creating. It's a good idea to use a descriptive name since you could conceivably end up creating additional resource shares over time.
The next step in the process is to add resources to the share. Although the entire reason for creating a resource share is so that you can share resources, adding resources to the share is optional at this point. You can always add resources later on.
Regardless of whether you decide to add resources now or later, there are some significant limitations that you need to be aware of.
As it stands right now, there are only specific types of resources that you can share. Amazon currently lets you share subnets, transit gateways, resolver rules, capacity reservations, license configurations, Aurora DB clusters, and traffic mirror targets. Some of the supported resource types have additional sharing limitations. If you look back at the previous figure for example, you will notice that Subnets is selected as the resource type to share, but no subnets are listed within the interface. The reason why this is happening is because Amazon does not allow you to share subnets that exist within the default VPC. If you want to share a subnet, it must be in a non-default VPC.
Obviously, there are far more resources in AWS than those listed in the previous paragraph. In some cases it is possible to give others access to other resource types. You just won't be able to do it through the Resource Access Manager. If for example, you wanted to give a user access to a particular EC2 instance, then you might create a VPN connection that allows authorized users to access the VM from the outside world.
Once you finish specifying the resources that you want to share, then the next step in the process is to choose the principals to who you wish to share access. You can specify a principal by entering it's AWS account number, an OU, or an organization. As was the case with resource sharing, this step is optional. You can always assign principals (or modify your principal assignments) later on.
Finally, the Tags section allows you to assign key / value pairs to the share. As is the case for any other AWS object, tagging is important for keeping everything well organized.
When you finish populating the Create Resource Share screen, click on the Create Resource Share button at the bottom of the screen. When you do, you will be taken to the Resource Access Manager's Resource Shares tab, which you can see in Figure 3 below. This tab displays your newly created resource share, along with any other resource shares.
So as you can see, Amazon makes it really easy to share certain types of AWS resources with people outside of your organization.
Brien Posey is a 20-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.