

# AWS managed views
<a name="aws-managed-views"></a>

A *managed view* is how other AWS services can access resource information indexed by Resource Explorer for your AWS account or organization with your consent. 

**Topics**
+ [About managed views](#about-managed-views)
+ [Listing managed views](listing-managed-views.md)
+ [Deleting managed views](deleting-managed-views.md)

## About managed views
<a name="about-managed-views"></a>

Managed views can be updated or deleted only by the service that created the managed view. An AWS service creates a managed view using [IAM forward access sessions (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) or a [service-linked role (SLR)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html). 

Resource Explorer uses a [resource-based policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) to control access to the managed view. When an AWS service creates a managed view, Resource Explorer attaches the resource-based policy to the view. This policy allows the managing AWS service to use and delete the view, and allows the view's resource owners to list and retrieve details about the view. The following is an example resource-based policy attached to a managed view:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "view_UUID_ACCESS_TO_SERVICE_PRINCIPAL",
      "Effect": "Allow",
      "Principal": {
        "Service": "sampleservice.amazonaws.com"
      },
      "Action": [
        "resource-explorer-2:GetManagedView",
        "resource-explorer-2:Search"
      ],
      "Resource": "arn:aws:resource-explorer-2:us-east-1:111122223333:managed-view/ExampleManagedViewName/EXAMPLE8-90ab-cdef-fedc-EXAMPLE11111",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    },
    {
      "Sid": "view_UUID_DENY_ACCESS_TO_NON_SERVICE_PRINCIPAL",
      "Effect": "Deny",
      "Principal": "*",
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:PrincipalServiceNamesList": [
            "sampleservice.amazonaws.com"
          ]
        }
      },
      "NotAction": [
        "resource-explorer-2:GetManagedView"
      ],
      "Resource": "arn:aws:resource-explorer-2:us-east-1:111122223333:managed-view/ExampleManagedViewName/EXAMPLE8-90ab-cdef-fedc-EXAMPLE11111"
    }
  ]
}
```


# Listing managed views
<a name="listing-managed-views"></a>

You can see which managed views you have access to on the **Views** page in the Resource Explorer console. You can also run AWS CLI commands or their equivalent API operations in an AWS SDK to list the managed views you have access to in your currently selected AWS Region and retrieve view details. 

To run these commands, you must have the following permissions: 
+ **Action**: `resource-explorer-2:GetManagedView`

  **Resource**: The ARN of the specified view. 
+ **Action**: `resource-explorer-2:ListManagedViews`

  **Resource**: The ARN of the specified view. 

**To list your available managed views**

Run the following command to list managed views in the specified AWS Region:

```
aws resource-explorer-2 list-managed-views --region region
```

The command output is a list of ARNs. 

```
{
  "ManagedViews": [
    "arn:aws:resource-explorer-2:us-east-1:111122223333:managed-view/ManagedViewNameA/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111",
    "arn:aws:resource-explorer-2:us-east-1:444455556666:managed-view/ManagedViewNameB/1a2b3c4d-5d6e-7f8a-9b0c-abcd22222222"
  ]
}
```

**To retrieve managed view details**

Run the following command to retrieve details about a specified managed view using the view's ARN:

```
aws resource-explorer-2 get-managed-view \
    --managed-view-arn arn:aws:resource-explorer-2:us-east-1:111122223333:managed-view/ManagedViewNameA/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111
```

The command output provides details about the specified managed view, similar to the following:

```
{
  "ManagedView": {
    "ManagedViewArn": "arn:aws:resource-explorer-2:us-east-1:111122223333:managed-view/ManagedViewNameA/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111",
    "ManagedViewName": "ManagedViewNameA",
    "TrustedService": "sampleservice.amazonaws.com",
    "LastUpdatedAt": "2024-01-01T01:01:01.100000+00:00",
    "Owner": "111111111111",
    "Scope": "arn:aws:iam::111111111111:root",
    "Filters": {
      "FilterString": ""
    },
    "IncludedProperties": [
      {
        "Name": "tags"
      }
    ],
    "ResourcePolicy": "{\"Version\":\"YYYY-MM-DD\",\"Statement\":[{\"Sid\":\"EXAMPLE8-90ab-cdef-fedc-EXAMPLE11111_ACCESS_TO_SERVICE_PRINCIPAL\",\"Effect\":\"Allow\",\"PrincipalGroup\":{\"AWS\":\"sservicea.amazonaws.com\"},\"Action\":[\"resource-explorer-2:GetManagedView\",\"resource-explorer-2:DeleteManagedView\",\"resource-explorer-2:Search\"],\"Resource\":\"arn:aws:resource-explorer-2:us-east-1:111122223333:managed-view/ExampleManagedViewName/EXAMPLE8-90ab-cdef-fedc-EXAMPLE11111\",\"Condition\":{\"StringEquals\":{\"aws:SourceAccount\":\"111122223333\"}}},{\"Sid\":\"EXAMPLE8-90ab-cdef-fedc-EXAMPLE11111_DENY_ACCESS_TO_NON_SERVICE_PRINCIPAL\",\"Effect\":\"Deny\",\"Principal\":\"*\",\"NotAction\":\"resource-explorer-2:GetManagedView\",\"Resource\":\"arn:aws:resource-explorer-2:us-east-1:111122223333:managed-view/ExampleManagedViewName/EXAMPLE8-90ab-cdef-fedc-EXAMPLE11111\",\"Condition\":{\"ForAllValues:StringNotEquals\":{\"aws:PrincipalServiceNamesList\":\"servicea.amazonaws.com\"}}}]}",
    "Version": "1"
  }
}
```
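One way to review a `get-managed-view` response during an access audit, as an added example that is not part of the AWS documentation: it decodes the embedded `ResourcePolicy` string and checks that access is granted only to the `TrustedService`, that the grant is pinned by `aws:SourceAccount` to the account in the view ARN, and that the service-only `Deny` statement is present. The function names, the approved-service set and the sample response are assumptions, and the sample follows the `Principal`/`Service` policy shape of the example resource-based policy under "About managed views".

```python
import json

ARN = ("arn:aws:resource-explorer-2:us-east-1:111122223333:"
       "managed-view/ExampleManagedViewName/EXAMPLE8-90ab-cdef-fedc-EXAMPLE11111")
SERVICE = "sampleservice.amazonaws.com"

def sample_response(allow_principal, allow_condition):
    """Constructed get-managed-view response (hypothetical helper, not real data)."""
    policy = {"Version": "2012-10-17", "Statement": [
        {"Sid": "ALLOW", "Effect": "Allow", "Principal": allow_principal,
         "Action": ["resource-explorer-2:GetManagedView", "resource-explorer-2:Search"],
         "Resource": ARN, "Condition": allow_condition},
        {"Sid": "DENY", "Effect": "Deny", "Principal": "*",
         "NotAction": ["resource-explorer-2:GetManagedView"], "Resource": ARN,
         "Condition": {"ForAllValues:StringNotEquals":
                       {"aws:PrincipalServiceNamesList": [SERVICE]}}}]}
    return {"ManagedView": {"ManagedViewArn": ARN, "TrustedService": SERVICE,
                            "ResourcePolicy": json.dumps(policy)}}

def as_list(value):
    """Policy fields may hold a single value or a list."""
    return value if isinstance(value, list) else [value]

def audit_managed_view(response, approved_services):
    """Return findings for one response; an empty list means nothing unexpected."""
    view = response["ManagedView"]
    account = view["ManagedViewArn"].split(":")[4]  # account ID field of the ARN
    trusted = view["TrustedService"]
    findings = []
    if trusted not in approved_services:
        findings.append(f"trusted service not approved: {trusted}")
    policy = json.loads(view["ResourcePolicy"])  # returned as a JSON string
    deny_seen = False
    for stmt in as_list(policy["Statement"]):
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        cond = stmt.get("Condition", {})
        if stmt["Effect"] == "Deny":
            names = cond.get("ForAllValues:StringNotEquals", {}).get(
                "aws:PrincipalServiceNamesList")
            if principal == "*" and names is not None and as_list(names) == [trusted]:
                deny_seen = True
            continue
        only_service = isinstance(principal, dict) and set(principal) == {"Service"}
        if not only_service or as_list(principal["Service"]) != [trusted]:
            findings.append(f"{sid}: Allow principal is not only {trusted}")
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account:
            findings.append(f"{sid}: Allow lacks aws:SourceAccount == {account}")
    if not deny_seen:
        findings.append("no Deny statement limiting access to the trusted service")
    return findings
```

To use it against a real account, pass the parsed JSON output of `aws resource-explorer-2 get-managed-view` for each ARN returned by `list-managed-views`.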

# Deleting managed views
<a name="deleting-managed-views"></a>

Managed views can only be deleted by the AWS service that manages them. Before the managing service can delete the view, you may need to perform service-specific tasks to remove a managed view from your account. 

Resource Explorer managed views use the AWS Systems Manager `AWSManagedViewForSSM` unified console resource, which allows Systems Manager to access resource information indexed by Resource Explorer for your organization. If you want to delete the managed view, you must disable the unified console in Systems Manager. For instructions, see [Disabling the Systems Manager unified console](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-disable-integrated-console.html) in the *AWS Systems Manager User Guide*. 
