Hey everyone! I've set up a transit gateway (TGW) attachment with an external account using the peering method, and it's working great for connecting our client's VPC to our on-premises infrastructure through Direct Connect. Now, I've been reading about Resource Access Manager (RAM) and I'm considering sharing my TGW with others outside my organization without needing to use peering. My concern is about what the external account can access—specifically, will they be able to see or delete my existing TGW attachments? I get that this could help scale as we might have more clients in the future, but I can't find clear info on what permissions they'd have with the shared TGW. Ideally, I want them to be limited to just creating attachments and managing their routes. Any insights? Thanks!
1 Answer
When you share your TGW using RAM, the other account will have limited visibility and control. They can't view, modify, or delete your existing attachments. They also won't see things like your TGW route tables or propagations. Only you, as the owner, can manage those aspects, which should give you peace of mind when sharing it out.
That sounds reassuring! If they can't access my existing setups, I think sharing might indeed be the way to go instead of peering.
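For anyone landing here later, an added example (my own, not code from the thread above): the AWS CLI steps on both sides of a RAM-shared TGW, with the two owner-side guardrails that make the model in the answer hold in practice. Leaving `AutoAcceptSharedAttachments` enabled lets any principal on the share attach a VPC without the owner reviewing it, and route-table association and propagation stay owner-only, so the owner has to do that step after accepting. All account IDs, `tgw-`/`tgw-rtb-`/`vpc-`/`subnet-` IDs, the share name and the region are placeholders; `AWS_CLI` is a variable I introduced so the command lines can be dry-run with `AWS_CLI=echo`, and the client-side accept assumes a single pending invitation.

```shell
#!/bin/sh
# Added example: sharing a TGW through RAM with owner-side guardrails.
# Placeholders: every ID below must be replaced with your own.
# AWS_CLI defaults to the real CLI; AWS_CLI=echo prints the commands instead.
AWS_CLI="${AWS_CLI:-aws}"

OWNER_ACCOUNT="111111111111"             # owns the TGW and the Direct Connect side
CLIENT_ACCOUNT="222222222222"            # external account that will attach its VPC
TGW_ID="tgw-0123456789abcdef0"
TGW_RTB_ID="tgw-rtb-0123456789abcdef0"   # owner's route table reserved for client attachments
REGION="us-east-1"

tgw_arn() {
  printf 'arn:aws:ec2:%s:%s:transit-gateway/%s\n' "$REGION" "$OWNER_ACCOUNT" "$TGW_ID"
}

# Owner, step 1: require owner acceptance for attachments created from shared-with
# accounts. With auto-accept on, anyone on the share attaches without review.
owner_disable_auto_accept() {
  "$AWS_CLI" ec2 modify-transit-gateway \
    --transit-gateway-id "$TGW_ID" \
    --options AutoAcceptSharedAttachments=disable
}

# Owner, step 2: share the TGW with one named external account. The client is
# outside the organization, so --allow-external-principals is required; name the
# account ID explicitly rather than an OU or a whole organization.
owner_create_share() {
  "$AWS_CLI" ram create-resource-share \
    --name "tgw-share-$CLIENT_ACCOUNT" \
    --resource-arns "$(tgw_arn)" \
    --principals "$CLIENT_ACCOUNT" \
    --allow-external-principals
}

# Client: accept the pending invitation, then attach its own VPC. The attachment
# lands in state pendingAcceptance until the owner acts on it.
client_accept_and_attach() {
  vpc_id="$1"; shift                     # remaining arguments: one subnet ID per AZ
  invite_arn=$("$AWS_CLI" ram get-resource-share-invitations \
    --query 'resourceShareInvitations[?status==`PENDING`].resourceShareInvitationArn' \
    --output text)
  "$AWS_CLI" ram accept-resource-share-invitation \
    --resource-share-invitation-arn "$invite_arn"
  "$AWS_CLI" ec2 create-transit-gateway-vpc-attachment \
    --transit-gateway-id "$TGW_ID" --vpc-id "$vpc_id" --subnet-ids "$@"
}

# Owner, step 3: review what is waiting, then accept and associate it with the
# client route table. The client cannot associate or propagate; only the owner can.
owner_list_pending() {
  "$AWS_CLI" ec2 describe-transit-gateway-attachments \
    --filters "Name=transit-gateway-id,Values=$TGW_ID" "Name=state,Values=pendingAcceptance" \
    --query 'TransitGatewayAttachments[].[TransitGatewayAttachmentId,ResourceOwnerId,ResourceId]' \
    --output text
}

owner_accept_and_associate() {
  attach_id="$1"
  "$AWS_CLI" ec2 accept-transit-gateway-vpc-attachment \
    --transit-gateway-attachment-id "$attach_id"
  "$AWS_CLI" ec2 associate-transit-gateway-route-table \
    --transit-gateway-route-table-id "$TGW_RTB_ID" \
    --transit-gateway-attachment-id "$attach_id"
}

# Client-side check: describe-transit-gateway-attachments in the client account
# returns only attachments that account owns, so every ResourceOwnerId should be
# the client's. Output is tab-separated "attachment-id<TAB>owner".
client_list_visible_attachments() {
  "$AWS_CLI" ec2 describe-transit-gateway-attachments \
    --query 'TransitGatewayAttachments[].[TransitGatewayAttachmentId,ResourceOwnerId]' \
    --output text
}

# Pure-shell filter over that output: prints attachment IDs whose owner is not
# the expected account and exits 1 if there were any, 0 if the view is clean.
foreign_attachments() {
  awk -v want="$1" '$2 != want { print $1; bad = 1 } END { exit bad ? 1 : 0 }'
}

case "${1:-}" in
  owner-share)   owner_disable_auto_accept && owner_create_share ;;
  owner-pending) owner_list_pending ;;
  owner-accept)  owner_accept_and_associate "$2" ;;
  client-attach) shift; client_accept_and_attach "$@" ;;
  client-verify) client_list_visible_attachments | foreign_attachments "$CLIENT_ACCOUNT" ;;
  *) echo "usage: $0 owner-share | owner-pending | owner-accept <tgw-attach-id> | client-attach <vpc-id> <subnet-id>... | client-verify" >&2 ;;
esac
```

Run `owner-share` from the owning account with your own profile, `client-attach` from the client's, then `owner-pending` and `owner-accept` back on the owner side. `client-verify` is the check for the question asked above: run from the client account it should print nothing and exit 0, because the owner's Direct Connect and other attachments are not in the client's view at all.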