Zhivko Todorov

CASE 89 · KARST · 2025

RAM·CROSS-TEAM SHARING·TRANSIT GATEWAY·GLUE CATALOG

Sharing without IAM acrobatics.

A genomics research org shared a Transit Gateway, a Glue Catalog, and three private hosted zones across nineteen accounts. The setup worked but every share required custom cross-account IAM and the platform team owned every change. We replaced the bespoke sharing with AWS Resource Access Manager.

INDUSTRY

Genomics research

DOMAIN

LANDING ZONE

DELIVERED

2025

STACK

AWS RAM·TRANSIT GATEWAY·GLUE CATALOG·ROUTE 53 PRIVATE HOSTED ZONES·IAM IDENTITY CENTER

RESULTS

What changed, by the numbers.

CUSTOM CROSS-ACCT IAM POLICIES

−93%

REPLACED BY RAM

NEW-SHARE TICKETS

−84%

AGAINST PLATFORM TEAM

SHARED RESOURCES

17

TGW, HZ, CATALOGS

AUDIT TRAIL

CLOUDTRAIL

PER-SHARE

HOW IT WENT

The bespoke sharing model had grown one custom IAM policy at a time. Every cross-account share — "let team B see catalog A," "let team C resolve hostnames in zone D" — was a hand-crafted policy with brittle resource ARN patterns. Adding a new team was a three-day project.

RAM replaced the entire pattern. The platform team published the shared resources once; consumer accounts accepted the shares with no further IAM dance. Identity Center permission sets controlled who in a consumer account could accept a share. CloudTrail captured the audit trail per share.
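One way to review the per-share CloudTrail trail this model relies on, as an added example that is not the case study's own tooling: it flags shares that open to external principals, principals outside the organization, and accepts that bypass an Identity Center permission set. Event and field names are assumed to mirror the RAM API; the org prefix, account IDs and ARNs are constructed placeholders.

```python
"""Review AWS RAM activity in CloudTrail for the controls this sharing model relies on.
Added example, not the case study's code; field names assumed to mirror the RAM API."""
import json

# Constructed placeholders: the org every share must stay inside, and its member accounts.
ORG_PREFIX = "arn:aws:organizations::111111111111:"  # organization and OU ARNs start with this
ORG_ACCOUNTS = {"111111111111", "222222222222", "333333333333"}
SHARE_EVENTS = {"CreateResourceShare", "AssociateResourceShare", "UpdateResourceShare"}
SSO_ROLE_MARK = "assumed-role/AWSReservedSSO_"  # prefix Identity Center gives permission-set roles

def principal_in_org(principal: str) -> bool:
    """True for the organization itself, one of its OUs, or a member account ID."""
    return principal.startswith(ORG_PREFIX) or principal in ORG_ACCOUNTS

def findings(records):
    """Return (eventName, share, reason) for each event that weakens the sharing model."""
    out = []
    for r in records:
        if r.get("eventSource") != "ram.amazonaws.com":
            continue
        event, p = r["eventName"], r.get("requestParameters") or {}
        share = p.get("name") or p.get("resourceShareArn") or p.get("resourceShareInvitationArn", "?")
        if event in SHARE_EVENTS:
            if p.get("allowExternalPrincipals"):  # would let the share leave the organization
                out.append((event, share, "allowExternalPrincipals=true"))
            out += [(event, share, f"principal outside org: {x}")
                    for x in p.get("principals", []) if not principal_in_org(x)]
        elif event == "AcceptResourceShareInvitation":
            who = r.get("userIdentity", {}).get("arn", "")
            if SSO_ROLE_MARK not in who:  # accept bypassed the Identity Center permission set
                out.append((event, share, f"accepted outside Identity Center by {who}"))
    return out

# Constructed sample records in CloudTrail shape (all IDs and ARNs are placeholders).
SAMPLE = json.loads("""[
 {"eventSource": "ram.amazonaws.com", "eventName": "CreateResourceShare", "requestParameters":
  {"name": "tgw-share", "allowExternalPrincipals": false,
   "principals": ["arn:aws:organizations::111111111111:organization/o-example"]}},
 {"eventSource": "ram.amazonaws.com", "eventName": "AssociateResourceShare", "requestParameters":
  {"resourceShareArn": "arn:aws:ram:eu-west-1:111111111111:resource-share/abc", "principals": ["999999999999"]}},
 {"eventSource": "ram.amazonaws.com", "eventName": "UpdateResourceShare", "requestParameters":
  {"resourceShareArn": "arn:aws:ram:eu-west-1:111111111111:resource-share/abc", "allowExternalPrincipals": true}},
 {"eventSource": "ram.amazonaws.com", "eventName": "AcceptResourceShareInvitation",
  "userIdentity": {"arn": "arn:aws:sts::222222222222:assumed-role/AWSReservedSSO_ShareAccept_0a1b2c/alice"},
  "requestParameters": {"resourceShareInvitationArn": "arn:aws:ram:eu-west-1:111111111111:resource-share-invitation/inv1"}},
 {"eventSource": "ram.amazonaws.com", "eventName": "AcceptResourceShareInvitation",
  "userIdentity": {"arn": "arn:aws:iam::333333333333:user/legacy-admin"},
  "requestParameters": {"resourceShareInvitationArn": "arn:aws:ram:eu-west-1:111111111111:resource-share-invitation/inv2"}}
]""")
```

Run `findings(SAMPLE)` over records exported from CloudTrail Lake or an S3 trail; the first sample record is the intended shape and produces no finding, the other three each produce one.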

Custom cross-account IAM policy count dropped 93%. The platform team’s new-share ticket queue dropped 84%. Adding a new team is now a one-hour task instead of a three-day project.

READY WHEN YOU ARE

Let's get your AWS bill (and architecture) in order.

The discovery call is free. You walk away with at least one concrete idea — even if we never work together.
