AWS Managed Views
A managed view is how other AWS services can access resource information indexed by Resource Explorer for your AWS account or organization with your consent. Managed views can only be updated or deleted by the service that created the managed view. An AWS service creates a managed view using IAM forward access sessions (FAS) or a service-linked role (SLR).
Resource Explorer uses a resource-based policy to control access to the managed view. When an AWS service creates a managed view, Resource Explorer attaches the resource-based policy to the view. This policy allows the managing AWS service to use and delete the view and allows the view's resource owners to list and retrieve details about the view. The following is an example resource-based policy attached to a managed view:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "view_UUID_ACCESS_TO_SERVICE_PRINCIPAL",
      "Effect": "Allow",
      "Principal": {
        "Service": "sampleservice.amazonaws.com"
      },
      "Action": [
        "resource-explorer-2:GetManagedView",
        "resource-explorer-2:DeleteManagedView",
        "resource-explorer-2:Search"
      ],
      "Resource": "managed_view_ARN",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "owner_accountID"
        }
      }
    },
    {
      "Sid": "view_UUID_DENY_ACCESS_TO_NON_SERVICE_PRINCIPAL",
      "Effect": "Deny",
      "Principal": "*",
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:PrincipalServiceNamesList": [
            "sampleservice.amazonaws.com"
          ]
        }
      },
      "NotAction": [
        "resource-explorer-2:GetManagedView"
      ],
      "Resource": "managed_view_ARN"
    }
  ]
}
Viewing managed views and their details
You can view the managed views you have access to in your currently selected AWS Region and retrieve details about a managed view by running AWS CLI commands or their equivalent API operations in an AWS SDK.
To run these procedures, you must have the following permissions:
- Action: resource-explorer-2:GetManagedView
  Resource: The ARN of the specified view.
- Action: resource-explorer-2:ListManagedViews
  Resource: The ARN of the specified view.
To list your available managed views
Run the following command to list managed views in the specified AWS Region:
aws resource-explorer-2 list-managed-views --region region
The command output is a list of ARNs.
{
  "ManagedViews": [
    "arn:aws:resource-explorer-2:us-east-1:111122223333:managed-view/ManagedViewNameA/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111",
    "arn:aws:resource-explorer-2:us-east-1:444455556666:managed-view/ManagedViewNameB/1a2b3c4d-5d6e-7f8a-9b0c-abcd22222222"
  ]
}
To retrieve details of a managed view
Run the following command to retrieve details about a specified managed view using the view's ARN:
aws resource-explorer-2 get-managed-view \
    --managed-view-arn arn:aws:resource-explorer-2:us-east-1:111122223333:managed-view/ManagedViewNameA/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111
The command output contains details about the specified managed view.
{
  "ManagedView": {
    "ManagedViewArn": "arn:aws:resource-explorer-2:us-east-1:111122223333:managed-view/ManagedViewNameA/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111",
    "ManagedViewName": "ManagedViewNameA",
    "TrustedService": "sampleservice.amazonaws.com",
    "LastUpdatedAt": "2024-01-01T01:01:01.100000+00:00",
    "Owner": "111111111111",
    "Scope": "arn:aws:iam::111111111111:root",
    "Filters": {
      "FilterString": ""
    },
    "IncludedProperties": [
      {
        "Name": "tags"
      }
    ],
    "ResourcePolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"EXAMPLE8-90ab-cdef-fedc-EXAMPLE11111_ACCESS_TO_SERVICE_PRINCIPAL\",\"Effect\":\"Allow\",\"PrincipalGroup\":{\"AWS\":\"sservicea.amazonaws.com\"},\"Action\":[\"resource-explorer-2:GetManagedView\",\"resource-explorer-2:DeleteManagedView\",\"resource-explorer-2:Search\"],\"Resource\":\"arn:aws:resource-explorer-2:us-east-1:111122223333:managed-view/ExampleManagedViewName/EXAMPLE8-90ab-cdef-fedc-EXAMPLE11111\",\"Condition\":{\"StringEquals\":{\"aws:SourceAccount\":\"111122223333\"}}},{\"Sid\":\"EXAMPLE8-90ab-cdef-fedc-EXAMPLE11111_DENY_ACCESS_TO_NON_SERVICE_PRINCIPAL\",\"Effect\":\"Deny\",\"Principal\":\"*\",\"NotAction\":\"resource-explorer-2:GetManagedView\",\"Resource\":\"arn:aws:resource-explorer-2:us-east-1:111122223333:managed-view/ExampleManagedViewName/EXAMPLE8-90ab-cdef-fedc-EXAMPLE11111\",\"Condition\":{\"ForAllValues:StringNotEquals\":{\"aws:PrincipalServiceNamesList\":\"servicea.amazonaws.com\"}}}]}",
    "Version": "1"
  }
}
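The following Python check is an added example, not part of the AWS documentation. It decodes the ResourcePolicy string returned by get-managed-view and verifies that it has the shape of the example resource-based policy shown earlier. The sample input is constructed, and treating Owner as the expected aws:SourceAccount value is an assumption based on the owner_accountID placeholder in that policy.

```python
import json

# Constructed sample shaped like the get-managed-view output; all values are placeholders.
ARN = "arn:aws:resource-explorer-2:us-east-1:111122223333:managed-view/ExampleView/EXAMPLE-UUID"
SVC, GET = "sampleservice.amazonaws.com", "resource-explorer-2:GetManagedView"
SAMPLE = {"ManagedView": {
    "ManagedViewArn": ARN, "TrustedService": SVC, "Owner": "111122223333",
    "ResourcePolicy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "EXAMPLE-UUID_ACCESS_TO_SERVICE_PRINCIPAL", "Effect": "Allow",
         "Principal": {"Service": SVC},
         "Action": [GET, "resource-explorer-2:DeleteManagedView", "resource-explorer-2:Search"],
         "Resource": ARN,
         "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}},
        {"Sid": "EXAMPLE-UUID_DENY_ACCESS_TO_NON_SERVICE_PRINCIPAL", "Effect": "Deny",
         "Principal": "*", "NotAction": GET, "Resource": ARN,
         "Condition": {"ForAllValues:StringNotEquals": {"aws:PrincipalServiceNamesList": SVC}}},
    ]})}}

def as_list(value):
    """IAM policy elements may be one string or a list of strings; normalize to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_managed_view(output):
    """Return findings; an empty list means the policy matches the documented shape."""
    view = output["ManagedView"]
    policy = json.loads(view["ResourcePolicy"])  # the policy is a JSON string inside JSON
    trusted, owner, findings = view["TrustedService"], view["Owner"], []
    stmts = as_list(policy.get("Statement"))
    allows = [s for s in stmts if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement found")
    for s in allows:
        principal = s.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if services != [trusted]:
            findings.append(f"{s.get('Sid')}: Allow principal is not exactly {trusted}")
        pinned = s.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount")
        if as_list(pinned) != [owner]:
            findings.append(f"{s.get('Sid')}: aws:SourceAccount is not pinned to {owner}")
    # The Deny must block every action except GetManagedView for non-service principals.
    guard = [s for s in stmts if s.get("Effect") == "Deny" and s.get("Principal") == "*"
             and as_list(s.get("NotAction")) == [GET]
             and as_list(s.get("Condition", {}).get("ForAllValues:StringNotEquals", {})
                         .get("aws:PrincipalServiceNamesList")) == [trusted]]
    if not guard:
        findings.append("no Deny limiting other principals to GetManagedView")
    return findings
```

To audit a real view, pass the parsed JSON output of get-managed-view to audit_managed_view in place of SAMPLE.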