AWS Resource Access Manager (RAM) Flashcards

1
Q

What is AWS Resource Access Manager?

A

It is the AWS service that lets one account share its resources (VPC subnets, for example) with other AWS accounts, organizational units or a whole organization instead of duplicating them in every account.

2
Q

What are the two modes of sharing that can be configured in Resource Access Manager?

A

Sharing with a handshake: the owner invites another account and that account must accept the invitation before it can use the resource. Sharing without a handshake: once sharing with AWS Organizations is enabled in the RAM settings, shares with accounts, OUs or the whole organization are accepted automatically.

3
Q

What is an owner and participant in reference to RAM?

A

The owner is the account that owns the resource and creates the resource share; a participant is an account (or other principal) the resource is shared with, which can use it but cannot modify or delete it.

4
Q

What resource types can you share with RAM?

A
  • VPC subnets (VPC sharing)
  • Transit Gateways
  • Route 53 Resolver rules
  • License Manager license configurations
These were the first shareable types; RAM now supports many more, so check the current list of shareable resources in the RAM documentation.
5
Q

Can you also share resources with accounts outside your organization?

A

Yes, by allowing external principals on the resource share. The external account must accept an invitation, and some resource types (VPC subnets, for one) can only be shared within an organization.

6
Q

When using shared resources, who is responsible for creating, managing and deleting the resource?

A

The resource owner. For a shared VPC that includes the VPC-level components such as subnets, route tables, internet gateways, virtual private gateways and NAT gateways; participants only create and manage their own resources (EC2 instances, for example) inside the shared subnets.

7
Q

Who is responsible for the cost of data transfer out of the VPC?

A

It is split by who owns the path. The VPC owner pays the hourly and data-processing charges for the gateways it operates (NAT gateways, virtual private gateways, transit gateways, VPC endpoints); each participant pays the data transfer charges attributable to its own resources, such as internet egress from its instances, inter-AZ traffic and traffic over VPC peering or a Direct Connect gateway.

8
Q

When you create an EC2 instance in a shared VPC, who is responsible for data transfer out charges?

A

The participant that owns the instance: data transfer charges follow the account that owns the network interface. The VPC owner only pays for the gateways it operates, such as NAT gateways and transit gateways.

9
Q

When you create an EC2 instance in a shared VPC, who is responsible for the EC2 charges?

A

The participant, because the instance is launched in and billed to its own account.

10
Q

Since I can share resources with Resource Access Manager, can I share my VPC with an external account?

A

No. Many resource types can be shared with external accounts, but VPC subnets can only be shared with accounts or OUs in your own organization, so a VPC cannot be shared with an external account.

11
Q

If I want resources that someone shares with me to be visible in my account, how does that happen?

A

The resource owner adds your account (or your OU or organization) as a principal on their resource share. If you are outside their organization, or org sharing is not enabled, you accept the invitation under Shared with me in the RAM console (or with accept-resource-share-invitation); the resource then appears in your account, and your own IAM policies govern what you can do with it.

12
Q

There is a security team within the organization that wants access to resources for auditing purposes across multiple accounts within the organization. How can I give them access to these resources efficiently?

A

RAM is not a general-purpose permission tool: every resource share carries a managed permission chosen from the set defined for that resource type, so it can give the team read-only use of a shareable resource but not audit access to arbitrary resources. The efficient pattern is a read-only IAM role in each account (for example with the SecurityAudit or ReadOnlyAccess managed policy, deployed with CloudFormation StackSets) whose trust policy lets the security team's identities assume it.

13
Q

A company has a hybrid cloud environment with resources both in AWS and on-premises. They want to extend their existing on-premises Active Directory to manage access to certain AWS resources. How can they use AWS RAM in conjunction with other AWS services to achieve this centralized identity management?

A

They extend the directory with AWS Directory Service (AWS Managed Microsoft AD with a trust to the on-premises forest, or AD Connector) and federate AWS access through IAM Identity Center, so AD users and groups map to permission sets in the member accounts. RAM's part is narrower: a resource share cannot name AD users or groups as principals (its principals are accounts, OUs, organizations and, for some resource types, IAM roles or users), but the Managed Microsoft AD directory can be shared with other accounts in the organization so that all of them authenticate against the one directory.

14
Q

A company wants to share resources with external AWS accounts owned by their business partners. However, they need to ensure that these partners only have access to specific resources and cannot access any other resources within their AWS environment. How can they use AWS RAM to securely share resources with external accounts while maintaining strong isolation and access control?

A

They create a resource share containing only the resources in question, enable external principals and add the partners' account IDs as principals; each partner accepts the invitation. What a partner can do is governed by the managed permission attached to the share (RAM has no free-form condition language of its own), and a partner never sees resources that are not explicitly in the share. Finer limits on actions or source networks are applied with IAM or resource-based policies alongside the share.

15
Q

A company has a complex AWS environment with resources spread across multiple accounts and regions. They need to share a specific set of resources with a particular team, but they want to ensure that the team can only access those resources from within a specific VPC. How can they use AWS RAM in combination with other AWS services to achieve this level of network-based access control?

A

RAM itself cannot express a network condition. They share the resources with the team's account and put the restriction in the resource-based or IAM policy instead, using the aws:SourceVpc condition key (or aws:SourceVpce for one specific endpoint) so that only requests arriving through that VPC's endpoint are allowed. Those keys are only present when the request traverses a VPC endpoint for the service, so an endpoint in the VPC is part of the design; a request from anywhere else carries no aws:SourceVpc value and fails the condition.

16
Q

A company is developing a new application that will use resources from multiple AWS accounts. They want to grant the application’s EC2 instances temporary access to these resources without embedding long-term credentials. How can they use AWS RAM in conjunction with other AWS services to achieve this secure and dynamic access management?

A

They attach an IAM role to the instances through an instance profile; the instance metadata service hands out short-lived credentials for that role, so nothing long-term is stored on the instances. RAM shares the resources from the other accounts with the application's account, and the role's IAM policy grants the specific actions the application needs on them.

17
Q

A company has a multi-tenant application where each customer’s data is stored in a separate AWS account. They want to allow their support engineers who have their own dedicated AWS account to access customer data for troubleshooting purposes. How can they use AWS RAM to securely grant support engineers temporary access to customer accounts without requiring them to switch accounts or manage individual credentials for each customer?

A

RAM does not apply here, because customer data in S3 buckets or databases is not a shareable resource type; cross-account IAM roles are the mechanism. Each customer account gets an IAM role whose trust policy allows the support account (ideally one specific role in it, with an MFA or ExternalId condition) to assume it, and whose permissions policy is limited to the data needed for troubleshooting. Engineers call sts:AssumeRole and receive temporary credentials, so no per-customer credentials are stored and access can be revoked centrally by editing the trust policy.

18
Q

The company wants to share a specific set of EC2 instances with a partner organization for a limited time. They need to ensure that the partner organization can only access those instances during a specific maintenance window, and that access is automatically revoked afterward. How can they use AWS RAM in combination with other AWS services to achieve this time-based access control?

A

EC2 instances are not a RAM-shareable resource type and a resource share has no time condition, so this is an IAM design: give the partner a role whose policy uses the aws:CurrentTime condition key with DateGreaterThan and DateLessThan to bound the maintenance window. The condition is evaluated on every API call, so once the window ends every request is denied, including calls made with temporary credentials obtained during the window.
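
The two condition patterns from cards 15 and 18, as an added example that is not part of the deck and not AWS code: a small Python evaluator that models just enough of IAM policy evaluation (default deny, explicit Allow with a Condition block, Deny winning over Allow) to show what aws:CurrentTime and aws:SourceVpc conditions do to a request. The policies, VPC IDs and timestamps are constructed for illustration, and the operator set is deliberately limited to the three the cards need.

```python
"""Added example, not from the flashcard deck or from AWS: a minimal model of
IAM condition evaluation for aws:CurrentTime (card 18) and aws:SourceVpc
(card 15). Policies, VPC IDs and timestamps below are constructed."""
from datetime import datetime

# Constructed: partner role policy bounded to a maintenance window (card 18).
MAINTENANCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:RebootInstances"],
        "Resource": "*",
        "Condition": {
            "DateGreaterThan": {"aws:CurrentTime": "2024-06-01T02:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2024-06-01T06:00:00Z"},
        },
    }],
}

# Constructed: policy that only works for requests arriving via an endpoint in one VPC (card 15).
VPC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ssm:GetParameter",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0abc123def456789a"}},
    }],
}


def _parse_time(value):
    """ISO 8601 with a trailing Z, the form IAM uses for date condition values."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _condition_holds(condition, context):
    """Every operator/key pair must match. A key absent from the request
    context does not match, which is how IAM treats keys without IfExists;
    operators this model does not know fail closed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "DateGreaterThan":
                if not _parse_time(actual) > _parse_time(expected):
                    return False
            elif operator == "DateLessThan":
                if not _parse_time(actual) < _parse_time(expected):
                    return False
            else:
                return False
    return True


def _action_matches(pattern, action):
    """Supports "*" and trailing-wildcard patterns such as "ec2:*"."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def is_allowed(policy, action, context):
    """Default deny; an explicit Deny whose condition holds wins over any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(a, action) for a in actions):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def maintenance_decision(when):
    """Decision for a reboot request made at the given aws:CurrentTime."""
    return is_allowed(MAINTENANCE_POLICY, "ec2:RebootInstances", {"aws:CurrentTime": when})


def vpc_decision(source_vpc=None):
    """None models a request that did not traverse a VPC endpoint, so the key is absent."""
    context = {} if source_vpc is None else {"aws:SourceVpc": source_vpc}
    return is_allowed(VPC_POLICY, "ssm:GetParameter", context)


if __name__ == "__main__":
    for when in ("2024-06-01T01:59:00Z", "2024-06-01T03:30:00Z", "2024-06-01T06:00:00Z"):
        print(when, "allowed" if maintenance_decision(when) else "denied")
    print("from the shared VPC:", vpc_decision("vpc-0abc123def456789a"))
    print("from another VPC:   ", vpc_decision("vpc-0fedcba9876543210"))
    print("no VPC endpoint:    ", vpc_decision())
```

The last case is the one that catches people in card 15's design: a request that does not go through a VPC endpoint has no aws:SourceVpc key at all, and an absent key fails a StringEquals condition the same way a wrong value does, so the restriction only works when the endpoint is actually in place.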

19
Q

A company has a centralized logging system in AWS that collects logs from various services and applications across multiple accounts. They want to grant their security analysts, who have their own dedicated AWS account, read-only access to these logs for security monitoring and analysis. How can they securely share the log data with the security analysts' account while ensuring they cannot modify or delete any log entries?

A

Log stores are not RAM-shareable resource types, so this is done with a cross-account IAM role in the logging account (or a bucket policy for logs kept in S3) that the analysts' account can assume. The role or bucket policy grants only read actions (logs:DescribeLogStreams, logs:GetLogEvents and logs:FilterLogEvents, or s3:ListBucket and s3:GetObject) and omits every put, delete and retention-changing action, so the analysts can search and read logs but cannot modify or delete entries.

20
Q

A company is using AWS Organizations to manage multiple accounts and wants to share a set of resources with all accounts in a specific organizational unit (OU). They need to ensure that any new accounts added to that OU automatically inherit access to the shared resources. How can they use AWS RAM to achieve this dynamic and scalable resource sharing at the OU level?

A

First enable sharing with AWS Organizations in RAM (a one-time setting in the management account). Then create a resource share whose principal is the OU's ARN rather than a list of account IDs. Every account currently in the OU gets access without an invitation, any account later created in or moved into the OU inherits it automatically, and an account moved out of the OU loses it.
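
A pre-flight check for a planned resource share, as an added example that is not from the deck and is not AWS or boto3 code: it encodes the sharing rules from cards 2, 5, 10, 14 and 20 (handshake versus organization sharing, the allowExternalPrincipals flag, the organization-only restriction on VPC subnets, and OU principals) and reports what would go wrong before any API call is made. The organization ID, account IDs and ARNs are constructed; the input dicts follow the shape of boto3's ram.create_resource_share() parameters, and the set of organization-only types contains only the one this deck mentions.

```python
"""Added example, not from the flashcard deck or from AWS: a pre-flight
check that applies the RAM sharing rules from cards 2, 5, 10, 14 and 20 to
a planned resource share before any API call. Organization ID, account IDs
and ARNs are constructed; the dict shape mirrors boto3's
ram.create_resource_share() parameters."""
import re

ORG_ID = "o-exampleorg1"                          # constructed organization ID
ORG_ACCOUNTS = {"111111111111", "222222222222"}   # constructed member accounts
# Types this deck says can only be shared inside an organization (card 10);
# extend from the RAM documentation for a real environment.
ORG_ONLY_TYPES = {"ec2:subnet"}

ACCOUNT_RE = re.compile(r"^\d{12}$")
ARN_RE = re.compile(r"^arn:aws:(?P<service>[^:]+):[^:]*:\d{12}:(?P<resource>.+)$")


def resource_type(arn):
    """'arn:aws:ec2:...:subnet/subnet-1' -> 'ec2:subnet'."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a resource ARN: {arn}")
    return f"{m.group('service')}:{m.group('resource').split('/')[0]}"


def principal_kind(principal):
    if ACCOUNT_RE.match(principal):
        return "account"
    if principal.startswith("arn:aws:organizations::"):
        if ":ou/" in principal:
            return "ou"
        if ":organization/" in principal:
            return "organization"
    if ":role/" in principal or ":user/" in principal:
        return "iam"
    return "unknown"


def check_share(share, org_sharing_enabled=True):
    """Return (severity, message) findings. 'error' means the share would be
    rejected or would not do what its author expects; 'info' means a
    handshake step is still required. org_sharing_enabled models the RAM
    setting "Enable sharing with AWS Organizations" from card 2."""
    findings = []
    types = {resource_type(a) for a in share["resourceArns"]}
    external_ok = share.get("allowExternalPrincipals", False)
    for p in share["principals"]:
        kind = principal_kind(p)
        if kind == "account" and p in ORG_ACCOUNTS:
            if not org_sharing_enabled:
                findings.append(("info", f"{p}: same organization, but org sharing is off so it must accept an invitation"))
        elif kind == "account":
            if external_ok:
                findings.append(("info", f"{p}: external account, must accept the invitation (handshake)"))
            else:
                findings.append(("error", f"{p}: outside {ORG_ID} but allowExternalPrincipals is False"))
            for t in sorted(types & ORG_ONLY_TYPES):
                findings.append(("error", f"{p}: {t} can only be shared within the organization"))
        elif kind in ("ou", "organization"):
            if not org_sharing_enabled:
                findings.append(("error", f"{p}: organization principal but sharing with AWS Organizations is not enabled in RAM"))
            elif ORG_ID not in p:
                findings.append(("error", f"{p}: belongs to a different organization"))
        elif kind == "iam":
            findings.append(("info", f"{p}: IAM principal, supported only for some resource types"))
        else:
            findings.append(("error", f"{p}: unrecognised principal"))
    return findings


def errors(share, **kwargs):
    return [msg for sev, msg in check_share(share, **kwargs) if sev == "error"]


# Constructed sample shares.
SUBNET_ARN = "arn:aws:ec2:us-east-1:111111111111:subnet/subnet-0123456789abcdef0"
TGW_ARN = "arn:aws:ec2:us-east-1:111111111111:transit-gateway/tgw-0123456789abcdef0"
OU_ARN = f"arn:aws:organizations::111111111111:ou/{ORG_ID}/ou-abcd-12345678"
PARTNER = "999999999999"

OU_SHARE = {"resourceArns": [SUBNET_ARN], "principals": [OU_ARN]}                      # card 20
PARTNER_SHARE_BAD = {"resourceArns": [SUBNET_ARN, TGW_ARN], "principals": [PARTNER]}   # cards 10, 14
PARTNER_SHARE_OK = {"resourceArns": [TGW_ARN], "principals": [PARTNER],
                    "allowExternalPrincipals": True}                                   # card 5

if __name__ == "__main__":
    for name, share in (("OU_SHARE", OU_SHARE), ("PARTNER_SHARE_BAD", PARTNER_SHARE_BAD),
                        ("PARTNER_SHARE_OK", PARTNER_SHARE_OK)):
        for sev, msg in check_share(share) or [("ok", "no findings")]:
            print(f"{name}: {sev}: {msg}")
```

In a deployment pipeline this runs before create_resource_share is called and fails the job on any error-severity finding; the info findings are the reminders that an invitation still has to be accepted on the other side, which is the handshake mode from card 2.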