

# Getting started with Resource Explorer
<a name="getting-started"></a>

Use the topics in this section to get a basic understanding of the concepts and terms used by AWS Resource Explorer. Learn how Resource Explorer is automatically enabled based on your permissions and how to access enhanced features for your AWS account.

## Accessing Resource Explorer
<a name="accessing-resource-explorer"></a>

Resource Explorer is automatically enabled when you access the service through any of the following methods, with your experience determined by your IAM permissions:
+ **Full Experience:** Users with, at minimum, the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy and the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy) get complete search results with automatic infrastructure creation on a Regional basis for indexes and views.
+ **Enhanced Experience:** Users with only the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy get immediate access to partial results (all tagged resources and supported untagged resources created after the [immediate resource discovery](https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-immediate-resource-discovery-experience.html) release).
+ **No Access:** Users without the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy receive access denied errors, respecting IAM boundaries.

You can interact with Resource Explorer in the following ways:

**Resource Explorer console**  
Resource Explorer provides a web-based user interface, the Resource Explorer console. Simply navigating to or accessing the Resource Explorer console automatically triggers the setup process based on your permissions. You can access the Resource Explorer console by signing into the [AWS Management Console](https://console.aws.amazon.com/) and searching for it by name or choosing **View all services** and selecting **Resource Explorer** from the list.  
You can also navigate in your browser directly to the **[Resource Explorer home page](https://console.aws.amazon.com/resource-explorer/home#/home)**, or to the **[Resource search](https://console.aws.amazon.com/resource-explorer/home#/search)** page. If you aren't already signed in, then you're asked to do so before the console appears.  
The Resource Explorer console is a *global* console, meaning that you don't have to select an AWS Region to work in. However, when you use Resource Explorer to create an index or a view, you need to specify which Region the index or view is stored in. When you use Resource Explorer to search, you can choose any view you have access to. The results automatically come from the Region associated with the selected view. If the view is from the Region that contains the aggregator index, the results include resources from all Regions where you created Resource Explorer indexes.

**AWS Management Console [Unified Search](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/using-search.html)**  
At the top of every page in the AWS Management Console, there is a search bar. Resource Explorer returns resource search results in Unified Search when you have the appropriate permissions. You can use [Resource Explorer search query syntax](using-search-query-syntax.md) in the Unified Search text box, and see matching resources in those search results. You can search for resources from the console of any AWS service without having to first switch to the Resource Explorer console.  
Unified Search uses the default view in the aggregator Region if configured, or the default view in the current Region for regional results.

**Resource Explorer commands in the AWS CLI and Tools for Windows PowerShell**  
The AWS CLI and Tools for PowerShell provide direct access to the Resource Explorer public API operations and automatically trigger setup based on your permissions when you invoke search operations. These tools work on Windows, macOS, and Linux. For more information about getting started, see the [AWS Command Line Interface User Guide](https://docs.aws.amazon.com/cli/latest/userguide/), or the [AWS Tools for Windows PowerShell User Guide](https://docs.aws.amazon.com/powershell/latest/userguide/). For more information about the commands for Resource Explorer, see the [AWS CLI Command Reference](https://docs.aws.amazon.com/cli/latest/reference/resource-explorer-2) or the [AWS Tools for Windows PowerShell Cmdlet Reference](https://docs.aws.amazon.com/powershell/latest/reference/index.html?page=ResourceExplorer2_cmdlets.html).

**Resource Explorer operations in the AWS SDKs**  
AWS provides API commands for a broad set of programming languages that automatically enable Resource Explorer functionality when you have appropriate permissions. For more information about getting started, see [Using AWS Resource Explorer with an AWS SDK](sdk-general-information-section.md).

**Query API**  
If you don't use one of the supported programming languages, the Resource Explorer HTTPS Query API gives you programmatic access to Resource Explorer. With the Resource Explorer API, you can issue HTTPS requests directly to the service. When you use the Resource Explorer API, you must include code that can digitally sign your requests using your AWS credentials. For more information, see the [AWS Resource Explorer API Reference](https://docs.aws.amazon.com/resource-explorer/latest/apireference/).

## Getting started immediately
<a name="getting-started-immediately"></a>

You can start using Resource Explorer immediately with just the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy. This provides instant access to search functionality with partial results while automatic setup completes in the background.

**Note**  
Automatic setup can complete only if you have the necessary permissions. You must have, at minimum, the permissions in the [`AWSResourceExplorerFullAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy.

**To start searching immediately**

1. Ensure you have, at minimum, the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy. These permissions are also included in the `AWSResourceExplorerFullAccess` managed policy.

1. Navigate to the Resource Explorer console or use [Unified Search](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/using-search.html) from any AWS console page.

1. Begin searching immediately. You'll receive partial results (all tagged resources and supported untagged resources created after the [immediate resource discovery](https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-immediate-resource-discovery-experience.html) release) while indexing completes.

1. (Optional) For complete results, obtain the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy). Once any user in your account creates the service-linked role, all users with search permission searching in a new Region can create an index and a view for full results.

## Enhanced setup for cross-Region search
<a name="enhanced-setup-path"></a>

While Resource Explorer provides immediate regional search functionality, you can optionally configure enhanced features like cross-Region search and custom views.
+ **Cross-Region search:** Create an aggregator index to search across all Regions from a single location.
+ **Custom views:** Create filtered views for specific resource types or access control requirements.
+ **Multi-account search:** Configure organization-wide resource discovery (requires management account or delegated administrator permissions).

For detailed setup instructions, see [Setting up and configuring Resource Explorer](getting-started-setting-up.md).

# Terms and concepts for Resource Explorer
<a name="getting-started-terms-and-concepts"></a>

AWS Resource Explorer is a resource search and discovery service. With Resource Explorer, you can explore your resources by using an internet search engine-like experience. You can search for your resources, such as Amazon Elastic Compute Cloud instances, Amazon Kinesis streams, or Amazon DynamoDB tables by using resource metadata like names, tags, and IDs. Resource Explorer works across AWS Regions in your account to simplify your cross-Region workloads.

Resource Explorer is available immediately when you have the appropriate permissions. Users with the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy can start searching for resources right away without any setup. Users with both the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy and the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy) get complete search results with automatic infrastructure creation (index and view) on first search in a Region. The `iam:CreateServiceLinkedRole` permission is needed only by one user initially to create the service-linked role for the account. After the service-linked role exists in the account, all users with search permission searching in a new Region can create an index and a view for full results.

Resource Explorer provides fast responses to your search queries by using indexes that are created and maintained by the AWS Resource Explorer service. Resource Explorer uses a variety of data sources to gather information about resources in your AWS account. Resource Explorer stores that information in the indexes for Resource Explorer to search.

Resource Explorer operates in two modes: automatic setup and manual setup. With automatic setup, Resource Explorer creates the necessary infrastructure (indexes and views) when you first search in a Region, provided you have the required permissions. Manual setup allows administrators to pre-configure Resource Explorer infrastructure before users begin searching.

You should understand the following concepts to successfully use AWS Resource Explorer.

**Topics**
+ [Resource Explorer administrator](#term-admin)
+ [Resource Explorer user](#term-user)
+ [Index](#term-index)
+ [View](#term-view)
+ [Resource](#term-resource)
+ [Unified Search in the AWS Management Console](#term-unified-search)
+ [Multi-account search](#term-multi-account-search)

The following diagram shows three AWS Regions in which users have searched for resources, and one Region where no search has occurred yet. Regions with user-owned (local) indexes provide complete search results, while Regions with only Resource Explorer owned indexes provide partial results (all tagged resources and supported untagged resources created after the [immediate resource discovery](https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-immediate-resource-discovery-experience.html) release). 

In this example scenario, a user selected the US West (Oregon) Region (`us-west-2`) to contain the aggregator index for the account. All Regions with user-owned (local) indexes replicate their local indexes to the Region with the aggregator index.

The default view created by Resource Explorer doesn't have any filters. Therefore, results from searching with this view can include resources of any type, including their tags, in all Regions in the account where Resource Explorer is turned on.

![\[4 Regions: Resource Explorer registered in 3. Default view, aggregator index, or AWS account in 1.\]](http://docs.aws.amazon.com/resource-explorer/latest/userguide/images/AREX-Overview-IAD.png)



| Legend |  |
| --- | --- |
| ![\[Gear icon with magnifying glass, representing system configuration or search settings.\]](http://docs.aws.amazon.com/resource-explorer/latest/userguide/images/AREX-Activated-Icon.png) | Resource Explorer is set up with a user-owned (local) index in this AWS Region. Information about the Region's resources is stored in a local index in that Region. Every Region's user-owned (local) index is also replicated (indicated by the arrows) to the Region that contains the aggregator index. | 
| ![\[Notebook icon representing a document or file with lined pages.\]](http://docs.aws.amazon.com/resource-explorer/latest/userguide/images/Global-Index-Icon.png) | The index in this AWS Region is configured to be the aggregator index for the account. Resource Explorer replicates the resource information collected in the user-owned (local) indexes of all other Regions into the aggregator index in this Region. Searches made in this Region can include results from all Regions with user-owned (local) indexes in the account. | 
| ![\[Blue square border with white interior, representing a placeholder for an image.\]](http://docs.aws.amazon.com/resource-explorer/latest/userguide/images/Default-Search-Scope.png) | The default view created by Quick Setup includes all resources in all AWS Regions with user-owned (local) indexes. | 

## Resource Explorer administrator
<a name="term-admin"></a>

A Resource Explorer *administrator* is an AWS Identity and Access Management (IAM) principal who has the permission to manage Resource Explorer and its settings in the AWS account. With Resource Explorer functionality available in an account by default, manual administrator setup is optional for basic functionality. Users with appropriate permissions can start searching immediately and Resource Explorer will automatically create the necessary infrastructure. The Resource Explorer administrator can configure the following features:
+ Complete setup for individual AWS Regions in the AWS account by creating user-owned indexes in those Regions by searching or in **Settings**. This provides complete search results and lets Resource Explorer discover all resources and populate the index with comprehensive information about those resources.
+ Enable cross-Region search by updating the index type in one AWS Region to make it the [aggregator index](#term-index) for its AWS account. The aggregator index in this Region receives replicated copies of the resource information from all other Regions in the account where user-owned indexes exist.
+ Create [views](#term-view) that define the subset of indexed information users can search and discover in Resource Explorer.
+ While not part of the Resource Explorer actions, the Resource Explorer administrator must also be able to grant search permissions to the principals in the account. The administrator can grant these permissions to principals by adding the relevant permissions to existing IAM permission policies, or by using the [Resource Explorer read only AWS managed policy](security_iam_awsmanpol.md#security_iam_awsmanpol_AWSResourceExplorerReadOnlyAccess).

  To provide access, add permissions to your users, groups, or roles:
  + Users and groups in AWS IAM Identity Center:

    Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
  + Users managed in IAM through an identity provider:

    Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
  + IAM users:
    + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
    + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

The administrator typically has all Resource Explorer permissions (`resource-explorer-2:*`) on all Resource Explorer resources, including the indexes and views. These permissions can be granted by using the [Resource Explorer full access AWS managed policy](security_iam_awsmanpol.md#security_iam_awsmanpol_AWSResourceExplorerFullAccess).

## Resource Explorer user
<a name="term-user"></a>

Resource Explorer provides three permission-based experience tiers for users:

**Full Experience**  
**Permissions:** At minimum, the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy. If the service-linked role doesn't exist in the account, one user needs the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy) to create it initially  
**Experience:** Complete single-Region resource search results with automatic updates  
**Enhancement:** Can optionally enable cross-Region search by selecting an aggregator index

**Enhanced Experience**  
**Permissions:** At minimum, the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy  
**Experience:** Partial results immediately (all tagged resources and supported untagged resources created after the [immediate resource discovery](https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-immediate-resource-discovery-experience.html) release)  
**Enhancement:** Can upgrade to full experience by obtaining service-linked role creation permission or having another user with permissions create the service-linked role in the account

**No Access**  
**Permissions:** Missing the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy  
**Experience:** No resource search access  
**Enhancement:** Must obtain proper permissions to access the service

A Resource Explorer *user* is an IAM principal that has permission to do one or more of the following tasks:
+ Perform a search for resources by using a view to query Resource Explorer. A Resource Explorer user wants to discover and find AWS resources and typically uses the Resource Explorer console, or the Resource Explorer `Search` operations provided by the AWS SDKs or the AWS CLI.

  A role or user can get permission to search with one of two methods:
  + Attach the [Resource Explorer read only AWS managed policy](security_iam_awsmanpol.md#security_iam_awsmanpol_AWSResourceExplorerReadOnlyAccess) to the IAM role, group, or user.
  + Attach an IAM permission policy with a statement containing the following minimum permissions to the IAM role, group, or user.

    ```
    {
        "Effect": "Allow",
        "Action": [
            "resource-explorer-2:Search",
            "resource-explorer-2:GetView"
        ],
        "Resource": "*"
    }
    ```
+ Although typically considered an administrator task, you can delegate to trusted users the ability to create views. To do this, the administrator can grant permission to call the `resource-explorer-2:CreateView` operation in an IAM permission policy attached to the relevant roles, groups, or users. If the view requires specific permissions, then provision for adding or modifying the IAM policies for the relevant users must be made.

For information about how to search for resources using Resource Explorer, see [Using AWS Resource Explorer to search for resources](using-search.md).
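The three experience tiers and the minimum search statement described above can be checked offline against a principal's policy documents. The following is an added example, not AWS code: the function names and sample policies are hypothetical, the two-action search statement stands in for "the permissions in `AWSResourceExplorerReadOnlyAccess`", and `Resource`, `Condition`, permissions boundaries, and SCPs are not evaluated.

```python
"""Classify which Resource Explorer experience tier a set of IAM identity
policies yields. Added illustration with simplified policy evaluation."""
import re

# Assumption: the page's minimum search statement is used as the stand-in
# for "the permissions in AWSResourceExplorerReadOnlyAccess".
SEARCH_ACTIONS = ("resource-explorer-2:Search", "resource-explorer-2:GetView")
SLR_ACTION = "iam:CreateServiceLinkedRole"


def _as_list(value):
    """IAM allows a single string/object where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' = any run, '?' = one char."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def _covers(statement, action):
    """True if the statement's Action/NotAction element applies to action."""
    if "NotAction" in statement:
        excluded = _as_list(statement["NotAction"])
        return not any(_matches(p, action) for p in excluded)
    return any(_matches(p, action) for p in _as_list(statement.get("Action")))


def is_allowed(policies, action):
    """Explicit Deny wins; otherwise at least one Allow is required."""
    allowed = False
    for policy in policies:
        for statement in _as_list(policy.get("Statement")):
            if not _covers(statement, action):
                continue
            if statement.get("Effect") == "Deny":
                return False
            if statement.get("Effect") == "Allow":
                allowed = True
    return allowed


def experience_tier(policies, service_linked_role_exists=False):
    """Map policies to the tier names used on this page."""
    if not all(is_allowed(policies, a) for a in SEARCH_ACTIONS):
        return "No Access"
    # Per the page, only one user ever needs iam:CreateServiceLinkedRole;
    # once the role exists, search permission alone gives full results.
    if service_linked_role_exists or is_allowed(policies, SLR_ACTION):
        return "Full Experience"
    return "Enhanced Experience"


# Constructed sample policies (not taken from any real account).
SEARCH_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Action": ["resource-explorer-2:Search", "resource-explorer-2:GetView"],
    "Resource": "*"}}
CREATE_SLR = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
    "Resource": "*"}]}
SERVICE_WILDCARD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "resource-explorer-2:*", "Resource": "*"}]}
DENY_SEARCH = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "Resource-Explorer-2:search",
    "Resource": "*"}]}
ALLOW_ALL_BUT_IAM = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}

if __name__ == "__main__":
    cases = {
        "search only": ([SEARCH_ONLY], False),
        "search only, role already exists": ([SEARCH_ONLY], True),
        "search + CreateServiceLinkedRole": ([SEARCH_ONLY, CREATE_SLR], False),
        "wildcard allow + explicit deny": ([SERVICE_WILDCARD, DENY_SEARCH], False),
        "everything except iam:*": ([ALLOW_ALL_BUT_IAM], False),
        "no policies": ([], False),
    }
    for label, (policies, slr) in cases.items():
        print(f"{label:36} -> {experience_tier(policies, slr)}")
```

Because conditions and resource scoping are ignored, treat the result as a first-pass review aid and confirm edge cases with the IAM policy simulator.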

## Index
<a name="term-index"></a>

An *index* is the collection of information maintained by Resource Explorer about all of the AWS resources in one AWS Region in your AWS account. Resource Explorer updates the index automatically as you create and delete resources in your AWS account. In the earlier diagram, the boxes under the AWS Region names represent the Resource Explorer indexes maintained in each AWS Region. The index in a Region is the source of information for any views created in that Region. Users can't directly query the index. Instead, they must always query using a view.

There are three types of indexes:

**Resource Explorer-owned index**  
A *Resource Explorer owned index* exists in every AWS Region and is managed by the Resource Explorer service. These indexes cannot be deleted or modified by users. Resource Explorer owned indexes provide partial search results, including all tagged resources and supported untagged resources created after the [immediate resource discovery](https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-immediate-resource-discovery-experience.html) release. Users with only the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy access resources through these indexes.

**User-owned (local) index**  
There is one *user-owned (local) index* in every AWS Region in which you complete setup for Resource Explorer. A user-owned index contains complete information about all resources in the same Region and provides full search results.

**Aggregator index**  
The Resource Explorer administrator can also designate the index in one AWS Region to be the *aggregator index* for the AWS account. The aggregator index receives and stores a copy of the index for every other Region where user-owned indexes exist in the account. The aggregator index also receives and stores information about the resources in its own Region. In the earlier diagram, the Region `us-west-2` contains the aggregator index for the account. The primary reason to designate an aggregator index for the account is so that you can create views that can include resources from all Regions in the account. Using an aggregator index is optional but recommended for cross-Region search capabilities. There can be ***only one*** aggregator index in an AWS account.  
When you complete setup for Resource Explorer, you can specify which AWS Region contains the aggregator index. You can also change the AWS Region used for the aggregator index later. For information about how to promote a local index to make it the aggregator index for its AWS account, see [Enabling cross-Region search by creating an aggregator index](manage-aggregator-region.md).

After the service-linked role has been created in the account (created by a user with the `iam:CreateServiceLinkedRole` permission, which is included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy), automatic index creation occurs when users with, at minimum, the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy perform their first search in a Region that doesn't have a user-owned index set up already. If the service-linked role doesn't exist in the account, the user needs the `iam:CreateServiceLinkedRole` permission to create it. After the service-linked role exists in the account, any user with, at minimum, the permissions in the [`AWSResourceExplorerReadOnlyAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html) managed policy can trigger automatic index creation for complete search results.

An index is a resource with an [Amazon resource name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). However, you can use this ARN only in permission policies to grant access to operations that interact directly with the index. With those operations, you can create views and set them as the default in a Region, enable or disable Resource Explorer in a Region, and create an aggregator index for the account. The ARN of an index looks similar to the following example:

```
arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111
```

## View
<a name="term-view"></a>

A *view* is the mechanism used to query the resources listed in an index. The view defines what information in the index is visible and available for search and discovery purposes. A user never directly queries the Resource Explorer index. Instead, queries must always go through a view which lets the view creator limit which resources the user can see in search results. 

For more information about views in Resource Explorer, see [Working with views](views.md).

## Resource
<a name="term-resource"></a>

A *resource* is an entity in AWS that you can work with. Resources are created by AWS services as you use the features of the service. Examples include an Amazon EC2 instance, an Amazon S3 bucket, or an AWS CloudFormation stack. Some resource types can contain customer data. All resource types have attributes or metadata to describe the resource, including a name, description, and the [Amazon resource name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) that you use to uniquely reference a resource. Most [resource types also support tags](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html). Tags are custom metadata that you can attach to your resources for a variety of purposes, such as [cost allocation in your billing](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/aws-tags.html), [security authorization using attribute-based access control](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html), or to support your other categorization needs.

The primary purpose of Resource Explorer is to help you find the resources that exist in your AWS account. Resource Explorer uses a variety of techniques to discover all of your resources and place information about them in an [index](#term-index). Then, you can query the index through whatever [views](#term-view) that your administrator makes available to you.

**Important**  
Resource Explorer intentionally excludes those resource types whose inclusion would expose customer data. The following resource types are ***not*** indexed by Resource Explorer and are therefore never returned in search results:
+ Amazon S3 objects that are contained *within* a bucket
+ Amazon DynamoDB table items
+ DynamoDB attribute values

## Unified Search in the AWS Management Console
<a name="term-unified-search"></a>

At the top of the AWS Management Console, in every AWS service, there is a search bar that you can use to search for a variety of AWS related things. You can search for services and features, and get links directly to the relevant page in that service's console. You can also search for documentation and blog articles related to your search term.

[Unified Search](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/using-search.html) automatically uses the default view in the AWS Region that contains the aggregator index for the account or the default or service view per Region. This lets you search for a resource from any page in the AWS Management Console, without having to first open Resource Explorer.

**Important**  
Unified Search automatically inserts a wildcard character (`*`) operator at the end of the first keyword in the string. This means that unified search results include resources that match any string that starts with the specified keyword.  
The search performed by the **Query** text box on the [Resource search](https://console.aws.amazon.com/resource-explorer/home#/explorer) page in the Resource Explorer console does ***not*** automatically append a wildcard character. You can insert a `*` manually after any term in the search string.

For more information about Unified Search and its integration with Resource Explorer, see [Using Unified Search in the AWS Management Console](using-unified-search.md).

## Multi-account search
<a name="term-multi-account-search"></a>

With multi-account search, you can search and discover resources across AWS Organizations and AWS Regions with a single keyword search.

For more information about multi-account search and how to enable it for Resource Explorer, see [Turning on multi-account search](manage-service-multi-account.md).

# Prerequisites to using Resource Explorer
<a name="getting-started-setting-up-prereqs"></a>

Before you use AWS Resource Explorer for the first time, complete the following tasks as required.

**Topics**
+ [Sign up for an AWS account](#sign-up-for-aws)
+ [Create a user with administrative access](#create-an-admin)

## Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

# Setting up and configuring Resource Explorer
<a name="getting-started-setting-up"></a>

AWS Resource Explorer is available immediately when you have the appropriate permissions. Users with, at minimum, the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy can start searching for resources right away without any setup. Users with the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy and `iam:CreateServiceLinkedRole` permissions (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy) get complete search results with automatic infrastructure creation on first search. 

**Note**  
After the service-linked role is created in your account when any user with the `iam:CreateServiceLinkedRole` permission accesses Resource Explorer, subsequent users need only, at minimum, the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy to create an index and view for full results in a Region on first search.

Your search experience is automatically enabled based on your IAM permissions. For enhanced functionality like cross-Region search, multi-account configurations, or more control over your Resource Explorer configuration, you can use the manual setup options below.

Quick Setup and Advanced Setup options remain available for customers who want cross-Region search or more control over their Resource Explorer configuration.

**Note**  
Multi-account search requires that your account is part of an AWS Organizations organization. 

There are two ways to enhance your Resource Explorer configuration:
+ [**Enable Cross-Region Search**](#getting-started-setting-up-quick)
+ [**Enhanced Configuration Options**](#getting-started-setting-up-advanced)

**Important**  
If you choose to create user-owned indexes using any option that says "all AWS Regions", it creates indexes only in those AWS Regions that exist and that are [enabled in the AWS account](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable) *at the time you perform the procedure*. User-owned indexes are ***not*** automatically created in any AWS Regions that AWS adds in the future. When AWS introduces a new Region, you can choose to create user-owned indexes in the Region manually when it appears in the **[Settings](https://console.aws.amazon.com/resource-explorer/home#/settings)** page of the Resource Explorer console, or by calling the [CreateIndex](https://docs.aws.amazon.com/resource-explorer/latest/apireference/API_CreateIndex.html) operation.
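The following check is an added example, not part of the AWS documentation: it compares the Regions enabled in the account with the Regions where `list-indexes` reports an index, and prints the `create-index` command for each gap. It assumes that credentials and a default Region are configured for the AWS CLI and treats any index returned by `list-indexes` as covering its Region; the `AWS` variable and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example: list Regions enabled in the account that have no
# Resource Explorer index. Not part of the AWS documentation.
# Assumption: the AWS variable (a name chosen here) selects the CLI binary,
# so a stub can stand in for it during offline testing.
AWS="${AWS:-aws}"

# Regions currently enabled for the account (opt-in Regions included).
enabled_regions() {
    "$AWS" ec2 describe-regions --query 'Regions[].RegionName' --output text
}

# Regions in which Resource Explorer reports an index.
indexed_regions() {
    "$AWS" resource-explorer-2 list-indexes --query 'Indexes[].Region' --output text
}

# Print each Region from list $1 that does not appear in list $2.
# Both lists are whitespace-separated (spaces, tabs or newlines).
regions_without_index() {
    have=" $(echo $2) "          # collapse tabs/newlines to single spaces
    for region in $1; do
        case "$have" in
            *" $region "*) ;;    # an index exists in this Region
            *) echo "$region" ;;
        esac
    done
}

# Exit status: 0 = every enabled Region is indexed, 1 = gaps, 2 = CLI error.
report_gaps() {
    enabled=$(enabled_regions) || return 2
    indexed=$(indexed_regions) || return 2
    missing=$(regions_without_index "$enabled" "$indexed")
    if [ -z "$missing" ]; then
        return 0
    fi
    for region in $missing; do
        echo "no index in $region (fix: aws resource-explorer-2 create-index --region $region)"
    done
    return 1
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    report_gaps
fi
```

Run the script with `--check` on a schedule, for example after AWS announces a new Region or after you enable an opt-in Region, and alert on a nonzero exit status.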

**Note**  
Configuring Resource Explorer can enhance the ability to search for resources using the [Unified Search](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/using-search.html) bar on the AWS Management Console. Unified Search works with local Region indexes and does not require an aggregator index. For cross-Region search capabilities, you can optionally configure an aggregator index and default view. For more information, see [Using Unified Search in the AWS Management Console](using-unified-search.md).

## Enabling cross-Region search
<a name="getting-started-setting-up-quick"></a>

To enable cross-Region search capabilities, you can complete setup to create user-owned indexes and configure an aggregator index. This procedure does the following:
+ Creates user-owned indexes in every AWS Region in your AWS account for complete search results.
+ Updates the index in the Region you specify to be the aggregator index for the account.
+ Creates a default view in the aggregator index Region. This view has no filters so it returns all resources found in the index.

**Minimum permissions**

To perform the steps in the following procedure, you must have the following permissions:
+ **Action**: `resource-explorer-2:*` – **Resource**: no specific resource (`*`)
+ **Action**: `iam:CreateServiceLinkedRole` – **Resource**: no specific resource (`*`)

------
#### [ AWS Management Console ]

**To enable cross-Region search**

1. Open the [AWS Resource Explorer console](https://console.aws.amazon.com/resource-explorer) at [https://console.aws.amazon.com/resource-explorer](https://console.aws.amazon.com/resource-explorer).

1. If you see the **Complete setup and enable cross-Region search** banner, proceed to the next step. Otherwise, navigate to **Settings** to access setup options. You can also access **Complete Setup** from the left navigation when available.

1. In the **Complete setup and enable cross-Region search** banner, select your preferred aggregator index from the list. Choose the Region that is appropriate for the geographic location of your users.

1. Choose **Enable cross-Region search in all Regions**. Alternatively, you can choose **Customize Region setup** for more granular control over which Regions to include.

1. Monitor the indexing progress. 

1. Wait for the setup to complete. The indexing process creates user-owned indexes in all or selected Regions and configures the aggregator index in your selected Region.

After setup completes, you and your users can search for resources across all Regions. The cross-Region search capability will be fully available after indexing is complete.

**Note**  
Tagged resources local to the index appear in search results within a few minutes. Untagged resources typically take less than two hours to appear, but can take longer when there is heavy demand. It can also take up to an hour to complete the initial replication to a new aggregator index from all of the existing local indexes.

**Next steps:** Before your users can search with the default view you just created, you must grant them permissions to search with it. For more information, see [Granting access to Resource Explorer views for search](configure-views-grant-access.md).

------
#### [ AWS CLI ]

Setting up Resource Explorer in your AWS account by using the AWS CLI is, by definition, equivalent to the **Advanced setup** option. This is because the Resource Explorer CLI operations don't perform any of the steps for you automatically like the Resource Explorer console does. For the commands that are equivalent to the console procedure, see the AWS CLI tab in [Using enhanced configuration options](#getting-started-setting-up-advanced).

------

## Using enhanced configuration options
<a name="getting-started-setting-up-advanced"></a>

For more granular control over your Resource Explorer configuration, you can use Advanced setup options to:
+ Choose the AWS Regions in which to create user-owned indexes for complete search results.
+ Choose whether to configure one Region with an [aggregator index](getting-started-terms-and-concepts.md#term-index). If you do, you specify the AWS Region to place it in. This index allows you to create views that can include resources from all Regions in the account. For more information, see [Enabling cross-Region search by creating an aggregator index](manage-aggregator-region.md).
+ Choose whether to create a default view. That view allows searching automatically for any AWS resource in the Regions where you have user-owned indexes. You must ensure that any principals who need to use the default view to search in Resource Explorer have permissions on the view. For more information, see [Granting access to Resource Explorer views for search](configure-views-grant-access.md).

**Minimum permissions**

To perform the steps in the following procedure, you must have the following permissions:
+ **Action**: `resource-explorer-2:*` – **Resource**: no specific resource (`*`)
+ **Action**: `iam:CreateServiceLinkedRole` – **Resource**: no specific resource (`*`)

------
#### [ AWS Management Console ]

**To configure Resource Explorer with enhanced options**

1. Open the [AWS Resource Explorer console](https://console.aws.amazon.com/resource-explorer) at [https://console.aws.amazon.com/resource-explorer](https://console.aws.amazon.com/resource-explorer).

1. Navigate to **Settings** to access enhanced configuration options, or choose **Customize Region setup** from the cross-Region setup banner. You can also access **Complete Setup** from the left navigation when available.

1. Select the specific Regions where you want to create user-owned indexes, or configure custom view settings as needed.

1. If you are enabling cross-Region search, review the "Confirm cross-Region setup" modal, which explains: "By enabling cross-Region search, AWS performs the following steps:" followed by details about creating indexes in all AWS Regions, creating the aggregator index, and creating a default view with a filter.

1. Choose **Cancel** to return to the previous screen, or **Confirm and enable** to proceed with the cross-Region setup.

1. Monitor the setup progress and wait for indexing to complete. To continue using Resource Explorer with partial results during this process, choose **Proceed to Resource Search**.

------
#### [ AWS CLI ]

**To set up Resource Explorer using Advanced setup**  
The Resource Explorer console performs many API operation calls on your behalf based on the choices you make. The following example AWS CLI commands illustrate how to perform the same basic procedures outside of the console using the AWS CLI.

**Example Step 1: Create user-owned indexes in the desired AWS Regions**  
Run the following command in each AWS Region in which you want to activate Resource Explorer. The following example command enables Resource Explorer in the AWS Region that is the default for the AWS CLI.  

```
$ aws resource-explorer-2 create-index
{
    "Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111",
    "CreatedAt": "2022-07-27T16:17:12.130000+00:00",
    "State": "CREATING"
}
```

**Example Step 2: Update the index in one AWS Region to be the aggregator index for the account**  
Run the following command in the AWS Region in which you want Resource Explorer to update the local index to the aggregator index for the account. The following example command updates the index in the US East (N. Virginia) Region (`us-east-1`) to be the aggregator index.  

```
$ aws resource-explorer-2 update-index-type \
    --arn arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111 \
    --type AGGREGATOR
{
    "Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111",
    "LastUpdatedAt": "2022-07-27T16:29:49.231000+00:00",
    "State": "UPDATING",
    "Type": "AGGREGATOR"
}
```

**Example Step 3: Create a view in the AWS Region that contains the aggregator index**  
Run the following command in the AWS Region in which you created the aggregator index. The following example command creates a view identical to the one created by the Resource Explorer console setup process. This new view includes tags attached to the resource as part of the indexed information and supports searching for resources by tag key or value.   

```
$ aws resource-explorer-2 create-view \
    --view-name My-New-View \
    --included-properties Name=tags
{
    "View": {
        "Filters": {
            "FilterString": ""
        },
        "IncludedProperties": [
            {
                "Name": "tags"
            }
        ],
        "LastUpdatedAt": "2022-07-27T16:34:14.960000+00:00",
        "Owner": "123456789012",
        "Scope": "arn:aws:iam::123456789012:root",
        "ViewArn": "arn:aws:resource-explorer-2:us-east-1:123456789012:view/My-New-View/1a2b3c4d-5d6e-7f8a-9b0c-abcd22222222"
    }
}
```

**Example Step 4: Set your new view as the default for its AWS Region**  
The following example sets the view you created in the previous step as the default for the Region. You must run the following command in the same AWS Region in which you created the default view.   

```
$ aws resource-explorer-2 associate-default-view \
    --view-arn arn:aws:resource-explorer-2:us-east-1:123456789012:view/My-New-View/1a2b3c4d-5d6e-7f8a-9b0c-abcd22222222
{
    "ViewArn": "arn:aws:resource-explorer-2:us-east-1:123456789012:view/My-New-View/1a2b3c4d-5d6e-7f8a-9b0c-abcd22222222"
}
```

Before your users can search with a view, you must grant them permissions to use that view. For more information, see [Granting access to Resource Explorer views for search](configure-views-grant-access.md).

After you run those commands, Resource Explorer is running in the specified Regions in your AWS account. Resource Explorer builds and maintains an index in each Region with details of the resources located there. Resource Explorer replicates each of the individual Region indexes to the aggregator index in the specified Region. That Region also contains a view that IAM roles and users in the account can use to search for resources across all indexed Regions, once they have been granted permissions on the view.

**Note**  
Tagged resources local to the index appear in search results within a few minutes. Untagged resources typically take less than two hours to appear, but can take longer when there is heavy demand. It can also take up to an hour to complete the initial replication to a new aggregator index from all of the existing local indexes.

------