AWS managed policies for AWS Resource Explorer
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
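Because an update to an AWS managed policy reaches every principal it is attached to, it helps to diff the old and new policy versions and see exactly which actions were newly granted. The following is an added example, not AWS code: the two policy documents are constructed samples (not the real managed policy JSON), and the read-only verb prefixes are a heuristic assumed for this example. In practice the two documents would come from the IAM GetPolicyVersion operation.

```python
import fnmatch

# Heuristic (assumption of this example): verbs with these prefixes only read data.
READ_PREFIXES = ("Get", "List", "Describe", "Search", "BatchGet")

def allowed_actions(policy_doc):
    """Collect the action patterns granted by Allow statements."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):       # a lone statement may be a bare object
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue                       # Deny / NotAction are out of scope here
        value = stmt["Action"]
        actions.update([value] if isinstance(value, str) else value)
    return actions

def covered(action, patterns):
    """True if an existing pattern (with * or ?) already grants this action."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_read_only(action):
    """Classify by verb prefix; a bare '*' verb is treated as mutating."""
    return action.split(":", 1)[-1].startswith(READ_PREFIXES)

def newly_granted(old_doc, new_doc):
    """Return [(action, is_read_only)] for actions the old version did not grant."""
    old, new = allowed_actions(old_doc), allowed_actions(new_doc)
    return [(a, is_read_only(a)) for a in sorted(new) if not covered(a, old)]

# Constructed sample versions, built from action names listed on this page.
OLD_VERSION = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["resource-explorer-2:Get*", "resource-explorer-2:List*",
               "resource-explorer-2:Search", "ec2:DescribeRegions",
               "ram:ListResources", "ram:GetResourceShares"]}]}
NEW_VERSION = {"Version": "2012-10-17", "Statement": OLD_VERSION["Statement"] + [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["resource-explorer-2:GetIndex",        # already covered by Get*
               "organizations:DescribeOrganization",
               "iam:CreateServiceLinkedRole"]}]}

if __name__ == "__main__":
    for action, read_only in newly_granted(OLD_VERSION, NEW_VERSION):
        print(f"{'read-only' if read_only else 'REVIEW   '}  {action}")
```

Actions marked for review are the ones to check against every user, group, and role the policy is attached to before relying on the updated version.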
General AWS managed policies that include Resource Explorer permissions
- AdministratorAccess – Grants full access to AWS services and resources.
- ReadOnlyAccess – Grants read-only access to AWS services and resources.
- ViewOnlyAccess – Grants permissions to view resources and basic metadata for AWS services.
Note: The Resource Explorer Get* permissions included in the ViewOnlyAccess policy perform like List permissions although they return only a single value, because a Region can contain only one index and one default view.
AWS managed policies for Resource Explorer
AWS managed policy: AWSResourceExplorerFullAccess
You can assign the AWSResourceExplorerFullAccess policy to your IAM identities.
This policy grants permissions that allow full administrative control of the Resource Explorer service. You can perform all tasks involved in turning on and managing Resource Explorer in the AWS Regions in your account. With this policy, the Resource Explorer console shows information from other integrated AWS services and allows you to perform actions such as creating an application.
Permissions details
This policy includes permissions that allow all actions for Resource Explorer, including turning on and turning off Resource Explorer in AWS Regions, creating or deleting an aggregator index for the account, creating, updating, and deleting views, and searching. This policy also includes permissions that are not part of Resource Explorer:
- ec2:DescribeRegions – allows Resource Explorer to access the details about the Regions in your account.
- ram:ListResources – allows Resource Explorer to list the resource shares that resources are part of.
- ram:GetResourceShares – allows Resource Explorer to identify details about the resource shares that you own or that are shared with you.
- iam:CreateServiceLinkedRole – allows Resource Explorer to create the required service-linked role when you turn on Resource Explorer by creating the first index.
- organizations:DescribeOrganization – allows Resource Explorer to access information about your organization.
To see the latest version of this AWS managed policy, see AWSResourceExplorerFullAccess in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSResourceExplorerReadOnlyAccess
You can assign the AWSResourceExplorerReadOnlyAccess policy to your IAM identities.
This policy grants read-only permissions that allow users to discover their resources with basic search access, and to access other integrated AWS services in the Resource Explorer console.
Permissions details
This policy includes permissions that allow users to perform the Resource Explorer Get*, List*, and Search operations to view information about Resource Explorer components and configuration settings, but doesn't allow users to change them. Users can also search. This policy also includes two permissions that are not part of Resource Explorer:
- ec2:DescribeRegions – allows Resource Explorer to access the details about the Regions in your account.
- ram:ListResources – allows Resource Explorer to list the resource shares that resources are part of.
- ram:GetResourceShares – allows Resource Explorer to identify details about the resource shares that you own or that are shared with you.
- organizations:DescribeOrganization – allows Resource Explorer to access information about your organization.
To see the latest version of this AWS managed policy, see AWSResourceExplorerReadOnlyAccess in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSResourceExplorerServiceRolePolicy
You can't attach AWSResourceExplorerServiceRolePolicy to any IAM entities yourself. This policy can be attached only to a service-linked role that allows Resource Explorer to perform actions on your behalf. For more information, see Using service-linked roles for Resource Explorer.
This policy grants the permissions required for Resource Explorer to retrieve information about your resources. Resource Explorer populates the indexes it maintains in each AWS Region that you register.
To see the latest version of this AWS managed policy, see AWSResourceExplorerServiceRolePolicy in the IAM console.
AWS managed policy: AWSResourceExplorerOrganizationsAccess
You can assign AWSResourceExplorerOrganizationsAccess to your IAM identities.
This policy grants administrative permissions to Resource Explorer and grants read-only permissions to other AWS services to support this access. The AWS Organizations administrator needs these permissions to set up and manage multi-account search in the console.
Permissions details
This policy includes permissions that allow administrators to set up multi-account search for the organization:
- ec2:DescribeRegions – Allows Resource Explorer to access the details about the Regions in your account.
- ram:ListResources – Allows Resource Explorer to list the resource shares that resources are part of.
- ram:GetResourceShares – Allows Resource Explorer to identify details about the resource shares that you own or that are shared with you.
- organizations:ListAccounts – Allows Resource Explorer to identify the accounts within an organization.
- organizations:ListRoots – Allows Resource Explorer to identify the root accounts within an organization.
- organizations:ListOrganizationalUnitsForParent – Allows Resource Explorer to identify the organizational units (OUs) in a parent organizational unit or root.
- organizations:ListAccountsForParent – Allows Resource Explorer to identify the accounts in an organization that are contained by the specified target root or an OU.
- organizations:ListDelegatedAdministrators – Allows Resource Explorer to identify the AWS accounts that are designated as delegated administrators in this organization.
- organizations:ListAWSServiceAccessForOrganization – Allows Resource Explorer to identify a list of the AWS services that are enabled to integrate with your organization.
- organizations:DescribeOrganization – Allows Resource Explorer to retrieve information about the organization that the user's account belongs to.
- organizations:EnableAWSServiceAccess – Allows Resource Explorer to enable the integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations.
- organizations:DisableAWSServiceAccess – Allows Resource Explorer to disable the integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations.
- organizations:RegisterDelegatedAdministrator – Allows Resource Explorer to enable the specified member account to administer the organization's features of the specified AWS service.
- organizations:DeregisterDelegatedAdministrator – Allows Resource Explorer to remove the specified member AWS account as a delegated administrator for the specified AWS service.
- iam:GetRole – Allows Resource Explorer to retrieve information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role.
- iam:CreateServiceLinkedRole – Allows Resource Explorer to create the required service-linked role when you turn on Resource Explorer by creating the first index.
To see the latest version of this AWS managed policy, see AWSResourceExplorerOrganizationsAccess in the IAM console.
Resource Explorer updates to AWS managed policies
View details about updates to AWS managed policies for Resource Explorer since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Resource Explorer Document history page.
Change | Description | Date |
---|---|---|
AWSResourceExplorerServiceRolePolicy - Updated policy permissions to view additional resource types | Resource Explorer added permissions to the service-linked role policy AWSResourceExplorerServiceRolePolicy that allows Resource Explorer to view additional resource types: | November 21, 2024 |
AWSResourceExplorerServiceRolePolicy - Updated policy permissions to view additional resource types | Resource Explorer added permissions to the service-linked role policy AWSResourceExplorerServiceRolePolicy that allows Resource Explorer to view additional resource types: | December 12, 2023 |
New managed policy | Resource Explorer added the following AWS managed policy: | November 14, 2023 |
Updated managed policies | Resource Explorer updated the following AWS managed policies to support multi-account search: | November 14, 2023 |
AWSResourceExplorerServiceRolePolicy – Updated policy to support multi-account search with Organizations | Resource Explorer added permissions to the service-linked role policy | November 14, 2023 |
AWSResourceExplorerServiceRolePolicy – Updated policy to support additional resource types | Resource Explorer added permissions to the service-linked role policy | October 17, 2023 |
AWSResourceExplorerServiceRolePolicy – Updated policy to support additional resource types | Resource Explorer added permissions to the service-linked role policy | August 1, 2023 |
AWSResourceExplorerServiceRolePolicy – Updated policy to support additional resource types | Resource Explorer added permissions to the service-linked role policy | March 7, 2023 |
New managed policies | Resource Explorer added the following AWS managed policies: | November 7, 2022 |
Resource Explorer started tracking changes | Resource Explorer started tracking changes for its AWS managed policies. | November 7, 2022 |