

# What are resource groups?
<a name="resource-groups"></a>

You can use *resource groups* to organize your AWS resources. AWS Resource Groups is the service that lets you manage and automate tasks on large numbers of resources at one time. This guide shows you how to create and manage resource groups in AWS Resource Groups. The tasks that you can perform on a resource vary based on the AWS service you're using. For a list of the services that support AWS Resource Groups and a brief description of what each service allows you to do with a resource group, see [AWS services that work with AWS Resource Groups](integrated-services-list.md).

You can access Resource Groups through any of the following entry points.
+ In the [AWS Management Console](https://console.aws.amazon.com/console/home), in the top navigation bar, choose **Services**. Then, under **Management & Governance**, choose **Resource Groups & Tag Editor**.

  Direct link: [AWS Resource Groups console](https://console.aws.amazon.com/resource-groups)
+ By using the Resource Groups API, in AWS CLI commands or AWS SDK programming languages. See the [AWS Resource Groups API Reference](https://docs.aws.amazon.com/ARG/latest/APIReference/Welcome.html) for more information. 

**To work with resource groups on the AWS Management Console home**

1. Sign in to the AWS Management Console.

1. On the navigation bar, choose **Services**.

1. Under **Management & Governance**, choose **Resource Groups & Tag Editor**.

1. In the navigation pane on the left, choose **Saved Resource Groups** to work with an existing group, or **Create a Group** to create a new one.

## Resources and their group types
<a name="resource-groups-intro"></a>

In AWS, a *resource* is an entity that you can work with. Examples include an Amazon EC2 instance, an AWS CloudFormation stack, or an Amazon S3 bucket. If you work with multiple resources, you might find it useful to manage them as a group rather than move from one AWS service to another for each task. If you manage large numbers of related resources, such as EC2 instances that make up an application layer, you likely need to perform bulk actions on these resources at one time. Examples of bulk actions include:
+ Applying updates or security patches.
+ Upgrading applications.
+ Opening or closing ports to network traffic.
+ Collecting specific log and monitoring data from your fleet of instances.

A *resource group* is a collection of AWS resources that are all in the same AWS Region, and that match the criteria specified in the group's query. In Resource Groups, there are two types of queries you can use to build a group. Both query types include resources that are specified in the format `AWS::service::resource`.
+ **Tag-based**

  A tag-based resource group bases its membership on a query that specifies a list of resource types and tags. *Tags* are keys that help identify and sort your resources within your organization. Optionally, tags include values for keys.
**Important**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. We use tags to provide you with billing and administration services. Tags are not intended to be used for private or sensitive data.
+ **CloudFormation stack-based**

  A CloudFormation stack-based resource group bases its membership on a query that specifies a CloudFormation stack in your account in the current Region. You can optionally choose resource types within the stack that you want to be in the group. You can base your query on only one CloudFormation stack.

**Service-linked resource groups**

Some AWS services define resource groups that you can create and manage only by using that service's console and APIs. You are limited in what you can do with these groups in the Resource Groups console. For more information, see [Service configurations for resource groups](https://docs.aws.amazon.com/ARG/latest/APIReference/about-slg.html) in the *AWS Resource Groups API Reference Guide*.

Resource groups can be *nested*; a resource group can contain existing resource groups in the same region.

### Use cases for resource groups
<a name="resource-groups-intro-usecases"></a>

By default, the AWS Management Console is organized by AWS service. But with Resource Groups, you can create a custom console that organizes and consolidates information based on criteria specified in tags, or the resources in a CloudFormation stack. The following list describes some of the cases in which resource grouping can help organize your resources.
+ An application that has different phases, such as development, staging, and production.
+ Projects managed by multiple departments or individuals.
+ A set of AWS resources that you use together for a common project or that you want to manage or monitor as a group.
+ A set of resources related to applications that run on a specific platform, such as Android or iOS.

For example, you are developing a web application, and you are maintaining separate sets of resources for your alpha, beta, and release stages. Each version runs on Amazon EC2 with an Amazon Elastic Block Store storage volume. You use Elastic Load Balancing to manage traffic and Route 53 to manage your domain. Without Resource Groups, you might have to access multiple consoles just to check the status of your services or modify the settings for one version of your application.

With Resource Groups, you use a single page to view and manage your resources. For example, let’s say you use the tool to create a resource group for each version—alpha, beta, and release—of your application. To check your resources for the alpha version of your application, open your resource group. Then view the consolidated information on your resource group page. To modify a specific resource, choose the resource's links on your resource group page to access the service console that has the settings that you need.

## AWS Resource Groups and permissions
<a name="how-resourcegroups-works"></a>

Resource Groups feature permissions are at the account level. As long as IAM principals, such as roles and users, who are sharing your account have the correct IAM permissions, they can work with resource groups that you create. 

Tags are properties of a resource, so they are shared across your entire account. Users in a department or specialized group can draw from a common vocabulary (tags) to create resource groups that are meaningful to their roles and responsibilities. Having a common pool of tags also means that when users share a resource group, they don't have to worry about missing or conflicting tag information.

## AWS Resource Groups resources
<a name="resourcegroups-arns"></a>

In Resource Groups, the only available resource is a group. Groups have unique Amazon Resource Names (ARNs) associated with them. For more information about ARNs, see [Amazon Resource Names (ARN) and AWS Service Namespaces](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) in the *Amazon Web Services General Reference*.


|  Resource Type  |  ARN Format  | 
| --- | --- | 
|  Resource Group  |  `arn:aws:resource-groups:region:account:group/group-name`  | 

## How tagging works
<a name="how-tagging-works"></a>

Tags are key and value pairs that act as metadata for organizing your AWS resources. With most AWS resources, you have the option of adding tags when you create the resource, whether it's an Amazon EC2 instance, an Amazon S3 bucket, or other resource. However, you can also add tags to multiple, supported resources at once by using Tag Editor. You build a query for resources of various types, and then add, remove, or replace tags for the resources in your search results. Tag-based queries assign an `AND` operator to tags, so any resource that matches the specified resource types and all specified tags is returned by the query.
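The two query types from [Resources and their group types](#resource-groups-intro) and the `AND` semantics of tag-based queries described above, worked through in one added example. This is not code from the AWS documentation or from the Resource Groups service: it builds the `ResourceQuery` objects in the shape that `aws resource-groups create-group --name ... --resource-query file://query.json` accepts, then runs them against a small constructed inventory to show which resources would become members. The account ID, ARNs, stack name and tags are made up, and `is_member` is a local model of the documented matching rules (same Region, a listed resource type, every filter key present with one of its listed values, or created by the named stack), not a call to the service; it treats an empty `Values` list as "key present with any value".

```python
"""Build Resource Groups queries and model which resources they would select.

Added example; not AWS code. Account ID, ARNs, stack name and tags are constructed.
"""
import json

ACCOUNT = "123456789012"            # constructed account ID
GROUP_REGION = "us-east-1"          # a resource group lives in exactly one Region
STACK_ARN = (f"arn:aws:cloudformation:{GROUP_REGION}:{ACCOUNT}:stack/alpha-web/"
             "11111111-2222-3333-4444-555555555555")


def tag_query(tag_filters, resource_types=("AWS::AllSupported",)):
    """ResourceQuery for a tag-based group.

    `tag_filters` maps a tag key to the list of acceptable values; an empty list
    is treated as "key present with any value". Note that `Query` is a JSON
    *string* embedded in the outer object, which is what the API expects.
    """
    return {
        "Type": "TAG_FILTERS_1_0",
        "Query": json.dumps({
            "ResourceTypeFilters": list(resource_types),
            "TagFilters": [{"Key": k, "Values": list(v)} for k, v in tag_filters.items()],
        }),
    }


def stack_query(stack_arn, resource_types=("AWS::AllSupported",)):
    """ResourceQuery for a CloudFormation stack-based group (exactly one stack)."""
    return {
        "Type": "CLOUDFORMATION_STACK_1_0",
        "Query": json.dumps({"ResourceTypeFilters": list(resource_types),
                             "StackIdentifier": stack_arn}),
    }


def arn_region(arn):
    """Region field of an ARN: arn:partition:service:region:account:resource."""
    return arn.split(":")[3]


def is_member(resource, group_region, resource_query):
    """Local model of the membership rules: same Region, allowed type, and either
    every tag filter satisfied (AND across keys, OR across a key's values) or,
    for a stack-based query, created by the named stack."""
    if arn_region(resource["Arn"]) != group_region:
        return False                                   # groups never span Regions
    query = json.loads(resource_query["Query"])
    types = query["ResourceTypeFilters"]
    if "AWS::AllSupported" not in types and resource["Type"] not in types:
        return False
    if resource_query["Type"] == "CLOUDFORMATION_STACK_1_0":
        return resource.get("StackId") == query["StackIdentifier"]
    for tag_filter in query["TagFilters"]:             # AND across tag keys
        value = resource["Tags"].get(tag_filter["Key"])
        if value is None:
            return False
        if tag_filter["Values"] and value not in tag_filter["Values"]:  # OR across values
            return False
    return True


def members(inventory, group_region, resource_query):
    """ARNs in `inventory` that the query would place in the group."""
    return sorted(r["Arn"] for r in inventory if is_member(r, group_region, resource_query))


def _res(arn, rtype, tags, stack_id=None):
    return {"Arn": arn, "Type": rtype, "Tags": tags, "StackId": stack_id}


WEB_ALPHA = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0a1b2c3d4e5f60001"
WEB_BETA = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0a1b2c3d4e5f60002"
ALPHA_VOLUME = f"arn:aws:ec2:us-east-1:{ACCOUNT}:volume/vol-0123456789abcdef0"
EU_ALPHA = f"arn:aws:ec2:eu-west-1:{ACCOUNT}:instance/i-0a1b2c3d4e5f60003"
ALPHA_TABLE = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/alpha-sessions"

# Constructed inventory, roughly as ListGroupResources/GetResources would describe it.
INVENTORY = [
    _res(WEB_ALPHA, "AWS::EC2::Instance", {"Stage": "alpha", "App": "web"}, STACK_ARN),
    _res(WEB_BETA, "AWS::EC2::Instance", {"Stage": "beta", "App": "web"}),
    _res(ALPHA_VOLUME, "AWS::EC2::Volume", {"Stage": "alpha"}, STACK_ARN),
    _res(EU_ALPHA, "AWS::EC2::Instance", {"Stage": "alpha", "App": "web"}),  # wrong Region
    _res(ALPHA_TABLE, "AWS::DynamoDB::Table", {"Stage": "alpha"}),
]

if __name__ == "__main__":
    alpha_compute = tag_query({"Stage": ["alpha"]}, ["AWS::EC2::Instance", "AWS::EC2::Volume"])
    print(json.dumps(alpha_compute, indent=2))       # save as query.json for create-group
    print(members(INVENTORY, GROUP_REGION, alpha_compute))
    print(members(INVENTORY, GROUP_REGION, tag_query({"Stage": ["alpha"], "App": ["web"]})))
    print(members(INVENTORY, GROUP_REGION, stack_query(STACK_ARN)))
```

Two things the model makes visible that the prose only states: the instance in `eu-west-1` never joins a `us-east-1` group however its tags match, and adding a second tag key to the query narrows membership because every key must be present (the volume and the table drop out of the `Stage=alpha, App=web` group). The double-encoded `Query` string is the most common mistake when driving `create-group` from a script; building it with `json.dumps` as above avoids hand-escaping.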

**Important**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. We use tags to provide you with billing and administration services. Tags are not intended to be used for private or sensitive data.

For more information about tagging, see the [Tag Editor User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide). You can tag [supported resources](supported-resources.md) by using Tag Editor, and some additional resources by using tagging functionality in the service console in which you create and manage the resource.

# Getting started with AWS Resource Groups
<a name="gettingstarted"></a>

In AWS, a *resource* is an entity that you can work with. Examples include an Amazon EC2 instance, an Amazon S3 bucket, or an Amazon Route 53 hosted zone. If you work with multiple resources, you might find it useful to manage them as a group rather than move from one AWS service to another for each task.

This section shows you how to get started with AWS Resource Groups. First, organize AWS resources by tagging them in Tag Editor. Then build queries in Resource Groups that include the resource types you want in a group, and tags that you've applied to resources.

After you've created resource groups in Resource Groups, use AWS Systems Manager tools such as Automation to simplify management tasks on your groups of resources. 

For more information about getting started with AWS Systems Manager features and tools, see the [AWS Systems Manager User Guide](https://docs.aws.amazon.com//systems-manager/latest/userguide/what-is-systems-manager.html).

**Topics**
+ [Prerequisites for working with AWS Resource Groups](gettingstarted-prereqs.md)
+ [Learn more about AWS Resource Groups authorization and access control](rg-auth-access.md)

# Prerequisites for working with AWS Resource Groups
<a name="gettingstarted-prereqs"></a>

Before you get started working with resource groups, be sure you have an active AWS account with existing resources and appropriate rights to tag resources and create groups.

**Topics**
+ [Sign up for AWS](#gettingstarted-prereqs-signup)
+ [Create resources](#gettingstarted-prereqs-create)
+ [Set up permissions](gettingstarted-prereqs-permissions.md)

## Sign up for AWS
<a name="gettingstarted-prereqs-signup"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

## Create resources
<a name="gettingstarted-prereqs-create"></a>

You can create an empty resource group, but won't be able to perform any tasks on resource group members until there are resources in the group. For more information about the supported resource types, see [Resource types you can use with AWS Resource Groups and Tag Editor](supported-resources.md).

# Set up permissions
<a name="gettingstarted-prereqs-permissions"></a>



To make full use of Resource Groups and Tag Editor, you might need additional permissions to tag resources or to see a resource's tag keys and values. These permissions fall into the following categories: 
+ Permissions for individual services so that you can tag resources from those services and include them in resource groups.
+ Permissions that are required to use the Tag Editor console.
+ Permissions that are required to use the AWS Resource Groups console and API.

If you are an administrator, you can provide permissions for your users by creating policies through the AWS Identity and Access Management (IAM) service. You first create your principals, such as IAM roles or users, or associate external identities with your AWS environment using a service like AWS IAM Identity Center. Then you apply policies with the permissions that your users need. For information about creating and attaching IAM policies, see [Working with policies](https://docs.aws.amazon.com//IAM/latest/UserGuide/ManagingPolicies.html).

## Permissions for individual services
<a name="rg-perms-individual-services"></a>

**Important**  
This section describes permissions that are required if you want to tag resources from other service consoles and APIs, and add those resources to resource groups.

As described in [Resources and their group types](resource-groups.md#resource-groups-intro), each resource group represents a collection of resources of specified types that share one or more tag keys or values. To add tags to a resource, you need the permissions required for the service to which the resource belongs. For example, to tag Amazon EC2 instances, you must have permissions for the tagging actions in that service's API, such as those listed in the [Amazon EC2 User Guide](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_CLI).

To make full use of the Resource Groups feature, you need other permissions that allow you to access a service's console and interact with the resources there. For examples of such policies for Amazon EC2, see [Example policies for working in the Amazon EC2 console](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/iam-policies-ec2-console.html) in the *Amazon EC2 User Guide*.

## Required permissions for Resource Groups and Tag Editor
<a name="gettingstarted-prereqs-permissions-te"></a>

To use Resource Groups and Tag Editor, the following permissions must be added to a user's policy statement in IAM. You can add either AWS-managed policies that are maintained and kept up-to-date by AWS, or you can create and maintain your own custom policy.

### Using AWS managed policies for Resource Groups and Tag Editor permissions
<a name="prereqs-permissions-managedpolicies"></a>

AWS Resource Groups and Tag Editor support the following AWS managed policies that you can use to provide a predefined set of permissions to your users. You can attach these managed policies to any user, role or group just as you would any other policy that you create.

**[ResourceGroupsandTagEditorReadOnlyAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ResourceGroupsandTagEditorReadOnlyAccess)**  
This policy grants the attached IAM role or user permission to call the read-only operations for both Resource Groups and Tag Editor. To read a resource's tags, you must also have permissions for that resource through a separate policy (see the following Important note).

**[ResourceGroupsandTagEditorFullAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ResourceGroupsandTagEditorFullAccess)**  
This policy grants the attached IAM role or user permission to call any Resource Groups operation and the read and write tag operations in Tag Editor. To read or write a resource's tags, you must also have permissions for that resource through a separate policy (see the following Important note).

**Important**  
The two previous policies grant permission to call the Resource Groups and Tag Editor operations and use those consoles. For Resource Groups operations, those policies are sufficient and grant all the permissions needed to work with any resource in the Resource Groups console.   
However, for tagging operations and the Tag Editor console, permissions are more granular. You must have permissions not only to invoke the operation, but also appropriate permissions to the specific resource whose tags you're trying to access. To grant that access to the tags, you must also attach one of the following policies:  
The AWS-managed policy [ReadOnlyAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess) grants permissions to the read-only operations for every service's resources. AWS automatically keeps this policy up to date with new AWS services as they become available.
Many services provide a service-specific read-only AWS managed policy that you can use to limit access to only the resources provided by that service. For example, Amazon EC2 provides [AmazonEC2ReadOnlyAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess).
You could create your own policy that grants access to only the specific read-only operations for the few services and resources you want your users to access. Such a policy can use either an "allow list" strategy or a "deny list" strategy.  
An allow list strategy takes advantage of the fact that access is denied by default until you ***explicitly allow*** it in a policy. So you can use a policy like the following example:  


  ```
  {
      "Version":"2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [ "resource-groups:*" ],
              "Resource": "arn:aws:resource-groups:*:123456789012:group/*"
          }
      ]
  }
  ```
Alternatively, you could use a "deny list" strategy that allows access to all resources except those that you explicitly block. Because an explicit `Deny` overrides any `Allow`, a statement like the following one is meant to sit alongside a broad `Allow` (such as the `ReadOnlyAccess` managed policy) and blocks only the Resource Groups actions on groups in the specified account.  


  ```
  {
      "Version":"2012-10-17",
      "Statement": [
          {
              "Effect": "Deny",
              "Action": [ "resource-groups:*" ],
              "Resource": "arn:aws:resource-groups:*:123456789012:group/*"
          }
      ]
  }
  ```

### Adding Resource Groups and Tag Editor permissions manually
<a name="prereqs-permissions-manualadd"></a>
+ `resource-groups:*` (This permission allows all Resource Groups actions. If you instead want to restrict the actions that are available to a user, replace the asterisk with a [specific Resource Groups action](https://docs.aws.amazon.com//IAM/latest/UserGuide/list_awsresourcegroups.html) or with a comma-separated list of actions.)
+ `cloudformation:DescribeStacks`
+ `cloudformation:ListStackResources`
+ `tag:GetResources`
+ `tag:TagResources`
+ `tag:UntagResources`
+ `tag:getTagKeys`
+ `tag:getTagValues`
+ `resource-explorer:*`

**Note**  
The `resource-groups:SearchResources` permission allows Tag Editor to list resources when you filter your search using tag keys or values.   
The `resource-explorer:ListResources` permission allows Tag Editor to list resources when you search resources without defining search tags. 

To use Resource Groups and Tag Editor in the console, you also need permission to run the `resource-groups:ListGroupResources` action. This permission is necessary for listing available resource types in the current Region. Using policy conditions with `resource-groups:ListGroupResources` is not currently supported.

# Granting permissions for using AWS Resource Groups and Tag Editor
<a name="gettingstarted-prereqs-permissions-howto"></a>

To add a policy for using AWS Resource Groups and Tag Editor to a user, do the following.

1. Open the [IAM console](https://console.aws.amazon.com/iam).

1. In the navigation pane, choose **Users**.

1. Find the user to whom you want to grant AWS Resource Groups and Tag Editor permissions. Choose the user's name to open the user properties page.

1. Choose **Add permissions**.

1. Choose **Attach existing policies directly**.

1. Choose **Create policy**.

1. On the **JSON** tab, paste the following policy statement.



   ```
   {
     "Version":"2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "resource-groups:*",
           "cloudformation:DescribeStacks",
           "cloudformation:ListStackResources",
           "tag:GetResources",
           "tag:TagResources",
           "tag:UntagResources",
           "tag:getTagKeys",
           "tag:getTagValues",
           "resource-explorer:*"
         ],
         "Resource": "*"
       }
     ]
   }
   ```

**Note**  
This example policy statement grants permissions only for AWS Resource Groups and Tag Editor actions. It does not allow access to AWS Systems Manager tasks in the AWS Resource Groups console. For example, this policy does not grant permissions for you to use Systems Manager Automation commands. To perform Systems Manager tasks on resource groups, you must have Systems Manager permissions attached to your policy (such as `ssm:*`). For more information about granting access to Systems Manager, see [Configuring access to Systems Manager](https://docs.aws.amazon.com//systems-manager/latest/userguide/systems-manager-access.html) in the *AWS Systems Manager User Guide*.

1. Choose **Review policy**.

1. Give the new policy a name (for example, `AWSResourceGroupsQueryAPIAccess`) and a description.

1. Choose **Create policy**.

1. Now that the policy is saved in IAM, you can attach it to other users. For more information about how to add a policy to a user, see [Adding permissions by attaching policies directly to the user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#by-direct-attach-policy) in the *IAM User Guide*.

# Learn more about AWS Resource Groups authorization and access control
<a name="rg-auth-access"></a>

Resource Groups supports the following.
+ **Action-based policies.** For example, you can create a policy that allows users to perform [ListGroups](https://docs.aws.amazon.com//ARG/latest/APIReference/API_ListGroups.html) operations, but no others.
+ **Resource-level permissions.** Resource Groups supports using [ARNs](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) to specify individual resources in the policy.
+ **Authorization based on tags.** Resource Groups supports using resource tags in the condition of a policy. For example, you can create a policy that allows Resource Groups users full access to a group that you have tagged.
+ **Temporary credentials.** Users can assume a role with a policy that allows AWS Resource Groups operations.

Resource Groups doesn't support resource-based policies.
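The allow-list and deny-list statements in [Required permissions for Resource Groups and Tag Editor](#gettingstarted-prereqs-permissions-te), the console policy and its Systems Manager caveat in [Granting permissions for using AWS Resource Groups and Tag Editor](#gettingstarted-prereqs-permissions-howto), and the tag-based authorization described above, worked through in one added example. This is not AWS code and does not call IAM; it is a small model of the evaluation rules those passages rely on (implicit deny, explicit `Allow`, an explicit `Deny` that overrides any `Allow`, `*`/`?` wildcards in `Action` and `Resource`, and a `StringEquals` condition on `aws:ResourceTag/<key>`). The account ID and group ARNs, the `READ_ONLY_STANDIN` policy (a stand-in for the far larger `ReadOnlyAccess` managed policy), the hypothetical `TEAM_SCOPED` policy and the `CONSOLE_ACTIONS` list are constructed for the example.

```python
"""Model how IAM evaluates identity policies for Resource Groups requests.

Added example; not AWS code. Covers only: implicit deny, explicit Allow, an
explicit Deny overriding any Allow, wildcards in Action/Resource, and
StringEquals on aws:ResourceTag/<key>. NotAction, policy variables,
permission boundaries and SCPs are deliberately out of scope.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"                                  # constructed account ID
GROUP_ARN = f"arn:aws:resource-groups:us-east-1:{ACCOUNT}:group/alpha-web"
FOREIGN_GROUP_ARN = "arn:aws:resource-groups:us-east-1:999999999999:group/alpha-web"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names compare case-insensitively (tag:getTagKeys == tag:GetTagKeys).
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource_arn):
    # ARNs compare case-sensitively; '*' and '?' are the only wildcards.
    return any(fnmatchcase(resource_arn, p) for p in _as_list(patterns))


def _condition_holds(condition, resource_tags):
    """Only StringEquals on aws:ResourceTag/<key> is modelled; anything else
    fails loudly instead of being silently treated as satisfied."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator!r} not modelled")
        for key, wanted in pairs.items():
            if not key.startswith("aws:ResourceTag/"):
                raise NotImplementedError(f"condition key {key!r} not modelled")
            if resource_tags.get(key[len("aws:ResourceTag/"):]) not in _as_list(wanted):
                return False
    return True


def evaluate(policies, action, resource_arn, resource_tags=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"                             # nothing is allowed by default
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_action_matches(stmt["Action"], action)
                    and _resource_matches(stmt["Resource"], resource_arn)
                    and _condition_holds(stmt.get("Condition"), resource_tags or {})):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"                     # a matching Deny always wins
            decision = "Allow"
    return decision


def missing_actions(policies, required):
    """Actions in `required` that no Allow statement names (Resource ignored)."""
    allowed = [s["Action"] for p in policies for s in p["Statement"] if s["Effect"] == "Allow"]
    return [a for a in required if not any(_action_matches(pat, a) for pat in allowed)]


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# Allow-list example from the text: all Resource Groups actions, only on this account's groups.
ALLOW_LIST = _policy({"Effect": "Allow", "Action": ["resource-groups:*"],
                      "Resource": f"arn:aws:resource-groups:*:{ACCOUNT}:group/*"})
# Deny-list example from the text. Alone it grants nothing; it only bites next to a broad Allow.
DENY_LIST = _policy({"Effect": "Deny", "Action": ["resource-groups:*"],
                     "Resource": f"arn:aws:resource-groups:*:{ACCOUNT}:group/*"})
# Constructed stand-in for the managed ReadOnlyAccess policy, which lists far more actions.
READ_ONLY_STANDIN = _policy({"Effect": "Allow", "Resource": "*", "Action": [
    "resource-groups:Get*", "resource-groups:List*", "ec2:Describe*", "tag:GetResources"]})
# The policy from the "Granting permissions" procedure.
CONSOLE_POLICY = _policy({"Effect": "Allow", "Resource": "*", "Action": [
    "resource-groups:*", "cloudformation:DescribeStacks", "cloudformation:ListStackResources",
    "tag:GetResources", "tag:TagResources", "tag:UntagResources", "tag:getTagKeys",
    "tag:getTagValues", "resource-explorer:*"]})
# Hypothetical tag-scoped policy: full Resource Groups access, but only to groups tagged Team=platform.
TEAM_SCOPED = _policy({"Effect": "Allow", "Action": "resource-groups:*", "Resource": "*",
                       "Condition": {"StringEquals": {"aws:ResourceTag/Team": "platform"}}})
# Concrete actions the console path in the text depends on (constructed checklist).
CONSOLE_ACTIONS = ["resource-groups:ListGroupResources", "resource-groups:SearchResources",
                   "resource-explorer:ListResources", "cloudformation:DescribeStacks",
                   "tag:GetResources", "tag:GetTagKeys", "tag:TagResources"]

if __name__ == "__main__":
    print(evaluate([ALLOW_LIST], "resource-groups:GetGroup", GROUP_ARN))              # Allow
    print(evaluate([ALLOW_LIST], "resource-groups:GetGroup", FOREIGN_GROUP_ARN))      # ImplicitDeny
    print(evaluate([READ_ONLY_STANDIN, DENY_LIST], "resource-groups:GetGroup", GROUP_ARN))  # ExplicitDeny
    print(missing_actions([CONSOLE_POLICY], CONSOLE_ACTIONS + ["ssm:StartAutomationExecution"]))
```

Two details the model makes visible: a `Deny` whose `Resource` is a group ARN pattern does not touch actions that IAM evaluates against `*`, such as `resource-groups:ListGroups`, so a deny list scoped to ARNs blocks less than it may appear to; and `missing_actions` reports `ssm:StartAutomationExecution` as uncovered by the console policy, which is exactly the gap the Note in the procedure describes.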

For more information about how Resource Groups and Tag Editor integrate with AWS Identity and Access Management (IAM), see the following topics in the *AWS Identity and Access Management User Guide*.
+ [AWS services that work with IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html#management_svcs)
+ [Actions, resources, and condition keys for AWS Resource Groups](https://docs.aws.amazon.com//IAM/latest/UserGuide/list_awsresourcegroups.html)
+ [Controlling access using policies](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_controlling.html)

# AWS services that work with AWS Resource Groups
<a name="integrated-services-list"></a>

You can use the following AWS services with AWS Resource Groups. 



| AWS service | Using with Resource Groups  | 
| --- | --- | 
|  [AWS CloudFormation](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/) – Create resource groups in CloudFormation by using a stack template.  |  Provision and organize AWS resources at the same time. Organize resources by tags. Organize resources from another stack. Gather insights on your AWS resources in resource groups using Amazon CloudWatch or take operational actions using AWS Systems Manager. For more information, see [ResourceGroups resource type reference](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/AWS_ResourceGroups.html) in the *AWS CloudFormation User Guide*.  | 
|  [CloudTrail](https://docs.aws.amazon.com//awscloudtrail/latest/userguide/) – Capture all resource group actions using AWS CloudTrail.  |  Capture information about actions performed on your resource groups including details like who performed the action (IAM principal, such as a role, user, or an AWS service), when the action was performed, where the action occurred (the source IP address) and more. These records can then be used for analysis or to trigger follow-up actions. For more information, see [Viewing events with CloudTrail Event history](https://docs.aws.amazon.com//awscloudtrail/latest/userguide/view-cloudtrail-events.html).  | 
|  [Amazon CloudWatch](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) – Enable real-time monitoring of your AWS resources and the applications you run on AWS.  |  Focus your view to display metrics and alarms from a single resource group. For more information, see [Focus on metrics and alarms in a resource group](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/CloudWatch_Automatic_Dashboards_Resource_Group.html) in the *Amazon CloudWatch User Guide.*  | 
|  [Amazon CloudWatch application insights](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/appinsights-what-is.html) – Detect common problems with your .NET and SQL Server-based applications.  |  Monitor your .NET and SQL Server application resources that belong to a resource group. For more information, see [Supported application components](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/appinsights-what-is.html#appinsights-components) in the *Amazon CloudWatch User Guide*.  | 
|  [Amazon DynamoDB table groups](https://docs.aws.amazon.com//amazondynamodb/latest/developerguide/Introduction.html) – Organize your DynamoDB tables into logical groupings so you can more easily manage your resources.   |  Create, edit, and delete groups of DynamoDB tables from the DynamoDB **Action** menu.  For more information, see the [Amazon DynamoDB Developer Guide](https://docs.aws.amazon.com//amazondynamodb/latest/developerguide/Introduction.html).  | 
|  [Amazon EC2 dedicated hosts](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/dedicated-hosts-overview.html) – Use your existing per-socket, per-core, or per-VM software licenses, including Windows Server, Microsoft SQL Server, and SUSE Linux Enterprise Server.  |  Launch Amazon EC2 instances into host resource groups to help maximize your utilization of Dedicated Hosts. For more information, see [Working with dedicated hosts](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/how-dedicated-hosts-work.html) in the *Amazon EC2 User Guide.*  | 
| [Amazon EC2 capacity reservations](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/ec2-capacity-reservations.html) – Reserve capacity for your Amazon EC2 instances to be used when you need it. You can specify attributes for the capacity reservation so that it only works with Amazon EC2 instances that launch with matching attributes. |  Launch your Amazon EC2 instances into resource groups that contain one or more capacity reservations. If the group doesn't have a capacity reservation with matching attributes and available capacity for a requested instance, the instance runs as an on-demand instance. If you later add a matching capacity reservation to the targeted group, the instance is automatically matched with and moved into the reserved capacity. For more information, see [Work with Capacity Reservation groups](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/capacity-reservations-using.html#create-cr-group) in the *Amazon EC2 User Guide.*  | 
|  [AWS License Manager](https://docs.aws.amazon.com//license-manager/latest/userguide/license-manager.html) – Streamline the process of bringing software vendor licenses to the cloud.  |  Configure a host resource group to enable License Manager to manage your Dedicated Hosts.  For more information, see [Host Resource Groups in License Manager](https://docs.aws.amazon.com//license-manager/latest/userguide/host-resource-groups.html) in the *License Manager User Guide.*  | 
|  [AWS Resilience Hub](https://docs.aws.amazon.com//resilience-hub/latest/userguide/) – Prepare and protect your applications from disruptions.  |  Discover your applications that are defined using Resource Groups. For more information, see [Measure and Improve Your Application Resilience with AWS Resilience Hub](https://aws.amazon.com/blogs/aws/monitor-and-improve-your-application-resiliency-with-resilience-hub/) in the *AWS News Blog*.  | 
|  [AWS Resource Access Manager](https://docs.aws.amazon.com//ram/latest/userguide/) – Share specified AWS resources that you own with other accounts.  |  Share host resource groups using AWS RAM. For more information, see [Shareable resources](https://docs.aws.amazon.com//ram/latest/userguide/shareable.html#shareable-arg) in the *AWS RAM User Guide.*  | 
|  [AWS Service Catalog AppRegistry](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/appregistry.html) – Define and manage your applications and their metadata.  |  When you create an application in AppRegistry, that service automatically creates a resource group for that application. The application resource group is a collection of all of the resources in your application. The service also creates a CloudFormation stack-based resource group for every stack associated with the application. For more information, see [Using AppRegistry](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/appregistry.html) in the *AWS Service Catalog Administrator Guide*.  | 
|  [AWS Systems Manager](https://docs.aws.amazon.com//systems-manager/latest/userguide/what-is-systems-manager.html) – Enable visibility and control of your AWS resources.  |  Gather operational insights and take bulk actions on your applications that are based on resource groups. In the AWS Systems Manager console, the Application Manager **Custom applications** page automatically imports and displays operations data for applications that are based on resource groups. You can use the information in Application Manager to help you determine which resources in an application are compliant and working correctly and which resources require action. For more information, see [Working with applications in Application Manager](https://docs.aws.amazon.com//systems-manager/latest/userguide/application-manager-working-applications.html) in the *AWS Systems Manager User Guide*.  | 
|  [Amazon VPC Network Access Analyzer](https://docs.aws.amazon.com/vpc/latest/network-access-analyzer/) – Identify unwanted network access to your resources on AWS.  |  You can specify the sources and destinations for your network access requirements by using AWS Resource Groups. This lets you govern network access across your AWS environment, independent of how you configure your network. For more information, see [Use Resource Groups with Network Access Scopes](https://docs.aws.amazon.com/vpc/latest/network-access-analyzer/working-with-network-access-scopes.html) in the *Amazon Virtual Private Cloud User Guide*.  | 

# Service configurations for resource groups
<a name="about-slg"></a>

Resource groups enable you to manage collections of your AWS resources as a unit. Some AWS services support this by performing requested operations on all members of the group. Such services can store the settings to be applied to group members as a *configuration* in the form of a [JSON](https://www.json.org/) data structure that is attached to the group.

This topic describes the available configuration settings for supported AWS services.

**Topics**
+ [How to access the service configuration attached to a resource group](#about-slg-how-to-access)
+ [JSON syntax of a service configuration](#about-slg-config-syntax)
+ [Supported configuration types and parameters](about-slg-types.md)

## How to access the service configuration attached to a resource group
<a name="about-slg-how-to-access"></a>

Services that support service-linked groups typically set the configuration for you when you use the tools provided by that service, such as that service's management console or its AWS CLI and AWS SDK operations. Some services fully manage their service-linked groups and you can't modify them in any way except as allowed by the console or commands provided by the owning AWS service. However, in some cases, you can interact with the service configuration by using the following API operations in the AWS SDKs or their AWS CLI equivalents:
+ You can attach your own configuration to a group when you create the group by using the [CreateGroup](https://docs.aws.amazon.com//ARG/latest/APIReference/API_CreateGroup.html) operation.
+ You can modify the current configuration attached to a group by using the [PutGroupConfiguration](https://docs.aws.amazon.com//ARG/latest/APIReference/API_PutGroupConfiguration.html) operation.
+ You can view the current configuration of a resource group by calling the [GetGroupConfiguration](https://docs.aws.amazon.com//ARG/latest/APIReference/API_GetGroupConfiguration.html) operation.

## JSON syntax of a service configuration
<a name="about-slg-config-syntax"></a>

A resource group can contain a *configuration* that defines service-specific settings that apply to the resources that are members of that group.

A configuration is expressed as a [JSON](https://www.json.org/) object. At the top-most level, a configuration is an array of [group configuration items](https://docs.aws.amazon.com//ARG/latest/APIReference/API_GroupConfigurationItem.html). Each group configuration item contains two elements: a `Type` for the configuration and a set of `Parameters` defined by that type. Each parameter contains a `Name` and an array of one or more `Values`. The following example with *placeholders* shows the basic syntax for a configuration for a single sample resource type. This example shows a type with two parameters, and each parameter with two values. The actual valid types, parameters, and values are discussed in the next section.

```
[
  {
    "Type": "configuration-type",
    "Parameters": [
      {
        "Name": "parameter1-name",
        "Values": [
          "value1",
          "value2"
        ]
      },
      {
        "Name": "parameter2-name",
        "Values": [
          "value3",
          "value4"
        ]
      }
    ]
  }
]
```

# Supported configuration types and parameters
<a name="about-slg-types"></a>

Resource Groups supports using the following configuration types. Each configuration type has a set of parameters that are valid for that type.

**Topics**
+ [`AWS::ResourceGroups::Generic`](#about-slg-types-generic)
+ [`AWS::AppRegistry::Application`](#about-slg-types-appregistry)
+ [`AWS::CloudFormation::Stack`](#about-slg-types-cloudformation)
+ [`AWS::EC2::CapacityReservationPool`](#about-slg-types-ec2-capacityreservation)
+ [`AWS::EC2::HostManagement`](#about-slg-types-resourcegroups-ec2-hostmanagement)
+ [`AWS::NetworkFirewall::RuleGroup`](#about-slg-types-network-firewall-rulegroup)

## `AWS::ResourceGroups::Generic`
<a name="about-slg-types-generic"></a>

This configuration type specifies settings that enforce membership requirements on the resource group, rather than configuring the behavior of a specific resource type for an AWS service. This configuration type is automatically added by those service-linked groups that need it, such as the `AWS::EC2::CapacityReservationPool` and `AWS::EC2::HostManagement` types.

The following `Parameters` are valid for the `AWS::ResourceGroups::Generic` service-linked group `Type`.
+ **`allowed-resource-types`**

  This parameter specifies that the resource group can consist of resources of only the specified type or types.

  **Data type of values:** String

  **Permitted values:**
  + `AWS::EC2::Host` – A `Configuration` with this parameter and value is required when the service configuration also contains a `Configuration` of type `AWS::EC2::HostManagement`. This ensures that the `HostManagement` group can contain only Amazon EC2 dedicated hosts.
  + `AWS::EC2::CapacityReservation` – A `Configuration` with this parameter and value is required when the service configuration also contains a `Configuration` item of type `AWS::EC2::CapacityReservationPool`. This ensures that a `CapacityReservationPool` group can contain only Amazon EC2 capacity reservations.

  **Required:** Conditional, based on other `Configuration` elements that are attached to the resource group. See the previous entry for **Permitted values**.

  The following example restricts group members to Amazon EC2 Dedicated Hosts.

  ```
  [
    {
      "Type": "AWS::ResourceGroups::Generic",
      "Parameters": [
        {
          "Name": "allowed-resource-types",
          "Values": [
            "AWS::EC2::Host"
          ]
        }
      ]
    }
  ]
  ```
+ **`deletion-protection`**

  This parameter specifies that the resource group can't be deleted unless it contains no members. For more information, see [Delete a host resource group](https://docs.aws.amazon.com//license-manager/latest/userguide/host-resource-groups.html#host-resource-group-delete) in the *License Manager User Guide*.

  **Data type of values:** Array of string

  **Permitted values:** The only permitted value is `[ "UNLESS_EMPTY" ]` (the value must be upper case).

  **Required:** Conditional, based on other `Configuration` elements that are attached to the resource group. This parameter is required only when the resource group also has another `Configuration` element with the `Type` of `AWS::EC2::HostManagement`.

  The following example enables deletion protection for the group, so the group can be deleted only when it has no members.

  ```
  [
    {
      "Type": "AWS::ResourceGroups::Generic",
      "Parameters": [
        {
          "Name": "deletion-protection",
          "Values": [
            "UNLESS_EMPTY"
          ]
        }
      ]
    }
  ]
  ```

## `AWS::AppRegistry::Application`
<a name="about-slg-types-appregistry"></a>

This `Configuration` type specifies that the resource group represents an application created by AWS Service Catalog AppRegistry.

Resource groups of this type are fully managed by the AppRegistry service and can't be created, updated, or deleted except by using the tools provided by AppRegistry.

**Note**  
Because resource groups of this type are automatically created and maintained by AWS and not managed by the user, these resource groups do not count against your quota limit for the [maximum number of resource groups that you can create in your AWS account](https://console.aws.amazon.com/servicequotas/home/services/resource-groups/quotas).

For more information, see [Using AppRegistry](https://docs.aws.amazon.com//servicecatalog/latest/adminguide/appregistry.html) in the *Service Catalog User Guide*.

When AppRegistry creates a service-linked resource group of this type, it also automatically creates a separate, additional [CloudFormation service-linked group](#about-slg-types-cloudformation) for each AWS CloudFormation stack associated with the application.

AppRegistry automatically names the service-linked groups of this type that it creates with the prefix `AWS_AppRegistry_Application-` followed by the name of the application: `AWS_AppRegistry_Application-MyAppName`.

The following parameters are supported for the `AWS::AppRegistry::Application` service-linked group type.
+ **`Name`**

  This parameter specifies the friendly name of the application that was assigned by the user when it was created in AppRegistry.

  **Data type of values:** String

  **Permitted values:** any text string permitted by the AppRegistry service for an application name.

  **Required:** Yes
+ **`Arn`**

  This parameter specifies the [Amazon Resource Name (ARN)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) path of the application assigned by AppRegistry.

  **Data type of values:** String

  **Permitted values:** a valid ARN.

  **Required:** Yes

**Note**  
To change any of these elements, you must modify the application using the AppRegistry console or that service's AWS SDK and AWS CLI operations.

This application resource group automatically includes as group members the [resource groups created for the CloudFormation stacks](#about-slg-types-cloudformation) that are associated with the AppRegistry application. You can use the [ListGroupResources](https://docs.aws.amazon.com//ARG/latest/APIReference/API_ListGroupResources.html) operation to see those child groups.

The following example shows what the configuration section of an `AWS::AppRegistry::Application` service-linked group looks like.

```
[
  {
    "Type": "AWS::AppRegistry::Application",
    "Parameters": [
      {
        "Name": "Name",
        "Values": [
          "MyApplication"
        ]
      },
      {
        "Name": "Arn",
        "Values": [
          "arn:aws:servicecatalog:us-east-1:123456789012:/applications/<application-id>"
        ]
      }
    ]
  }
]
```

## `AWS::CloudFormation::Stack`
<a name="about-slg-types-cloudformation"></a>

This `Configuration` type specifies that the group represents an AWS CloudFormation stack and its members are the AWS resources created by that stack.

Resource groups of this type are automatically created for you when you associate a CloudFormation stack with the AppRegistry service. You can't create, update, or delete these groups except by using the tools provided by AppRegistry.

AppRegistry automatically names the service-linked groups of this type that it creates with the prefix `AWS_CloudFormation_Stack-` followed by the name of the stack: `AWS_CloudFormation_Stack-MyStackName`.

**Note**  
Because resource groups of this type are automatically created and maintained by AWS and not managed by the user, these resource groups do not count against your quota limit for the [maximum number of resource groups that you can create in your AWS account](https://console.aws.amazon.com/servicequotas/home/services/resource-groups/quotas).

For more information, see [Using AppRegistry](https://docs.aws.amazon.com//servicecatalog/latest/adminguide/AppRegistry.html) in the *Service Catalog User Guide*.

AppRegistry automatically creates a service-linked resource group of this type for every CloudFormation stack that you associate with the AppRegistry application. These resource groups become child members of the parent [resource group for the AppRegistry application](#about-slg-types-appregistry).

The members of this CloudFormation resource group are the AWS resources created as part of the stack.

The following parameters are supported for the `AWS::CloudFormation::Stack` service-linked group type.
+ **`Name`**

  This parameter specifies the friendly name of the CloudFormation stack assigned by the user when the stack was created.

  **Data type of values:** String

  **Permitted values:** any text string permitted by the CloudFormation service for a stack name.

  **Required:** Yes
+ **`Arn`**

  This parameter specifies the [Amazon Resource Name (ARN)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) path of the CloudFormation stack attached to the application in AppRegistry.

  **Data type of values:** String

  **Permitted values:** a valid ARN.

  **Required:** Yes

**Note**  
To change any of these elements, you must modify the application using the AppRegistry console or equivalent AWS SDK and AWS CLI operations.

The following example shows what the configuration section of an `AWS::CloudFormation::Stack` service-linked group looks like.

```
[
  {
    "Type": "AWS::CloudFormation::Stack",
    "Parameters": [
      {
        "Name": "Name",
        "Values": [
          "MyStack"
        ]
      },
      {
        "Name": "Arn",
        "Values": [
          "arn:aws:cloudformation:us-east-1:123456789012:stack/MyStack/<stack-id>"
        ]
      }
    ]
  }
]
```

## `AWS::EC2::CapacityReservationPool`
<a name="about-slg-types-ec2-capacityreservation"></a>

This `Configuration` type specifies that the resource group represents a common pool of capacity provided by the group's members. The members of this resource group are required to be Amazon EC2 capacity reservations. A resource group can include both capacity reservations that you own in your account and capacity reservations that are shared with you from other accounts by using AWS Resource Access Manager. This lets you launch an Amazon EC2 instance using this resource group as the value for the capacity reservation parameter. When you do this, the instance uses the available reserved capacity in the group. 

If the resource group has no available capacity, the instance launches as a standalone On-Demand Instance outside the pool, unless you configure the resource group to use Amazon EC2 UltraServer Capacity Blocks. For more information, see [Working with Capacity Reservation groups](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/create-cr-group.html) in the *Amazon EC2 User Guide*.

If you configure a service-linked resource group with a `Configuration` item of this type, then you must also specify separate `Configuration` items with the following values:
+ An `AWS::ResourceGroups::Generic` type with one parameter:
  + The parameter `allowed-resource-types` and a single value of `AWS::EC2::CapacityReservation`. This ensures that only Amazon EC2 capacity reservations can be members of the resource group.
+ An `AWS::EC2::CapacityReservationPool` type with two parameters:
  + `reservation-type` – Required only when you configure a Capacity Reservation Group for Amazon EC2 UltraServer Capacity Blocks. The only allowed value in this field is `capacity-block`.
  + `instance-type` – Required only when you configure a Capacity Reservation Group for Amazon EC2 UltraServer Capacity Blocks. The allowed values in this field are `trn2u.48xlarge` and `p6e-gb200.36xlarge`.

The following example shows the `Configuration` section of an On-Demand Capacity Reservation:

```
{
  "Configuration": [
    {
      "Type": "AWS::EC2::CapacityReservationPool",
      "Parameters": []
    },
    {
      "Type": "AWS::ResourceGroups::Generic",
      "Parameters": [
        {
          "Name": "allowed-resource-types",
          "Values": [
            "AWS::EC2::CapacityReservation"
          ]
        }
      ]
    }
  ]
}
```

The following example shows the `Configuration` section supporting Amazon EC2 UltraServer Capacity Blocks:

```
{
  "Configuration": [
    {
      "Type": "AWS::EC2::CapacityReservationPool",
      "Parameters": [
        {
          "Name": "instance-type",
          "Values": [
            "trn2u.48xlarge"
          ]
        },
        {
          "Name": "reservation-type",
          "Values": [
            "capacity-block"
          ]
        }
      ]
    },
    {
      "Type": "AWS::ResourceGroups::Generic",
      "Parameters": [
        {
          "Name": "allowed-resource-types",
          "Values": [
            "AWS::EC2::CapacityReservation"
          ]
        }
      ]
    }
  ]
}
```

After adding `instance-type` and `reservation-type` to a resource group configuration when you use Amazon EC2 UltraServer Capacity Blocks, the following behaviors apply to that resource group:
+ You can add additional capacity reservations to this resource group, but they must also have `reservation-type` set to `capacity-block` and `instance-type` set to `trn2u.48xlarge` or `p6e-gb200.36xlarge`. 
+ Currently, the only allowable value for `reservation-type` is `capacity-block`, and the only allowable values for `instance-type` are `trn2u.48xlarge` and `p6e-gb200.36xlarge`. 
+ You can't add Amazon EC2 Capacity Blocks for ML into a resource group that does not include the `reservation-type` and `instance-type` configurations. 
+ Adding the `reservation-type` and `capacity-block` configuration parameters does not change the process of adding or removing group reservations. 
+ If you remove the capacity reservation from the group, or delete the group, the reservations inside the group remain in use until the instances are terminated. 
+ Currently, resource groups with the `reservation-type` and `instance-type` configuration parameters can't be updated after initial setup. To change or remove the configuration, you must delete the group and then create a new group with new configurations. 
+ You can't launch an instance into an empty group or modify an instance to target an empty group. 

## `AWS::EC2::HostManagement`
<a name="about-slg-types-resourcegroups-ec2-hostmanagement"></a>

This `Configuration` type specifies settings for Amazon EC2 host management and AWS License Manager that are enforced for the group's members. For more information, see [Host resource groups in AWS License Manager](https://docs.aws.amazon.com//license-manager/latest/userguide/host-resource-groups.html).

If you configure a service-linked resource group with a `Configuration` item of this type, then you must also specify separate `Configuration` items with the following values:
+ An `AWS::ResourceGroups::Generic` type, with a parameter of `allowed-resource-types` and a single value of `AWS::EC2::Host`. This ensures that only Amazon EC2 dedicated hosts can be members of the group. 
+ An `AWS::ResourceGroups::Generic` type, with a parameter of `deletion-protection` and a single value of `UNLESS_EMPTY`. This ensures that the group can't be deleted unless the group is empty.

The following parameters are supported for the `AWS::EC2::HostManagement` service-linked group type.
+ **`auto-allocate-host`**

  This parameter specifies whether instances are launched onto a specific dedicated host, or onto any available host that has a matching configuration. For more information, see [Understanding auto-placement and affinity](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/how-dedicated-hosts-work.html#dedicated-hosts-understanding) in the *Amazon EC2 User Guide*.

  **Data type of values:** Boolean

  **Permitted values:** "true" or "false" (must be lower case).

  **Required:** No

  ```
  [
    {
      "Type": "AWS::EC2::HostManagement",
      "Parameters": [
        {
          "Name": "auto-allocate-host",
          "Values": [
            "true"
          ]
        },
        {
          "Name": "any-host-based-license-configuration",
          "Values": [
            "true"
          ]
        }
      ]
    },
    {
      "Type": "AWS::ResourceGroups::Generic",
      "Parameters": [
        {
          "Name": "allowed-resource-types",
          "Values": [
            "AWS::EC2::Host"
          ]
        },
        {
          "Name": "deletion-protection",
          "Values": [
            "UNLESS_EMPTY"
          ]
        }
      ]
    }
  ]
  ```
+ **`auto-release-host`**

  This parameter specifies whether a dedicated host in the group is automatically released after its last running instance is terminated. For more information, see [Releasing Dedicated Hosts](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/how-dedicated-hosts-work.html#dedicated-hosts-releasing) in the *Amazon EC2 User Guide*.

  **Data type of values:** Boolean

  **Permitted values:** "true" or "false" (must be lower case).

  **Required:** No

  ```
  [
    {
      "Type": "AWS::EC2::HostManagement",
      "Parameters": [
        {
          "Name": "auto-release-host",
          "Values": [
            "false"
          ]
        },
        {
          "Name": "any-host-based-license-configuration",
          "Values": [
            "true"
          ]
        }
      ]
    },
    {
      "Type": "AWS::ResourceGroups::Generic",
      "Parameters": [
        {
          "Name": "allowed-resource-types",
          "Values": [
            "AWS::EC2::Host"
          ]
        },
        {
          "Name": "deletion-protection",
          "Values": [
            "UNLESS_EMPTY"
          ]
        }
      ]
    }
  ]
  ```
+ **`allowed-host-families`**

  This parameter specifies which instance type families can be used by instances that are members of this group.

  **Data type of values:** An array of String. 

  **Permitted values:** Each must be a valid [Amazon EC2 instance type family identifier](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/instance-types.html#AvailableInstanceTypes), such as `C4`, `M5`, `P3dn`, or `R5d`.

  **Required:** No

  The following example configuration item specifies that launched instances can be members only of the C5 or M5 instance type families.

  ```
  [
    {
      "Type": "AWS::EC2::HostManagement",
      "Parameters": [
        {
          "Name": "allowed-host-families",
          "Values": [
            "c5",
            "m5"
          ]
        },
        {
          "Name": "any-host-based-license-configuration",
          "Values": [
            "true"
          ]
        }
      ]
    },
    {
      "Type": "AWS::ResourceGroups::Generic",
      "Parameters": [
        {
          "Name": "allowed-resource-types",
          "Values": [
            "AWS::EC2::Host"
          ]
        },
        {
          "Name": "deletion-protection",
          "Values": [
            "UNLESS_EMPTY"
          ]
        }
      ]
    }
  ]
  ```
+ **`allowed-host-based-license-configurations`**

  This parameter specifies the [Amazon Resource Name (ARN)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) paths of one or more core/socket based license configurations that you want applied to members of the group.

  **Data type of values:** An array of ARNs. 

  **Permitted values:** Each must be a valid [License Manager configuration ARN](https://docs.aws.amazon.com//service-authorization/latest/reference/about-service-linked-groups.xmllist_awslicensemanager.html#awslicensemanager-resources-for-iam-policies).

  **Required:** Conditional. You must specify either this parameter or `any-host-based-license-configuration`, but not both. They are mutually exclusive.

  The following example configuration item specifies that group members can use the two specified License Manager configurations.

  ```
  [
    {
      "Type": "AWS::EC2::HostManagement",
      "Parameters": [
        {
          "Name": "allowed-host-based-license-configurations",
          "Values": [
            "arn:aws:license-manager:us-west-2:123456789012:license-configuration:lic-6eb6586f508a786a2ba41EXAMPLE1111",
            "arn:aws:license-manager:us-west-2:123456789012:license-configuration:lic-8a786a26f50ba416eb658EXAMPLE2222"
          ]
        }
      ]
    },
    {
      "Type": "AWS::ResourceGroups::Generic",
      "Parameters": [
        {
          "Name": "allowed-resource-types",
          "Values": [
            "AWS::EC2::Host"
          ]
        },
        {
          "Name": "deletion-protection",
          "Values": [
            "UNLESS_EMPTY"
          ]
        }
      ]
    }
  ]
  ```
+ **`any-host-based-license-configuration`**

  This parameter specifies that you do not want to associate a specific license configuration with your group. In this case, all core/socket based license configurations are available to the members of your host resource group. Use this setting if you have an unlimited number of licenses and want to optimize for host utilization.

  **Data type of values:** Boolean

  **Permitted values:** "true" or "false" (must be lower case).

  **Required:** Conditional. You must specify either this parameter or `allowed-host-based-license-configurations`, but not both. They are mutually exclusive.

  The following example configuration item specifies that group members can use any core/socket based license configuration.

  ```
  [
    {
      "Type": "AWS::EC2::HostManagement",
      "Parameters": [
        {
          "Name": "any-host-based-license-configuration",
          "Values": [
            "true"
          ]
        }
      ]
    },
    {
      "Type": "AWS::ResourceGroups::Generic",
      "Parameters": [
        {
          "Name": "allowed-resource-types",
          "Values": [
            "AWS::EC2::Host"
          ]
        },
        {
          "Name": "deletion-protection",
          "Values": [
            "UNLESS_EMPTY"
          ]
        }
      ]
    }
  ]
  ```

The following example illustrates how to include all of the host management settings together in a single configuration.

```
[
  {
    "Type": "AWS::EC2::HostManagement",
    "Parameters": [
      {
        "Name": "auto-allocate-host",
        "Values": [
          "true"
        ]
      },
      {
        "Name": "auto-release-host",
        "Values": [
          "false"
        ]
      },
      {
        "Name": "allowed-host-families",
        "Values": [
          "c5",
          "m5"
        ]
      },
      {
        "Name": "allowed-host-based-license-configurations",
        "Values": [
          "arn:aws:license-manager:us-west-2:123456789012:license-configuration:lic-6eb6586f508a786a2ba41EXAMPLE1111",
          "arn:aws:license-manager:us-west-2:123456789012:license-configuration:lic-8a786a26f50ba416eb658EXAMPLE2222"
        ]
      }
    ]
  },
  {
    "Type": "AWS::ResourceGroups::Generic",
    "Parameters": [
      {
        "Name": "allowed-resource-types",
        "Values": [
          "AWS::EC2::Host"
        ]
      },
      {
        "Name": "deletion-protection",
        "Values": [
          "UNLESS_EMPTY"
        ]
      }
    ]
  }
]
```
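As an added example (not code from the AWS documentation or the Resource Groups service), the following Python module validates a configuration against the structural rules of the JSON syntax section above and the cross-item requirements this page states for the `AWS::ResourceGroups::Generic`, `AWS::EC2::CapacityReservationPool` and `AWS::EC2::HostManagement` types, so an invalid configuration is rejected locally before `CreateGroup` or `PutGroupConfiguration` is called. The function names, error messages and the `HOST_GROUP_CONFIG` sample are constructed for this example.

```python
"""Pre-flight validator for a Resource Groups service configuration.

Added example; not code from the AWS documentation or the Resource Groups
service. It checks the list passed as `Configuration` to CreateGroup or
PutGroupConfiguration against the cross-item rules this page states for the
Generic, CapacityReservationPool and HostManagement types, so a request the
service would reject is caught before it is sent.
"""
import json

GENERIC = "AWS::ResourceGroups::Generic"
HOST_MGMT = "AWS::EC2::HostManagement"
CR_POOL = "AWS::EC2::CapacityReservationPool"
CAPACITY_BLOCK_INSTANCE_TYPES = {"trn2u.48xlarge", "p6e-gb200.36xlarge"}
BOOLEAN_VALUES = (["true"], ["false"])  # lower-case strings, per the page


def _check_shape(config, errors):
    """Structural rules from the 'JSON syntax' section: an array of items,
    each with a string Type and Parameters made of {Name, Values[]}."""
    if not isinstance(config, list):
        errors.append("configuration must be a JSON array of items")
        return False
    ok = True
    for i, item in enumerate(config):
        if not isinstance(item, dict) or not isinstance(item.get("Type"), str):
            errors.append(f"item {i}: missing string Type")
            ok = False
            continue
        for p in item.get("Parameters", []):
            if (not isinstance(p, dict) or not isinstance(p.get("Name"), str)
                    or not isinstance(p.get("Values"), list)):
                errors.append(f"item {i} ({item['Type']}): parameter needs Name and Values[]")
                ok = False
    return ok


def validate_configuration(config):
    """Return a list of error strings; an empty list means every rule passed."""
    errors = []
    if not _check_shape(config, errors):
        return errors
    # {Type: {parameter Name: Values}} for the cross-item checks below.
    by_type = {it["Type"]: {p["Name"]: p["Values"] for p in it.get("Parameters", [])}
               for it in config}
    generic = by_type.get(GENERIC, {})
    allowed = generic.get("allowed-resource-types")

    if HOST_MGMT in by_type:
        hm = by_type[HOST_MGMT]
        # HostManagement requires the Generic item to limit members to Dedicated
        # Hosts and to protect the group from deletion while it has members.
        if allowed != ["AWS::EC2::Host"]:
            errors.append('HostManagement requires Generic allowed-resource-types ["AWS::EC2::Host"]')
        if generic.get("deletion-protection") != ["UNLESS_EMPTY"]:
            errors.append('HostManagement requires Generic deletion-protection ["UNLESS_EMPTY"]')
        # The two license-configuration parameters are mutually exclusive; one is required.
        has_list = "allowed-host-based-license-configurations" in hm
        has_any = "any-host-based-license-configuration" in hm
        if has_list == has_any:
            errors.append("HostManagement needs exactly one of allowed-host-based-license-"
                          "configurations / any-host-based-license-configuration")
        for name in ("auto-allocate-host", "auto-release-host", "any-host-based-license-configuration"):
            if name in hm and hm[name] not in BOOLEAN_VALUES:
                errors.append(f'{name} must be ["true"] or ["false"]')

    if CR_POOL in by_type:
        pool = by_type[CR_POOL]
        # The pool requires the Generic item to limit members to capacity reservations.
        if allowed != ["AWS::EC2::CapacityReservation"]:
            errors.append('CapacityReservationPool requires Generic allowed-resource-types '
                          '["AWS::EC2::CapacityReservation"]')
        # UltraServer Capacity Blocks: the page lists reservation-type and
        # instance-type together, each with a fixed set of permitted values.
        if ("reservation-type" in pool) != ("instance-type" in pool):
            errors.append("reservation-type and instance-type must be specified together")
        if "reservation-type" in pool and pool["reservation-type"] != ["capacity-block"]:
            errors.append('reservation-type must be ["capacity-block"]')
        for it in pool.get("instance-type", []):
            if it not in CAPACITY_BLOCK_INSTANCE_TYPES:
                errors.append(f"instance-type {it!r} is not a permitted Capacity Block instance type")
    return errors


# Constructed sample: a host-management configuration like the combined one above.
HOST_GROUP_CONFIG = json.loads("""[
  {"Type": "AWS::EC2::HostManagement", "Parameters": [
    {"Name": "auto-allocate-host", "Values": ["true"]},
    {"Name": "allowed-host-families", "Values": ["c5", "m5"]},
    {"Name": "any-host-based-license-configuration", "Values": ["true"]}]},
  {"Type": "AWS::ResourceGroups::Generic", "Parameters": [
    {"Name": "allowed-resource-types", "Values": ["AWS::EC2::Host"]},
    {"Name": "deletion-protection", "Values": ["UNLESS_EMPTY"]}]}
]""")
```

`validate_configuration(HOST_GROUP_CONFIG)` returns an empty list; dropping the Generic item or setting both license parameters produces one message per violated rule.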

## `AWS::NetworkFirewall::RuleGroup`
<a name="about-slg-types-network-firewall-rulegroup"></a>

This `Configuration` type specifies settings for AWS Network Firewall rule groups that are enforced for the group's members. Firewall administrators can specify the ARN of a resource group of this type to automatically resolve the IP addresses of the group's members for a firewall rule instead of having to list each address manually. For more information, see [Using tag-based resource groups in AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/resource-groups.html).

You can create resource groups of this configuration type by using the Network Firewall console or by running an AWS CLI command or AWS SDK operation.

Resource groups of this configuration type have the following restrictions:
+ The group's members consist of only resources of types supported by Network Firewall.
+ The group must contain a tag-based query to manage the group's membership; any resources of supported types with tags that match the query are automatically members of the group.
+ There are no `Parameters` supported for this configuration type. 
+ A resource group of this configuration type can't be deleted while any Network Firewall rule group references it.

The following example illustrates the `Configuration` and `ResourceQuery` sections for a group of this type.

```
{
  "Configuration": [
    {
      "Type": "AWS::NetworkFirewall::RuleGroup",
      "Parameters": []
    }
  ],
  "ResourceQuery": {
    "Query": "{\"ResourceTypeFilters\":[\"AWS::EC2::Instance\"],\"TagFilters\":[{\"Key\":\"environment\",\"Values\":[\"production\"]}]}",
    "Type": "TAG_FILTERS_1_0"
  }
}
```

The following example AWS CLI command creates a resource group with the previous configuration and query.

```
$ aws resource-groups create-group \
    --name test-group \
    --resource-query '{"Type": "TAG_FILTERS_1_0", "Query": "{\"ResourceTypeFilters\": [\"AWS::EC2::Instance\"], \"TagFilters\": [{\"Key\": \"environment\", \"Values\": [\"production\"]}]}"}' \
    --configuration '[{"Type": "AWS::NetworkFirewall::RuleGroup", "Parameters": []}]'
{
    "Group":{
        "GroupArn":"arn:aws:resource-groups:us-west-2:123456789012:group/test-group",
        "Name":"test-group",
        "OwnerId":"123456789012"
    },
    "Configuration": [
        {
            "Type": "AWS::NetworkFirewall::RuleGroup",
            "Parameters": []
        }
    ],
    "ResourceQuery": { 
        "Query": "{\"ResourceTypeFilters\":[\"AWS::EC2::Instance\"],\"TagFilters\":[{\"Key\":\"environment\",\"Values\":[\"production\"]}]}",
        "Type": "TAG_FILTERS_1_0"
    }
}
```
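As an added example (not code from the AWS documentation or the Resource Groups service), the following Python builds the same request as the CLI command above with `json.dumps`, so the nested `Query` string is escaped mechanically rather than by hand, and checks the restrictions this page lists for the type before the request is sent. The function names are this example's own.

```python
"""Build and check a CreateGroup request for an AWS::NetworkFirewall::RuleGroup group.

Added example; not code from the AWS documentation or the Resource Groups
service. The awkward part of the CLI command above is that `Query` is a JSON
document serialised into a string inside the outer JSON. Here the inner
document is produced with json.dumps, so no quoting is done by hand, and the
restrictions this page states for the type (no Parameters, a tag-based query)
are checked before the request is sent.
"""
import json
import shlex

RULE_GROUP_TYPE = "AWS::NetworkFirewall::RuleGroup"
TAG_QUERY_TYPE = "TAG_FILTERS_1_0"


def build_tag_query(resource_types, tag_filters):
    """Return a ResourceQuery; tag_filters maps a tag key to its accepted values.

    separators=(",", ":") yields the compact form the service echoes back in
    the CLI output above, so the string can be compared byte for byte."""
    inner = {
        "ResourceTypeFilters": list(resource_types),
        "TagFilters": [{"Key": k, "Values": list(v)} for k, v in tag_filters.items()],
    }
    return {"Type": TAG_QUERY_TYPE, "Query": json.dumps(inner, separators=(",", ":"))}


def build_rule_group_request(name, resource_query):
    """Keyword arguments for boto3 `create_group`; the configuration item of
    this type carries an empty Parameters list, as the page requires."""
    return {
        "Name": name,
        "ResourceQuery": resource_query,
        "Configuration": [{"Type": RULE_GROUP_TYPE, "Parameters": []}],
    }


def check_rule_group_request(request):
    """Return the violations of this page's restrictions for RuleGroup groups;
    an empty list means the request is acceptable."""
    errors = []
    items = [c for c in request.get("Configuration", []) if c.get("Type") == RULE_GROUP_TYPE]
    if not items:
        errors.append("Configuration has no AWS::NetworkFirewall::RuleGroup item")
    if any(c.get("Parameters") for c in items):
        errors.append("AWS::NetworkFirewall::RuleGroup accepts no Parameters")
    rq = request.get("ResourceQuery") or {}
    if rq.get("Type") != TAG_QUERY_TYPE:
        errors.append("a tag-based query (Type TAG_FILTERS_1_0) is required")
        return errors
    try:
        inner = json.loads(rq["Query"])  # the Query value must itself be a JSON document
    except (KeyError, TypeError, ValueError):
        errors.append("ResourceQuery.Query is not a JSON document string")
        return errors
    if not inner.get("TagFilters"):
        errors.append("the query must contain at least one TagFilter")
    return errors


def cli_arguments(request):
    """argv for `aws resource-groups create-group`: each JSON option is serialised
    once more, which is where the backslash-escaped quotes in the command above come from."""
    return ["aws", "resource-groups", "create-group", "--name", request["Name"],
            "--resource-query", json.dumps(request["ResourceQuery"]),
            "--configuration", json.dumps(request["Configuration"])]


if __name__ == "__main__":
    # Constructed input matching the page's example: production EC2 instances.
    query = build_tag_query(["AWS::EC2::Instance"], {"environment": ["production"]})
    request = build_rule_group_request("test-group", query)
    print(check_rule_group_request(request))  # prints []
    print(shlex.join(cli_arguments(request)))  # pastable CLI command
    # With boto3: boto3.client("resource-groups").create_group(**request)
```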