SEC03-BP08: Share resources securely within your organization

As the number of workloads grows, you might need to share access to resources in those workloads, or you might own resources that other workloads need to access. When you share resources with other teams, maintain least privilege access and avoid sharing credentials. Define clear ownership for resources to avoid confusion during an incident response. Monitor shared resource access.

Implementation guidance

Secure resource sharing within your organization enables collaboration while maintaining security boundaries. By implementing proper sharing mechanisms, you can provide necessary access without compromising security or creating management overhead.

Key steps for implementing this best practice:

1. Establish resource sharing governance:
   • Define policies for resource sharing within the organization
   • Establish approval processes for sharing requests
   • Document resource ownership and responsibilities
   • Create guidelines for different types of shared resources
   • Implement regular reviews of shared resource access
2. Use AWS Resource Access Manager (RAM):
   • Share resources across AWS accounts within your organization
   • Implement centralized sharing for common resources
   • Use resource shares to group related resources
   • Apply appropriate permissions to shared resources
   • Monitor resource share usage and access patterns
3. Implement cross-account access with IAM roles:
   • Create dedicated roles for cross-account access
   • Use external IDs for additional security
   • Implement time-limited access where appropriate
   • Apply conditions to restrict access based on context
   • Avoid sharing long-term credentials
4. Secure shared storage resources:
   • Use S3 bucket policies for controlled sharing
   • Implement encryption for shared data
   • Use S3 Access Points for fine-grained access control
   • Monitor access to shared storage resources
   • Implement data classification and handling requirements
5. Monitor and audit shared resource access:
   • Track all access to shared resources
   • Set up alerts for unusual access patterns
   • Generate regular reports on resource sharing
   • Implement automated compliance checks
   • Maintain audit trails for shared resource usage
6. Implement secure sharing patterns:
   • Use service-to-service authentication where possible
   • Implement network-level controls for shared resources
   • Use encryption in transit and at rest
   • Apply least privilege principles to shared access
   • Regularly validate sharing configurations

Implementation examples

Example 1: Sharing resources using AWS Resource Access Manager

Code snippet hidden for website display

Example 2: Cross-account IAM role for secure resource access

Code snippet hidden for website display

Example 3: S3 bucket policy for secure cross-account sharing

Code snippet hidden for website display

Example 4: Monitoring shared resource access with CloudWatch and Lambda

Code snippet hidden for website display

AWS services to consider

AWS Resource Access Manager (RAM)

Helps you securely share your resources across AWS accounts within your organization or organizational units (OUs) and with IAM roles and users for supported resource types.

AWS Identity and Access Management (IAM)

Enables you to manage access to AWS services and resources securely. Use IAM roles for secure cross-account access without sharing credentials.

AWS Organizations

Helps you centrally manage and govern your environment as you scale your AWS resources. Use Organizations to define trusted relationships for resource sharing.

Amazon S3

Object storage service that offers industry-leading scalability, data availability, security, and performance. Use S3 bucket policies and Access Points for secure data sharing.

AWS CloudTrail

Records API calls for your account and delivers log files to you. Use CloudTrail to monitor and audit shared resource access across accounts.

Amazon CloudWatch

Monitors your AWS resources and the applications you run on AWS in real time. Set up metrics and alarms for shared resource usage and access patterns.

Benefits of sharing resources securely within your organization

• Enhanced collaboration: Enables teams to work together while maintaining security boundaries
• Reduced duplication: Eliminates the need to duplicate resources across accounts
• Centralized management: Provides centralized control over shared resource access
• Improved security: Maintains least privilege access while enabling necessary sharing
• Cost optimization: Reduces costs by sharing common resources instead of duplicating them
• Operational efficiency: Streamlines resource management across multiple teams and accounts
• Better governance: Provides clear ownership and accountability for shared resources

Related resources

Related Resources

• AWS Well-Architected Framework - Share resources securely within your organization
• AWS Resource Access Manager User Guide
• Tutorial: Delegate access across AWS accounts using IAM roles
• Managing data access with Amazon S3 access points
• How to use AWS Resource Access Manager to share your VPC subnets with your organization
• How to monitor and visualize failed SSH access attempts to Amazon EC2 Linux instances