AWS RAM and Transit Gateway

Cloud Journey
6 min read · Jul 28, 2021


Overview

In this blog post we continue exploring AWS networking, and start looking at the security controls around the network components.

A transit gateway created in one account is scoped to that account. To attach a VPC from another account to it, the transit gateway (TGW) has to be shared with that second account.

AWS Resource Access Manager (RAM) helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs) in AWS Organizations, and with IAM roles and IAM users for supported resource types.

We will share a transit gateway within an Organization, look at the RAM managed permission that governs what recipients can do with it, and see how AWS RAM works together with IAM.

Of course, at the end we will compare with the equivalent Azure feature.

Configure Organization

Create Organization

From the AWS console, open the Organizations service and click "Create organization".

A root organization is created, and the current AWS account joins it as the management account.

At the same time a verification email is sent to the root user's email address.

Before inviting an existing AWS account to the organization, the email address must be verified: click the "Verify your email address" button, which prompts you to sign in to the AWS console. Once the address is verified, a green banner shows the status.

Add Existing Account to Organization

From the organization's management account, send an invitation to the other account.

This is the invitation email sent to the recipient account's owner.

From the recipient account's console, accept the invitation to join the organization. The recipient account must not already be a member account or the management account of another organization.

Back in the management account, two accounts now show as joined to the organization.

Configure IAM Policy

For a resource you own, how are you authorized to create a resource share?

By default, IAM users don’t have permission to create or modify AWS RAM resources. To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant permission to use specific resources and API actions.

We first gave the IAM user ReadOnlyAccess, signed in as that user, and the attempt to create a resource share failed.

Let's add an inline policy that gives IAM user "Operator" just enough permission to create a resource share and to associate only one specific transit gateway with it.

(Note: when I used the exact policy from the AWS doc https://docs.aws.amazon.com/ram/latest/userguide/iam-examples.html#owner-share-specific-resources, I still got the same error, so I updated the inline policy to grant ram:CreateResourceShare permission in a separate statement.)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:AssociateResourceShare"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ResourceArn": "arn:aws:ec2:us-west-2:<acct>:transit-gateway/tgw-<id>"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateResourceShare"
      ],
      "Resource": "*"
    }
  ]
}

Create a Share Resource

Now IAM user "Operator" can create a resource share and share the transit gateway with the organization. Sharing with the organization or an OU (rather than with individual account IDs) requires the "Enable sharing with AWS Organizations" setting to be turned on in the RAM console of the management account; once it is on, member accounts get access to the share without having to accept an invitation.

RAM Managed Permission

For a resource that is shared with you, what permissions do you have?

AWS RAM managed permissions define the actions that are allowed for each shareable resource type in a resource share. When you create a resource share, you associate a permission with each resource type in it.

The RAM permission object for transit gateways:

Name: AWSRAMDefaultPermissionTransitGateway

ARN: arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTransitGateway

Allowed actions:
ec2:DescribeTransitGateways
ec2:CreateTransitGatewayVpcAttachment
ec2:ModifyTransitGatewayVpcAttachment
ec2:DeleteTransitGatewayVpcAttachment

Using Shared Resource

The RAM permission only bounds what can be done with the shared resource; the recipient principal must also be granted the actions listed above by its own IAM policies. Its effective rights on the transit gateway are the intersection of the two.
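To make both checks concrete, here is an added example (not code from this post or from AWS): a small offline model of IAM identity-policy evaluation that replays the "Operator" inline policy from the Configure IAM Policy section and the recipient-side rule just stated. The account ID, transit gateway ARNs and resource-share ARN are placeholders, and the ReadOnly and recipient policies are constructed stand-ins, not AWS managed policies copied verbatim.

```python
"""Offline model of the two authorization checks in this post:
(1) the sharing account's IAM policy deciding whether "Operator" may create a
    resource share and associate one specific transit gateway with it, and
(2) a recipient principal's effective rights on the shared transit gateway,
    which are the intersection of its own IAM policy and the RAM managed
    permission attached to the share.
Added example: ARNs are placeholders; READ_ONLY_EXCERPT and the recipient
policies are constructed, not AWS managed policies."""
from fnmatch import fnmatchcase

ACCOUNT = "111111111111"  # placeholder account id
TGW_ARN = f"arn:aws:ec2:us-west-2:{ACCOUNT}:transit-gateway/tgw-0123456789abcdef0"
OTHER_TGW_ARN = f"arn:aws:ec2:us-west-2:{ACCOUNT}:transit-gateway/tgw-0fedcba9876543210"
SHARE_ARN = f"arn:aws:ram:us-west-2:{ACCOUNT}:resource-share/7d1e2f3a-0000-4b5c-8d9e-0f1a2b3c4d5e"

# Inline policy for IAM user "Operator", as in the post, with the placeholder TGW ARN.
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ram:AssociateResourceShare"],
            "Resource": "*",
            "Condition": {"StringEquals": {"ram:ResourceArn": TGW_ARN}},
        },
        {"Effect": "Allow", "Action": ["ram:CreateResourceShare"], "Resource": "*"},
    ],
}

# Constructed stand-in for the read-only grant the post tried first (Get*/List* only).
READ_ONLY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ram:Get*", "ram:List*"], "Resource": "*"}],
}

# Constructed recipient-side identity policies.
RECIPIENT_ADMIN = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
RECIPIENT_READONLY = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}

# Allowed actions of AWSRAMDefaultPermissionTransitGateway, as listed in the post.
RAM_DEFAULT_PERMISSION_TGW = {
    "ec2:DescribeTransitGateways",
    "ec2:CreateTransitGatewayVpcAttachment",
    "ec2:ModifyTransitGatewayVpcAttachment",
    "ec2:DeleteTransitGatewayVpcAttachment",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?')."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _conditions_hold(condition, context):
    # The post's policy only uses StringEquals; other operators are out of scope here.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Identity-policy evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise the request is implicitly denied.
    Action names are case-insensitive, ARNs are case-sensitive."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def recipient_can(action, recipient_policy, resource, ram_allowed_actions):
    """A principal in the recipient account acts on a shared resource only if its
    own IAM policy allows the action AND the RAM managed permission on the share
    lists it. Actions outside the RAM permission (e.g. deleting the transit
    gateway itself) stay denied however broad the recipient's IAM policy is."""
    return action in ram_allowed_actions and is_allowed(recipient_policy, action, resource)


if __name__ == "__main__":
    ctx = {"ram:ResourceArn": TGW_ARN}
    print("ReadOnly can create share   :", is_allowed(READ_ONLY_EXCERPT, "ram:CreateResourceShare", SHARE_ARN))
    print("Operator can create share   :", is_allowed(OPERATOR_POLICY, "ram:CreateResourceShare", SHARE_ARN))
    print("Operator can share this TGW :", is_allowed(OPERATOR_POLICY, "ram:AssociateResourceShare", SHARE_ARN, ctx))
    print("Operator can share other TGW:", is_allowed(OPERATOR_POLICY, "ram:AssociateResourceShare", SHARE_ARN,
                                                      {"ram:ResourceArn": OTHER_TGW_ARN}))
    print("Recipient admin can attach  :", recipient_can("ec2:CreateTransitGatewayVpcAttachment", RECIPIENT_ADMIN,
                                                         TGW_ARN, RAM_DEFAULT_PERMISSION_TGW))
    print("Recipient admin can delete  :", recipient_can("ec2:DeleteTransitGateway", RECIPIENT_ADMIN,
                                                         TGW_ARN, RAM_DEFAULT_PERMISSION_TGW))
```

Running the file prints the decisions the post observed: ReadOnlyAccess cannot create a share, "Operator" can, and only the transit gateway named in the ram:ResourceArn condition can be associated with it. On the recipient side, recipient_can shows why a principal with ec2:* still cannot delete the shared transit gateway, and why a describe-only principal cannot create an attachment even though the RAM permission allows it. Real IAM evaluation also applies SCPs, permission boundaries and resource-based policies, which this model leaves out.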

Let's validate this by adding a VPC attachment from the AWS account "SecondAccountForTest", which is a member of the organization; the transit gateway was shared with the entire organization.

A resource share is Region-specific, so select the Region the transit gateway lives in to see the resources shared with you.

After adding the VPC attachment to the shared transit gateway, the attachment shows "pending acceptance". This is because the transit gateway's "Auto accept shared attachments" option is disabled, which is the default; leaving it disabled keeps the owner account in control of which cross-account VPCs join the network.

Checking the VPC console in the source account (the one that created the resource share), the attachment appears there too, with the same attachment ID as shown in "SecondAccountForTest" and also in "pending acceptance". After accepting it from the owner account, the status changes to "pending".

After less than a minute, refresh the console and the status turns green ("available").

Conclusion

In Azure, creating a management group and adding subscriptions to the management group hierarchy is comparatively easier.

Under the AAD tenant root group you may create multiple management groups and move subscriptions under a management group, as long as you have the required RBAC permission on both the management group and the subscriptions. There is no root account email per subscription, and no email verification or invitation acceptance is needed.

Azure also has no equivalent of a resource share. A resource in another subscription can be referenced directly, as long as

  • The specific service supports being referenced from a different subscription
  • You have the required RBAC permission on the resources in each subscription

The fundamental difference is that an Azure user is authenticated at the AAD tenant level, and Azure RBAC permissions can be granted at management group, subscription, resource group or resource scope.

Additional Info

It's best practice to add MFA to the IAM user: from the IAM console, select "Operator" and manage the MFA device. In my case, I already have the Google Authenticator app installed on my smartphone, so I scan the QR code.

Input the MFA code twice, then click "Assign MFA".

References

New — Use an AWS Transit Gateway to Simplify Your Network Architecture | AWS News Blog (amazon.com)

Using VPC Sharing for a Cost-Effective Multi-Account Microservice Architecture | AWS Architecture Blog (amazon.com)

Control VPC sharing in an AWS multi-account setup with service control policies | AWS Security Blog (amazon.com)

New AWS Resource Access Manager — Cross-Account Resource Sharing | AWS News Blog (amazon.com)

AWS RAM managed permissions — AWS Resource Access Manager (amazon.com)

How to use service control policies to set permission guardrails across accounts in your AWS Organization | AWS Security Blog (amazon.com)




Written by Cloud Journey

All blogs are strictly personal and do not reflect the views of my employer. https://github.com/Ronnie-personal
