Transit Gateway shared with AWS Resource Access Manager (AWS RAM) identify all accounts as external
Customer has an AWS Landing Zone (ALZ) implementation where they are sharing a Transit Gateway (TGW) between accounts. Sharing a TGW results in error unless Allow external accounts is checked, even though the account is in the same organization.
The account that they are trying to share the TGW with, is under the same root Organization by ALZ and AWS Control Tower configuration Why these accounts are considered externals?. Once allow external accounts is checked the TGW can be shared and the principal type shows "Account (External)"
- Newest
- Most votes
- Most comments
AWS RAM must be integrated with AWS Organizations. Once this is done from the management account, RAM will have permissions to access AWS Organizations and enable sharing with Organization IDs and OUs. It will also properly identify accounts within the Organization and no longer require you to enable External sharing if the account is within the same Org. Enable sharing with AWS Organizations docs cover how to enable from the management account.
Relevant content
- Accepted Answerasked 9 months ago
- Accepted Answerasked 4 years ago
- How do I monitor my transit gateway and Site-to-Site VPN on a transit gateway using Network Manager?
AWS OFFICIALUpdated 2 years ago - AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
