Configuring a Resource Explorer view to provide access to resource searches
Views are the key to searching for your resources. Every AWS Resource Explorer search operation must use a view. Views are the method the administrator can use to control access to the information about resources in your AWS account.
A view can be accessed only by principals (IAM roles or users) that have permission to use that view. To search successfully with Resource Explorer, a principal must be allowed both the resource-explorer-2:GetView and resource-explorer-2:Search operations on the view's ARN.
Views contain built-in filters that the administrator can use to limit results to only items of interest. For example, you can create a view that includes only resources related to a certain project. Users who don't need to see information about other projects can use this view to see only those resources of interest.
A view is a Regional resource. The view is created and stored in a specific AWS Region and returns in its results only information from the index in that Region. To include results from across all Regions in the account, the view must reside in the Region that contains the aggregator index. That Region contains a replica of the indexes from all other Regions in the account.
There are several key elements to every view:
- Permissions to search
  You can use standard AWS permission policies to control who can use each view. Identity-based permission policies attached to the principals give you granular control over who can see the information provided by each view. For example, you can grant access to the Production-resources view to allow searching only by the engineers who operate your production services. Then, you can grant different permissions to the Pre-production-resources view to allow searching for pre-production resources by your developers.
  If you use the AWS managed policy named AWSResourceExplorerReadOnlyAccess with your principals, it grants them the ability to search using any view in the account. Alternatively, you can create your own permissions policy and grant the following permissions for only specified views:
  - resource-explorer-2:GetView
  - resource-explorer-2:Search
  To provide access, add permissions to your users, groups, or roles:
  - Users and groups in AWS IAM Identity Center: Create a permission set. Follow the instructions in Create a permission set in the AWS IAM Identity Center User Guide.
  - Users managed in IAM through an identity provider: Create a role for identity federation. Follow the instructions in Create a role for a third-party identity provider (federation) in the IAM User Guide.
  - IAM users:
    - Create a role that your user can assume. Follow the instructions in Create a role for an IAM user in the IAM User Guide.
    - (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.
  For more information about permissions related to views, see Granting access to Resource Explorer views for search.
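The following identity-based policy is an added example (not from the AWS documentation) of scoping the two required actions to a single view, so that the developers described above can search only the Pre-production-resources view. The Region, the account ID 111122223333 and the view ID segment are placeholders; substitute the ARN that GetView or the console reports for your own view.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SearchPreProductionViewOnly",
      "Effect": "Allow",
      "Action": [
        "resource-explorer-2:GetView",
        "resource-explorer-2:Search"
      ],
      "Resource": "arn:aws:resource-explorer-2:us-east-1:111122223333:view/Pre-production-resources/EXAMPLE-VIEW-ID"
    }
  ]
}
```

Because there is no wildcard in the Resource element, a principal with only this policy cannot call Search against the Production-resources view or the Region's default view; a request that names either of those views is denied.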
- Filtering the search
  A view serves as a virtual window through which the user can see the resources in the account. You can create multiple views, each presenting a different view of the larger picture. For example, you can create a view that allows searching only resources associated with your pre-production environment, as identified by tags attached to your resources. Then, you could create a separate view that allows searching only resources in your production environment, based on different values in the tags. If you configure multiple views with different FilterString values, you don't have to re-enter those query parameters every time you Search.
  Views also can specify which optional pieces of information about the resources to include in the results. The default list of fields is always included in results. In addition to the default list, you can request that the view also include any tags attached to the resource.
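As an added example (not from the AWS documentation), the CreateView request below defines the pre-production view described above with a built-in tag filter and asks for tags to be returned alongside the default fields. The tag key Environment and its value pre-production are assumptions about how your resources are tagged; the production view would use the same shape with a different tag value in FilterString.

```json
{
  "ViewName": "Pre-production-resources",
  "Filters": {
    "FilterString": "tag:Environment=pre-production"
  },
  "IncludedProperties": [
    { "Name": "tags" }
  ]
}
```

Saved to a file, this can be passed to the AWS CLI as `aws resource-explorer-2 create-view --cli-input-json file://view.json`; the FilterString is applied to every Search made through the view, so callers cannot widen the results beyond the filtered set.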
- Scope of the search
  - Region scope – When you search in an AWS Region with Resource Explorer, the results can include only resources that are indexed in that Region. The index in most Regions is labeled LOCAL because it contains information about resources within only that Region. Searches in those Regions can return only those resources.
  - Account scope – You can promote one local index to be the aggregator index for the account. When you do this, all other Regions where Resource Explorer is turned on replicate their index information to the Region with the aggregator index. If you search in that Region, those results include resources from all Regions in the account. When you use the Quick setup option to configure the service, Resource Explorer automatically creates an aggregator index in the Region you specify. Also, the Quick setup option creates a default view in that Region to support searching all resources in the account across all Regions.
Default views
If a user attempts to search without explicitly specifying a view, Resource Explorer uses the default view defined for that AWS Region. If a default view doesn't exist for that Region and the user didn't specify a view to use, then the search fails and generates an exception.
Resource Explorer automatically creates a default view as follows:
- If you turn on Resource Explorer using the AWS Management Console and choose the Quick setup option, you must specify which Region contains the aggregator index for the account. Resource Explorer automatically creates a default view in the specified aggregator index Region.
- If you register Resource Explorer using the AWS Management Console and choose the Advanced setup option, you can optionally choose to create the aggregator index for the account in a specified Region. If you do this, Resource Explorer creates a default view automatically in the aggregator index Region.
- If you register Resource Explorer by using the console and choose not to register an aggregator index Region, Resource Explorer creates a default view for the local index in each Region.
- If you register Resource Explorer by using the AWS CLI or the API operations, Resource Explorer doesn't automatically create a default view. Instead, you must configure the default view manually for each Region where you expect users to search from.