Transit Gateway shared with AWS Resource Access Manager (AWS RAM) identify all accounts as external


Customer has an AWS Landing Zone (ALZ) implementation where they are sharing a Transit Gateway (TGW) between accounts. Sharing a TGW results in error unless Allow external accounts is checked, even though the account is in the same organization.

The account that they are trying to share the TGW with, is under the same root Organization by ALZ and AWS Control Tower configuration Why these accounts are considered externals?. Once allow external accounts is checked the TGW can be shared and the principal type shows "Account (External)"

asked 5 years ago718 views
1 Answer
Accepted Answer

AWS RAM must be integrated with AWS Organizations. Once this is done from the management account, RAM will have permissions to access AWS Organizations and enable sharing with Organization IDs and OUs. It will also properly identify accounts within the Organization and no longer require you to enable External sharing if the account is within the same Org. Enable sharing with AWS Organizations docs cover how to enable from the management account.

answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions