Terms and concepts for Resource Explorer - AWS Resource Explorer

Terms and concepts for Resource Explorer

AWS Resource Explorer is a resource search and discovery service. With Resource Explorer, you can explore your resources by using an internet search engine-like experience. You can search for your resources, such as Amazon Elastic Compute Cloud instances, Amazon Kinesis streams, or Amazon DynamoDB tables by using resource metadata like names, tags, and IDs. Resource Explorer works across AWS Regions in your account to simplify your cross-Region workloads.

Resource Explorer provides fast responses to your search queries by using indexes that are created and maintained by the AWS Resource Explorer service. Resource Explorer uses a variety of data sources to gather information about resources in your AWS account. Resource Explorer stores that information in the indexes for Resource Explorer to search.

You should understand the following concepts to successfully administer and configure AWS Resource Explorer for your users.

The following diagram shows three AWS Regions in which the administrator turned on Resource Explorer, and one Region the administrator chose not to turn on. The Region where Resource Explorer isn't turned on doesn't have an index. Therefore, its resources can't be searched by Resource Explorer queries.

In this example scenario, the administrator chose the US West (Oregon) Region (us-west-2) to contain the aggregator index for the account. All Regions that you turn on replicate their local indexes to the Region with the aggregator index.

The default view created by Resource Explorer doesn't have any filters. Therefore, results from searching with this view can include resources of any type in all Regions in the account where Resource Explorer is turned on.

[Diagram: four AWS Regions. Resource Explorer is turned on in three of them; one of those three holds the aggregator index and the default view for the account.]

Legend

  • Resource Explorer is turned on in this AWS Region and information about the Region's resources is stored in a local index in that Region. Every Region's local index is also replicated (indicated by the arrows) to the Region that contains the aggregator index.

  • The index in this AWS Region is configured to be the aggregator index for the account. Resource Explorer replicates the resource information collected in the local indexes of all other Regions where Resource Explorer is turned on into the aggregator index in this Region. Searches made in this Region can include results from all Regions in the account.

  • The default view created by Quick Setup includes all resources in all AWS Regions.

Resource Explorer administrator

A Resource Explorer administrator is an AWS Identity and Access Management (IAM) principal who has the permission to manage Resource Explorer and its settings in the AWS account. The Resource Explorer administrator can configure the following features:

  • Turn on Resource Explorer for individual AWS Regions in the AWS account by creating indexes in those Regions. This lets Resource Explorer discover resources and populate the index with information about those resources so that users can search for resources in that Region.

  • Update the index type in one AWS Region to make it the aggregator index for its AWS account. The aggregator index in this Region receives replicated copies of the resource information from all other Regions in the account where Resource Explorer is turned on.

  • Create views that define the subset of indexed information users can search and discover in Resource Explorer.

  • While not part of the Resource Explorer actions, the Resource Explorer administrator must also be able to grant search permissions to the principals in the account. The administrator can grant these permissions to principals by adding the relevant permissions to existing IAM permission policies, or by using the Resource Explorer read only AWS managed policy.


The administrator typically has all Resource Explorer permissions (resource-explorer-2:*) on all Resource Explorer resources, including the indexes and views. These permissions can be granted by using the Resource Explorer full access AWS managed policy.

Resource Explorer user

A Resource Explorer user is an IAM principal that has permission to do one or more of the following tasks:

  • Perform a search for resources by using a view to query Resource Explorer. A Resource Explorer user wants to discover and find AWS resources and typically uses the Resource Explorer console, or the Resource Explorer Search operations provided by the AWS SDKs or the AWS CLI.

    A role or user can get permission to search with one of two methods:

    • Attach the Resource Explorer read only AWS managed policy to the IAM role, group, or user.

    • Attach an IAM permission policy with a statement containing the following minimum permissions to the IAM role, group, or user.

      {
        "Effect": "Allow",
        "Action": [
          "resource-explorer-2:Search",
          "resource-explorer-2:GetView"
        ],
        "Resource": "<ARN of the view>"
      }

  • Although typically considered an administrator task, you can delegate to trusted users the ability to create views. To do this, the administrator can grant permission to call the resource-explorer-2:CreateView operation in an IAM permission policy attached to the relevant roles, groups, or users. If users must be able to search with the views they create, the administrator must also provide for adding or modifying the IAM policies of those users to grant access to each view.

For information about how to search for resources using Resource Explorer, see Using AWS Resource Explorer to search for resources.
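The following is an added example, not code from the AWS documentation or the Resource Explorer service. It builds the minimum search policy described above (Search plus GetView, scoped to specific views) from a list of view ARNs, rejects any ARN that does not end in the view's UUID, and audits an existing policy for wildcard view grants. The view ARN, account ID and UUID are the constructed values shown on this page; the boto3 call in the last function assumes the resource-explorer-2 client and credentials and is not needed for the offline helpers.

```python
"""Added example, not code from the AWS documentation: build the least-privilege
search policy described on this page and check that every view it grants is
named by a full ARN (with the trailing UUID) rather than a wildcard."""
import json
import re
import uuid

# View ARN layout from the page:
#   arn:aws:resource-explorer-2:<region>:<account-id>:view/<name>/<uuid>
VIEW_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):resource-explorer-2:"
    r"(?P<region>[a-z0-9-]+):(?P<account>\d{12}):view/"
    r"(?P<name>[^/*]+)/(?P<suffix>[^/]+)$"
)

SEARCH_ACTIONS = ["resource-explorer-2:Search", "resource-explorer-2:GetView"]


def parse_view_arn(arn):
    """Split a view ARN into its parts. Raises ValueError unless the ARN is
    complete and ends in the AWS-generated UUID, so a policy built from it can
    never match a later view that reuses the same name."""
    match = VIEW_ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not a Resource Explorer view ARN: {arn}")
    parts = match.groupdict()
    try:
        uuid.UUID(parts["suffix"])
    except ValueError:
        raise ValueError(f"view ARN must end in the view's UUID: {arn}") from None
    return parts


def search_policy(view_arns):
    """Return the minimum IAM policy document for searching with the given
    views: Search and GetView, scoped to exactly those view ARNs."""
    for arn in view_arns:
        parse_view_arn(arn)  # reject wildcards and malformed ARNs up front
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(SEARCH_ACTIONS),
            "Resource": list(view_arns),
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_view_grants(policy):
    """Audit helper: list every Allow resource in a policy that grants a
    resource-explorer-2 action on a view pattern containing '*'. Such a grant
    defeats the UUID suffix, because a new view with the same name would match."""
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        if not any(a.startswith("resource-explorer-2:") or a == "*" for a in actions):
            continue
        for resource in _as_list(statement.get("Resource", [])):
            if "*" in resource and (":view/" in resource or resource == "*"):
                findings.append(resource)
    return findings


def search_with_view(view_arn, query_string, max_results=50):
    """Run one Search call through a view (requires boto3 and credentials; the
    client name and parameters are those of the boto3 resource-explorer-2 client)."""
    import boto3  # imported lazily so the pure helpers above work offline

    region = parse_view_arn(view_arn)["region"]  # views are per-Region resources
    client = boto3.client("resource-explorer-2", region_name=region)
    response = client.search(QueryString=query_string, ViewArn=view_arn,
                             MaxResults=max_results)
    return response.get("Resources", [])


if __name__ == "__main__":
    # Constructed view ARN in the format the page shows.
    view = ("arn:aws:resource-explorer-2:us-east-1:123456789012:"
            "view/My-View-Name/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111")
    print(json.dumps(search_policy([view]), indent=2))
```

The wildcard check is the practical consequence of the note about view ARNs further down this page: the UUID suffix only protects against a recreated view of the same name if policies reference the full ARN, so a grant such as `view/My-View-Name/*` should be treated as a finding.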

Index

An index is the collection of information maintained by Resource Explorer about all of the AWS resources in one AWS Region in your AWS account. Resource Explorer maintains an index in each Region in which you turn on Resource Explorer. Resource Explorer updates the index automatically as you create and delete resources in your AWS account. In the earlier diagram, the boxes under the AWS Region names represent the Resource Explorer indexes maintained in each AWS Region. The index in a Region is the source of information for any views created in that Region. Users can't directly query the index. Instead, they must always query using a view.

There are two types of indexes:

Local index

There is one local index in every AWS Region in which you turn on Resource Explorer. A local index contains information about only the resources in the same Region.

Aggregator index

The Resource Explorer administrator can also designate the index in one AWS Region to be the aggregator index for the AWS account. The aggregator index receives and stores a copy of the index for every other Region where Resource Explorer is turned on in the account. The aggregator index also receives and stores information about the resources in its own Region. In the earlier diagram, the Region us-west-2 contains the aggregator index for the account. The primary reason to designate an aggregator index for the account is so that you can create views that can include resources from all Regions in the account. There can be only one aggregator index in an AWS account.

When you turn on Resource Explorer, you can specify which AWS Region is to contain the aggregator index. You can also change the AWS Region used for the aggregator index later. For information about how to promote a local index to make it the aggregator index for its AWS account, see Turning on cross-Region search by creating an aggregator index.

An index is a resource with an Amazon resource name (ARN). However, you can use this ARN only in permission policies to grant access to operations that interact directly with the index. With those operations, you can create views and set them as the default in a Region, turn on or turn off Resource Explorer in a Region, and create an aggregator index for the account. The ARN of an index looks similar to the following example:

arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111

View

A view is the mechanism used to query the resources listed in an index. The view defines what information in the index is visible and available for search and discovery purposes. A user never directly queries the Resource Explorer index. Instead, queries must always go through a view, which lets the view creator limit which resources the user can see in search results.

When you create a view, you specify filters that restrict which resources are included in search results. For example, you could choose to include only resources of a few specified resource types that are used by those to whom you grant access to this view. Results from queries that users make with a view are always automatically filtered to include only those resources that match the view's criteria.

To grant access to use a view, assign permissions to your users, groups, or roles using one of the following methods.

Grant permission to allow your roles, groups, or users to invoke the resource-explorer-2:GetView and resource-explorer-2:Search operations on a view identified by its Amazon resource name (ARN). Alternatively, you can use the Resource Explorer read only AWS managed policy for all principals who need to use the view to search. You can create multiple views that have different filters and scopes and thus return different subsets of your resource information. Then, you can grant permissions for each view to those users who need to see the information included by that view's results.

To search with Resource Explorer, each user must have permission to use at least one view. You can't perform a search in Resource Explorer without using a view.

Views are stored on a per-Region basis. A view can access only the Resource Explorer index in that AWS Region. To access account-wide search results, you must use a view in the Region that contains the aggregator index for the account. The Quick setup option creates a default view in the AWS Region with the aggregator index and with filters that include all resources in all AWS Regions used by the account.

For information about how to create views, see Managing Resource Explorer views to provide access to search. For information about how to use views in a query, see Using AWS Resource Explorer to search for resources.
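The following is an added example, not code from the AWS documentation or the Resource Explorer service. It shows the per-Region rule above in working form: from a list of index records shaped like a ListIndexes response, it identifies the Region that holds the aggregator index and works out which Regions a view created in any given Region can return results from. The index records, account ID and index UUIDs are constructed placeholders matching the page's diagram; the final function assumes the boto3 resource-explorer-2 client (ListIndexes, GetDefaultView, Search) and credentials, and the choice of us-east-1 as the bootstrap Region is an assumption.

```python
"""Added example, not code from the AWS documentation: work out which Region's
view can return account-wide results, then search through the default view
there. Views are per-Region and read only their own Region's index, so only a
view in the aggregator-index Region sees every Region's resources."""


def example_indexes():
    """Constructed stand-in for a ListIndexes response matching the page's
    diagram: three Regions turned on, us-west-2 holding the aggregator index.
    The index UUIDs are placeholders, not real values."""
    account = "123456789012"
    return [
        {"Arn": f"arn:aws:resource-explorer-2:us-west-2:{account}:index/00000000-0000-0000-0000-000000000001",
         "Region": "us-west-2", "Type": "AGGREGATOR"},
        {"Arn": f"arn:aws:resource-explorer-2:us-east-1:{account}:index/00000000-0000-0000-0000-000000000002",
         "Region": "us-east-1", "Type": "LOCAL"},
        {"Arn": f"arn:aws:resource-explorer-2:eu-west-1:{account}:index/00000000-0000-0000-0000-000000000003",
         "Region": "eu-west-1", "Type": "LOCAL"},
    ]


def aggregator_region(indexes):
    """Region holding the aggregator index, or None if every index is local
    (then no view can return cross-Region results)."""
    regions = [i["Region"] for i in indexes if i.get("Type") == "AGGREGATOR"]
    if len(regions) > 1:
        # An account has at most one aggregator index; more means bad input.
        raise ValueError(f"more than one aggregator index: {regions}")
    return regions[0] if regions else None


def regions_searchable_from(region, indexes):
    """Regions whose resources a view created in `region` can return."""
    indexed = sorted(i["Region"] for i in indexes)
    if region == aggregator_region(indexes):
        return indexed                                  # replicated copies of every local index
    return [region] if region in indexed else []        # local index only, or no index at all


def account_wide_search(query_string, page_size=100):
    """Search every indexed Region through the aggregator Region's default
    view. Needs boto3 and AWS credentials; not exercised offline."""
    import boto3  # lazy import so the pure helpers above run without it

    # ListIndexes reports indexes in all Regions; us-east-1 is an arbitrary
    # bootstrap Region (assumption).
    bootstrap = boto3.client("resource-explorer-2", region_name="us-east-1")
    region = aggregator_region(bootstrap.list_indexes(Type="AGGREGATOR")["Indexes"])
    if region is None:
        raise RuntimeError("no aggregator index: cross-Region search is not turned on")
    client = boto3.client("resource-explorer-2", region_name=region)
    view_arn = client.get_default_view().get("ViewArn")
    if not view_arn:
        raise RuntimeError(f"no default view in {region}; unified search would also return no resources")
    resources, token = [], None
    while True:
        params = {"QueryString": query_string, "ViewArn": view_arn, "MaxResults": page_size}
        if token:
            params["NextToken"] = token
        page = client.search(**params)
        resources.extend(page.get("Resources", []))
        token = page.get("NextToken")
        if not token:
            return resources


if __name__ == "__main__":
    idx = example_indexes()
    for r in ["us-west-2", "us-east-1", "ap-southeast-1"]:
        print(r, "->", regions_searchable_from(r, idx))
```

Running the stand-alone block prints that a view in us-west-2 covers all three indexed Regions, a view in us-east-1 covers only us-east-1, and a Region with no index cannot be searched at all, which is the same coverage the diagram legend describes.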

Every view has an Amazon resource name (ARN) that you can reference in permission policies to grant access to individual views. You can also pass a view's ARN as a parameter to any API or AWS CLI operation that interacts with a view. The ARN of a view looks similar to the following example.

arn:aws:resource-explorer-2:us-east-1:123456789012:view/My-View-Name/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111

Note

Every view ARN includes an AWS generated UUID at the end. This helps to ensure that users who might have had access to views with a specific name that was deleted can't automatically access a new view created with the same name.

Resource

A resource is an entity in AWS that you can work with. Resources are created by AWS services as you use the features of the service. Examples include an Amazon EC2 instance, an Amazon S3 bucket, or an AWS CloudFormation stack. Some resource types can contain customer data. All resource types have attributes or metadata to describe the resource, including a name, description, and the Amazon resource name (ARN) that you use to uniquely reference a resource. Most resource types also support tags. Tags are custom metadata that you can attach to your resources for a variety of purposes, such as cost allocation in your billing, security authorization using attribute-based access control, or to support your other categorization needs.

The primary purpose of Resource Explorer is to help you find the resources that exist in your AWS account. Resource Explorer uses a variety of techniques to discover all of your resources and place information about them in an index. Then, you can query the index through whatever views that your administrator makes available to you.

Important

Resource Explorer intentionally excludes those resource types whose inclusion would expose customer data. The following resource types are not indexed by Resource Explorer and are therefore never returned in search results.

  • Amazon S3 objects that are contained within a bucket

  • Amazon DynamoDB table items

  • DynamoDB attribute values

Unified search

At the top of the AWS Management Console, in every AWS service, there is a search bar that you can use to search for a variety of AWS related things. You can search for services and features, and get links directly to the relevant page in that service's console. You can also search for documentation and blog articles related to your search term.

After you turn on Resource Explorer and create an aggregator index and a default view, unified search can also include your account's resources in the search results. Unified search automatically uses the default view in the AWS Region that contains the aggregator index for the account. This lets you search for a resource from any page in the AWS Management Console, without having to first open Resource Explorer. If you don't promote a local index to be the aggregator index for the account, or if you don't create a default view in the aggregator index Region, unified search doesn't include resources in its search results. Also, any principal performing a search must have permission to use the default view in the Region that contains the aggregator index or unified search doesn't include resources in its search results.

Important

Unified search automatically inserts a wildcard character (*) operator at the end of the first keyword in the string. This means that unified search results include resources that match any string that starts with the specified keyword.

The search performed by the Query text box on the Resource search page in the Resource Explorer console does not automatically append a wildcard character. You can insert a * manually after any term in the search string.

For more information about unified search and its integration with Resource Explorer, see Using unified search in the AWS Management Console.

Multi-account search

With multi-account search, you can search and discover resources across AWS Organizations and AWS Regions with a single keyword search.

For more information about multi-account search and how to enable it for Resource Explorer, see Turning on multi-account search.