SYSTEM Cited by 1 source
AWS Resource Access Manager (RAM)
Definition
AWS Resource Access Manager (RAM) is the AWS service that shares resources across AWS accounts without requiring resource duplication. Customers can share specific resources (transit gateways, subnets, license configurations, recovery points, etc.) with other accounts in their AWS Organization or with specific external accounts.
In cyber-resilience designs, RAM is the mechanism by which the Recovery Account shares recovery points held in its logically air-gapped vault with the IRE for restore operations.
Verbatim from the canonicalising source:
"Share recovery points through AWS Resource Access Management (AWS RAM) for restore. You share recovery points across accounts through AWS RAM. You can initiate restores from the owning account or from any account with which you share the vault. This is how the Recovery Account makes recovery points available to the IRE." (Source: sources/2026-05-20-aws-cyber-resilience-on-aws-a-reference-approach-for-recovery-from-ransomware-and-destructive-events)
Role in the three-account topology
| Account | RAM role |
|---|---|
| Production | Pushes backups to the Recovery Account vault (writes are cross-account; sharing is one-way) |
| Recovery Account | Owns the vault; shares it via RAM with the IRE |
| IRE | Receives shared vault access from RAM; initiates restores into IRE infrastructure |
What RAM provides
- Resource share — a named container of shared resources + principal grants (which accounts can use them).
- Cross-account access without duplicating the resource.
- Granular permissions on what shared accounts can do (e.g. read-only access to a recovery point).
Composition with logically air-gapped vault
The vault → IRE access pattern:
- Recovery Account creates a logically air-gapped vault.
- Recovery Account creates a resource share in RAM that includes the vault.
- Recovery Account adds the IRE account ID as a principal on the share.
- IRE account accepts the share invitation.
- IRE can now initiate restores from the shared vault.
The MPA gate still applies — IRE-initiated restores still require MPA approval before proceeding. RAM grants access, not authorisation to bypass MPA.
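The share/accept steps above, as an added example that is not from the source or from AWS: the Recovery Account builds a RAM share that contains only the vault, names only the IRE account as principal and refuses external principals, and the IRE side accepts only the invitation that came from the Recovery Account. Account IDs, region, vault name and the sample API responses are constructed placeholders; the two `*_live()` functions are the only ones that call AWS (via boto3), everything else is pure and runs offline.

```python
"""Recovery Account -> IRE vault sharing via AWS RAM (added example; IDs are constructed)."""
from typing import Any

RECOVERY_ACCOUNT_ID = "111111111111"   # constructed placeholder
IRE_ACCOUNT_ID = "222222222222"        # constructed placeholder
REGION = "us-east-1"
VAULT_NAME = "lag-recovery-vault"      # constructed placeholder

def vault_arn(region: str, account_id: str, name: str) -> str:
    """Backup vault ARN; a RAM share references the vault by ARN."""
    return f"arn:aws:backup:{region}:{account_id}:backup-vault:{name}"

def build_share_request(arn: str, ire_account_id: str, share_name: str) -> dict[str, Any]:
    """Parameters for ram.create_resource_share(): one resource (the vault), one principal
    (the IRE) and external principals disabled, so the share can only reach Organization members."""
    return {"name": share_name, "resourceArns": [arn],
            "principals": [ire_account_id], "allowExternalPrincipals": False}

def audit_share(share: dict[str, Any], resource_arns: list[str], principal_ids: list[str],
                expected_arn: str, ire_account_id: str) -> list[str]:
    """Findings for an existing share (shape of get_resource_shares / list_resources /
    list_principals output). Empty list: the vault is shared with exactly the IRE and nothing else."""
    findings = []
    if share.get("allowExternalPrincipals"):
        findings.append("share allows external principals")
    if share.get("status") != "ACTIVE":
        findings.append(f"share status is {share.get('status')}")
    findings += [f"unexpected principal {p}" for p in principal_ids if p != ire_account_id]
    findings += [f"unexpected resource {r}" for r in resource_arns if r != expected_arn]
    return findings

def invitations_to_accept(invitations: list[dict[str, Any]], trusted_sender: str) -> list[str]:
    """IRE side: accept only PENDING invitations sent by the Recovery Account, never every
    invitation that happens to be waiting in the account."""
    return [inv["resourceShareInvitationArn"] for inv in invitations
            if inv.get("status") == "PENDING" and inv.get("senderAccountId") == trusted_sender]

def share_vault_live() -> str:
    """Run with Recovery Account credentials: create the share and return its ARN."""
    import boto3  # imported here so the offline helpers above do not need boto3 installed
    ram = boto3.client("ram", region_name=REGION)
    arn = vault_arn(REGION, RECOVERY_ACCOUNT_ID, VAULT_NAME)
    resp = ram.create_resource_share(**build_share_request(arn, IRE_ACCOUNT_ID, "lag-vault-to-ire"))
    return resp["resourceShare"]["resourceShareArn"]

def accept_from_recovery_live() -> list[str]:
    """Run with IRE credentials: accept the Recovery Account's invitation(s), return share ARNs."""
    import boto3
    ram = boto3.client("ram", region_name=REGION)
    invs = ram.get_resource_share_invitations()["resourceShareInvitations"]
    return [ram.accept_resource_share_invitation(resourceShareInvitationArn=a)
            ["resourceShareInvitation"]["resourceShareArn"]
            for a in invitations_to_accept(invs, RECOVERY_ACCOUNT_ID)]
```

Accepting the share only grants the IRE the ability to start a restore; the MPA approval step is unchanged and `audit_share` is meant to be re-run periodically so a widened share is noticed.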
Generalisation beyond AWS
Equivalent cross-account / cross-tenant resource sharing:
- GCP — IAM cross-project bindings for resources.
- Azure — Azure RBAC across subscriptions.
- On-prem — directory services (LDAP) with cross-domain trust.
The structural property: declarative cross-tenant sharing of specific resources with granular access controls.
Seen in
- sources/2026-05-20-aws-cyber-resilience-on-aws-a-reference-approach-for-recovery-from-ransomware-and-destructive-events — canonical wiki reference; first wiki canonicalisation as a dedicated system page; named as the Recovery-Account → IRE vault sharing primitive.
Related
- systems/aws-backup — sibling backup primitive.
- systems/aws-backup-logically-air-gapped-vault — the resource shared via RAM in cyber-resilience.
- systems/aws-organizations — the multi-account container RAM operates within.
- concepts/cyber-resilience — the parent posture.
- patterns/three-account-cyber-recovery-topology — the topology RAM enables.