
CrossAccountResourceSharer

Utility class for sharing AWS resources across accounts using AWS Resource Access Manager (RAM).

This class provides static methods to securely share AWS resources between accounts within the same AWS Organization. It handles the complexity of RAM resource sharing configuration, including permission management and principal specification for cross-account access patterns.

The class is designed to work with the MARE foundation infrastructure where resources from foundation accounts need to be shared with application accounts or vice-versa, in a controlled manner.

Source code in mare_aws_common_lib/helpers/cross_account_resource_sharer.py
from aws_cdk import aws_ram as ram
from constructs import Construct


class CrossAccountResourceSharer:
    """
    Utility class for sharing AWS resources across accounts using AWS Resource Access Manager (RAM).

    This class provides static methods to securely share AWS resources between accounts within
    the same AWS Organization. It handles the complexity of RAM resource sharing configuration,
    including permission management and principal specification for cross-account access patterns.

    The class is designed to work with the MARE foundation infrastructure where resources from
    foundation accounts need to be shared with application accounts or vice-versa, in a controlled manner.
    """
    @staticmethod
    def share_ssm_parameter(scope: Construct, consumer_account_id: str, resource_arn: str, resource_name: str, logical_id: str) -> None:
        """
        Share an SSM parameter with another AWS account using AWS Resource Access Manager.

        Creates a RAM resource share that grants read-only access to one SSM parameter to a
        specified consumer account. This enables parameter sharing across account boundaries
        without cross-account IAM roles or values copied between accounts.

        The resource share uses the AWS managed read-only RAM permission for SSM parameters and
        is restricted to principals inside the AWS Organization (external principals not allowed).

        Args:
            scope (Construct): CDK construct scope in which the RAM resource share is created
            consumer_account_id (str): 12-digit AWS account ID that should receive access to the
                parameter. Typically the devops account or an application account that needs it
            resource_arn (str): Complete ARN of the SSM parameter to be shared, in the form
                arn:aws:ssm:{region}:{account}:parameter/{parameter_name}. The parameter must be
                owned by the account deploying the stack and must be an advanced-tier parameter
            resource_name (str): Human-readable name for the resource share. It is visible in the
                RAM console and should describe the purpose of the share
            logical_id (str): CloudFormation logical ID for the RAM resource share construct.
                Must be unique within the stack scope

        Returns:
            None: the RAM resource share construct is added to the scope; nothing is returned

        Raises:
            No exceptions of its own. The method does not validate its inputs: a malformed ARN
            or account ID is not detected at synth time and surfaces as a failed CloudFormation
            create when RAM rejects the share at deploy time

        Note:
            - The consumer account must be in the same AWS Organization, and sharing with AWS
              Organizations must be enabled for the organization; in-organization principals
              then receive access without having to accept an invitation
            - External principals are explicitly disabled (allow_external_principals=False)
            - Uses the AWS managed read-only permission for SSM parameters
            - Only advanced-tier parameters can be shared. A SecureString parameter must be
              encrypted with a customer managed KMS key whose key policy grants the consumer
              account decrypt access; parameters encrypted with the AWS managed key aws/ssm
              cannot be shared
            - RAM resource shares are regional: the share, the parameter and the consumer's
              SSM calls must all be in the same Region
            - Once shared, the consumer reads the parameter with the standard SSM APIs, passing
              the parameter's full ARN rather than its name
            - The resource share appears in the owner's RAM console under "Shared by me" and in
              the consumer's under "Shared with me"

        Security Considerations:
            - Grants only read access to the single parameter listed in resource_arns; the share
              does not grant kms:Decrypt, which for a SecureString must come from the key policy
            - Limited to organization accounts only; setting allow_external_principals=True would
              let the parameter be shared with any AWS account
            - RAM grants resource-level access only: the calling identity in the consumer account
              still needs an identity-based policy allowing ssm:GetParameter (and related read
              actions) on the parameter ARN, plus kms:Decrypt for a SecureString
            - Reads of the parameter are logged in the consumer account's CloudTrail; creation of
              the share and its principal associations are logged as RAM events in the owner account
        """
        # One share per parameter: a single principal, a single resource ARN and the
        # AWS managed read-only permission, locked to the organization.
        ram.CfnResourceShare(
            scope, logical_id,
            name=resource_name,
            allow_external_principals=False,
            permission_arns=[
                "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSSMParameterReadOnly"
            ],
            principals=[consumer_account_id], # normally should be the devops account id for the majority of our needs
            resource_arns=[resource_arn]
        )

Functions

share_ssm_parameter(scope, consumer_account_id, resource_arn, resource_name, logical_id) staticmethod

Share an SSM parameter with another AWS account using AWS Resource Access Manager.

Creates a RAM resource share that grants read-only access to one SSM parameter to a specified consumer account. This enables parameter sharing across account boundaries without cross-account IAM roles or values copied between accounts.

The resource share uses the AWS managed read-only RAM permission for SSM parameters and is restricted to principals inside the AWS Organization (external principals not allowed).

Parameters:

  • scope (Construct, required): CDK construct scope in which the RAM resource share is created
  • consumer_account_id (str, required): 12-digit AWS account ID that should receive access to the parameter. Typically the devops account or an application account that needs it
  • resource_arn (str, required): Complete ARN of the SSM parameter to be shared, in the form arn:aws:ssm:{region}:{account}:parameter/{parameter_name}. The parameter must be owned by the account deploying the stack and must be an advanced-tier parameter
  • resource_name (str, required): Human-readable name for the resource share. It is visible in the RAM console and should describe the purpose of the share
  • logical_id (str, required): CloudFormation logical ID for the RAM resource share construct. Must be unique within the stack scope

Returns:

  • None: the RAM resource share construct is added to the scope; nothing is returned

Raises:

  • No exceptions of its own. The method does not validate its inputs: a malformed ARN or account ID is not detected at synth time and surfaces as a failed CloudFormation create when RAM rejects the share at deploy time

Note
  • The consumer account must be in the same AWS Organization, and sharing with AWS Organizations must be enabled for the organization; in-organization principals then receive access without having to accept an invitation
  • External principals are explicitly disabled (allow_external_principals=False)
  • Uses the AWS managed read-only permission for SSM parameters
  • Only advanced-tier parameters can be shared. A SecureString parameter must be encrypted with a customer managed KMS key whose key policy grants the consumer account decrypt access; parameters encrypted with the AWS managed key aws/ssm cannot be shared
  • RAM resource shares are regional: the share, the parameter and the consumer's SSM calls must all be in the same Region
  • Once shared, the consumer reads the parameter with the standard SSM APIs, passing the parameter's full ARN rather than its name
  • The resource share appears in the owner's RAM console under "Shared by me" and in the consumer's under "Shared with me"
Security Considerations
  • Grants only read access to the single parameter listed in resource_arns; the share does not grant kms:Decrypt, which for a SecureString must come from the key policy
  • Limited to organization accounts only; setting allow_external_principals=True would let the parameter be shared with any AWS account
  • RAM grants resource-level access only: the calling identity in the consumer account still needs an identity-based policy allowing ssm:GetParameter (and related read actions) on the parameter ARN, plus kms:Decrypt for a SecureString
  • Reads of the parameter are logged in the consumer account's CloudTrail; creation of the share and its principal associations are logged as RAM events in the owner account
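The security considerations above translate into a pre-deployment check. The following is an added example and not part of mare_aws_common_lib: it performs the ValueError checks a caller would want to run on consumer_account_id and resource_arn before calling share_ssm_parameter, and applies the same rules to every AWS::RAM::ResourceShare in a synthesized CloudFormation template, so a CI job can fail on a share that allows external principals, attaches a permission other than the AWS managed read-only one, names a principal outside the known organization accounts, or lists a parameter the deploying account does not own. The owner account ID, the organization account set, the parameter name and the customer managed permission ARN in the sample template are constructed for the example.

```python
"""Guardrail for RAM SSM parameter shares (added example; not mare_aws_common_lib code).

Assumptions (not from the original page): the owner account, the organization account
set and the sample template below are constructed for this example.
"""
from __future__ import annotations

import re
from typing import Any

# The only permission the helper attaches; anything else is a finding.
SSM_READ_ONLY_PERMISSION = (
    "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSSMParameterReadOnly"
)

_ACCOUNT_ID_RE = re.compile(r"[0-9]{12}")
# arn:<partition>:ssm:<region>:<account>:parameter/<name>. SSM drops the leading "/"
# of a hierarchical name in the ARN, so the name part never starts with a slash.
_SSM_PARAM_ARN_RE = re.compile(
    r"arn:(?P<partition>aws(?:-[a-z]+)*):ssm:(?P<region>[a-z0-9-]+):(?P<account>[0-9]{12})"
    r":parameter/(?P<name>[A-Za-z0-9_.\-][A-Za-z0-9_.\-/]*)"
)


def validate_consumer_account(consumer: str, owner: str, org_accounts: frozenset[str]) -> None:
    """Reject principals the helper should never be handed."""
    if not _ACCOUNT_ID_RE.fullmatch(consumer):
        raise ValueError(f"principal {consumer!r} is not a 12-digit AWS account ID")
    if consumer == owner:
        raise ValueError(f"principal {consumer} is the owning account; nothing to share")
    if consumer not in org_accounts:
        raise ValueError(f"principal {consumer} is not a known organization account")


def validate_parameter_arn(arn: str, owner: str) -> dict[str, str]:
    """Return the ARN's parsed fields, or raise ValueError if owner cannot share it."""
    match = _SSM_PARAM_ARN_RE.fullmatch(arn)
    if match is None:
        raise ValueError(f"{arn!r} is not an SSM parameter ARN")
    if match.group("account") != owner:
        raise ValueError(f"{arn} is owned by {match.group('account')}, not {owner}; "
                         "RAM can only share resources held by the owner account")
    return match.groupdict()


def validate_share_inputs(consumer: str, arn: str, owner: str, org_accounts: frozenset[str]) -> None:
    """Pre-flight check to run before constructing the share."""
    validate_consumer_account(consumer, owner, org_accounts)
    validate_parameter_arn(arn, owner)


def audit_resource_shares(template: dict[str, Any], owner: str, org_accounts: frozenset[str]) -> list[str]:
    """Apply the same rules to every AWS::RAM::ResourceShare in a synthesized template."""
    findings: list[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::RAM::ResourceShare":
            continue
        props = resource.get("Properties", {})
        # Require an explicit false; a missing property leaves the service default in charge.
        if props.get("AllowExternalPrincipals") is not False:
            findings.append(f"{logical_id}: AllowExternalPrincipals must be explicitly false")
        if props.get("PermissionArns") != [SSM_READ_ONLY_PERMISSION]:
            findings.append(f"{logical_id}: PermissionArns must be exactly the SSM read-only permission")
        for principal in props.get("Principals", []):
            try:
                validate_consumer_account(principal, owner, org_accounts)
            except ValueError as exc:
                findings.append(f"{logical_id}: {exc}")
        for arn in props.get("ResourceArns", []):
            try:
                validate_parameter_arn(arn, owner)
            except ValueError as exc:
                findings.append(f"{logical_id}: {exc}")
    return findings


# Constructed sample in the JSON shape CDK emits for ram.CfnResourceShare.
OWNER_ACCOUNT = "111111111111"
ORG_ACCOUNTS = frozenset({"111111111111", "222222222222", "333333333333"})
PARAM_ARN = f"arn:aws:ssm:eu-west-1:{OWNER_ACCOUNT}:parameter/foundation/db/endpoint"

SAMPLE_TEMPLATE: dict[str, Any] = {
    "Resources": {
        "DbEndpointShare": {  # what share_ssm_parameter() produces
            "Type": "AWS::RAM::ResourceShare",
            "Properties": {
                "Name": "foundation-db-endpoint",
                "AllowExternalPrincipals": False,
                "PermissionArns": [SSM_READ_ONLY_PERMISSION],
                "Principals": ["222222222222"],
                "ResourceArns": [PARAM_ARN],
            },
        },
        "LeakyShare": {  # hand-written share that breaks every rule
            "Type": "AWS::RAM::ResourceShare",
            "Properties": {
                "Name": "leaky",
                "AllowExternalPrincipals": True,
                # constructed customer managed permission ARN, not the AWS managed one
                "PermissionArns": [f"arn:aws:ram::{OWNER_ACCOUNT}:permission/CustomSsmWrite"],
                "Principals": ["999999999999"],
                "ResourceArns": [PARAM_ARN],
            },
        },
    }
}

if __name__ == "__main__":
    for finding in audit_resource_shares(SAMPLE_TEMPLATE, OWNER_ACCOUNT, ORG_ACCOUNTS):
        print(finding)
```

In a pipeline, load each cdk.out/<stack>.template.json with json.load and fail the job if audit_resource_shares returns anything; the absence check on AllowExternalPrincipals is deliberate, since a template that omits the property silently inherits whatever the service default is rather than the explicit False the helper sets.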