
Expanding AWS Networking: Organizations and Resource Access Manager (RAM)

Methods of expanding AWS networking connectivity (for example, Organizations, AWS RAM)

In modern cloud architectures, networking is rarely confined to a single AWS account. As organizations grow, they adopt a multi-account strategy to isolate workloads, manage costs, and improve security. This guide explores how AWS Organizations provides the administrative framework and AWS RAM provides the resource-sharing mechanism to scale networking across the enterprise.


Learning Objectives

After studying this guide, you should be able to:

  • Explain the hierarchical structure of AWS Organizations and the role of the Management Account.
  • Configure AWS Resource Access Manager (RAM) to share networking resources like VPC subnets and Transit Gateways.
  • Contrast the effects of Service Control Policies (SCPs) versus IAM policies in a multi-account environment.
  • Identify the specific networking resources that can be shared across accounts to reduce infrastructure duplication.
  • Manage resource sharing invitations for accounts outside and inside an organization.

Key Terms & Glossary

  • AWS Organizations: An account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.
  • AWS RAM (Resource Access Manager): A service that allows you to share your AWS resources with any AWS account or within your AWS Organization.
  • Management Account: The top-level account in an organization (formerly called the master account), used to create member accounts, manage invitations, and handle consolidated billing.
  • Service Control Policy (SCP): A type of organization policy used to manage permissions in your organization, offering central control over the maximum available permissions for all accounts.
  • Organizational Unit (OU): A container for accounts within an organization, used to organize accounts into a hierarchy to make it easier to manage them.

The "Big Idea"

The core philosophy of modern AWS networking is "Centralized Control, Distributed Execution." By using AWS Organizations, a central network team can define the "guardrails" (SCPs). By using AWS RAM, they can create a "Golden VPC" or a Central Transit Gateway and share it out to developers. This prevents "shadow IT" and IP address fragmentation while giving developers the resources they need to build without waiting for manual network provisioning.


Formula / Concept Box

Access Evaluation Logic

| Component  | Logic Function   | Description |
|------------|------------------|-------------|
| SCP        | Filter/Guardrail | Defines the maximum possible permissions. If the SCP denies an action, no IAM policy can allow it. |
| IAM Policy | Grant/Permit     | Grants specific permissions to users/roles within the member account. |
| RAM Share  | Provision        | Makes the physical resource (e.g., a subnet) visible and usable in the target account. |

[!IMPORTANT] Effective Permission = (Permissions allowed by SCP) AND (Permissions allowed by IAM).
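As an added example (not from this study guide and not AWS's own evaluator), the following Python model applies the three layers of the box above in order: SCP as a filter, IAM as the grant, RAM share as the visibility check. The policy documents are constructed approximations of the FullAWSAccess SCP and the AdministratorAccess IAM policy; Resource and Condition elements, permission boundaries, and the fact that SCPs do not apply to the management account itself are deliberately left out of the model.

```python
from fnmatch import fnmatchcase

# Constructed policy documents approximating AWS-managed FullAWSAccess (SCP)
# and AdministratorAccess (IAM); Resource/Condition keys omitted for brevity.
FULL_AWS_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
DENY_RUN_INSTANCES_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances"},
]}
ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
EC2_READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"]}]}


def _matches(action, patterns):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def evaluate_policy(policy, action):
    """Evaluate one SCP or IAM document for an action: 'Deny' (explicit),
    'Allow', or None for an implicit deny. An explicit Deny always wins."""
    outcome = None
    for stmt in policy.get("Statement", []):
        if _matches(action, stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return "Deny"
            outcome = "Allow"
    return outcome


def effective_decision(scps, iam_policies, action, resource_shared=True):
    """Effective permission = (allowed by SCP) AND (allowed by IAM) AND
    (resource made visible by a RAM share). `scps` holds every SCP on the
    account's OU path; each level must allow the action, because SCPs only
    filter and never grant. Returns a short reason string."""
    for scp in scps:
        if evaluate_policy(scp, action) != "Allow":
            return "Denied by SCP"
    iam_results = [evaluate_policy(p, action) for p in iam_policies]
    if "Deny" in iam_results or "Allow" not in iam_results:
        return "Denied by IAM"
    if not resource_shared:
        return "Resource not shared via RAM"
    return "Allowed"


if __name__ == "__main__":
    # Checkpoint question 1: SCP denies ec2:RunInstances, IAM is AdministratorAccess.
    print(effective_decision([DENY_RUN_INSTANCES_SCP], [ADMINISTRATOR_ACCESS],
                             "ec2:RunInstances"))  # Denied by SCP
```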


Hierarchical Outline

  • AWS Organizations Architecture
    • Management Account: Owns consolidated billing; creates OUs; manages SCPs; cannot be changed once the organization is created.
    • Member Accounts: Belong to exactly one organization; can be moved between OUs.
    • Organizational Units (OUs): Logical groupings (e.g., "Production", "Testing") for policy application.
  • AWS Resource Access Manager (RAM)
    • Sharing Mechanism: Sharing within an Org is seamless (no invitation needed once sharing with AWS Organizations is enabled). External sharing requires an invitation handshake.
    • Networking Resources Shared:
      • VPC Subnets: Allows multiple accounts to launch resources into the same VPC (VPC Sharing).
      • Transit Gateways: Centralizes edge connectivity (VPN/Direct Connect).
      • Route 53 Resolver Rules: Centralizes DNS resolution logic.
      • Network Firewall Policies: Ensures consistent security inspection rules.

Visual Anchors

[Diagram: Multi-Account Sharing Workflow]

[Diagram: Permission Evaluation Tree]

Definition-Example Pairs

  • Consolidated Billing: The process of combining all costs from member accounts into a single invoice for the management account.
    • Example: A corporation with 50 AWS accounts receives one bill and benefits from volume discounts on data transfer across all accounts.
  • VPC Sharing: Participating accounts can create resources (EC2, RDS) in subnets shared by a central owner account.
    • Example: The Network Team owns the VPC and IP space in Account A, while the App Team launches web servers in shared subnets in Account B, ensuring the App Team cannot modify the underlying VPC route tables.
  • Handshake: A multi-step process for exchanging information between an initiator and a recipient for account invitations.
    • Example: The Management account invites a pre-existing standalone account via email; the owner of that email must log in and click "Accept" to join the Organization.

Worked Examples

Scenario: Centralizing Transit Gateway Connectivity

Goal: Provide 5 different AWS accounts access to an on-premises data center via a single Direct Connect connection.

  1. Creation: Create the Transit Gateway (TGW) in a "Network Hub" account.
  2. RAM Configuration: In the Hub account, open AWS RAM and create a "Resource Share."
  3. Resource Selection: Select the TGW as the resource and specify the Organization ID as the principal.
  4. Propagation: Because the share is within the Organization, the TGW automatically appears in the member accounts' consoles.
  5. Attachment: Developers in member accounts create a "Transit Gateway Attachment" to link their local VPCs to the shared TGW.
  6. Routing: The Hub account administrator accepts the attachments and configures TGW route tables to allow traffic to the Direct Connect gateway.

Checkpoint Questions

  1. What happens if an SCP denies ec2:RunInstances but an IAM user in a member account has AdministratorAccess?
  2. True or False: When sharing a subnet via RAM, the participant account can delete the VPC's Internet Gateway.
  3. Which account is responsible for paying for the resources used when a resource is shared via RAM?
  4. Why is an invitation not required when sharing a resource with an account inside your AWS Organization?

Answers

  1. The request is denied. SCPs act as a filter that overrides any local permissions.
  2. False. Participants can only manage the resources they create in the subnet (like their own EC2 instances); they cannot modify VPC-level infrastructure.
  3. The owner account (the one that created the resource) is generally responsible for the resource costs, but usage-based costs (like data transfer) may vary by service.
  4. Through its integration with AWS Organizations, the management account can turn on "Enable sharing with AWS Organizations" in RAM, which pre-authorizes all accounts within the organization boundary.

Muddy Points & Cross-Refs

  • SCP vs. IAM: Remember that SCPs never grant permissions; they only limit them. If you don't have an IAM policy granting access, the SCP cannot give it to you.
  • VPC Peering vs. RAM Sharing:
    • Use VPC Peering for simple point-to-point connection between two VPCs.
    • Use RAM Sharing (VPC Sharing) when multiple accounts need to live in the same address space and share the same network topology.
  • RAM Resource Limits: RAM supports many services (App Mesh, Aurora, Route 53), but not all. Always check the current documentation for the latest list of shareable resources.

Comparison Tables

Resource Access Manager: Internal vs. External Sharing

| Feature               | Internal (Within Org)         | External (Outside Org)                  |
|-----------------------|-------------------------------|-----------------------------------------|
| Invitation Process    | Automatic (no handshake)      | Manual (Handshake/Acceptance required)  |
| Permission Management | Managed by Org Admin          | Managed by individual accounts          |
| Visibility            | Integrated with OUs           | Individual Account IDs only             |
| Trust Requirement     | High (Implicit trust in Org)  | Low (Explicit acceptance per share)     |

Management vs. Member Accounts

| Capability         | Management Account                            | Member Account             |
|--------------------|-----------------------------------------------|----------------------------|
| Create SCPs        | Yes                                           | No                         |
| Pay Bill           | Yes (Consolidated)                            | No                         |
| Join Organizations | Can only be the management (master) account   | Can belong to only one Org |
| Resource Creation  | Yes                                           | Yes                        |
