Prerequisites for working with Amazon Resource Groups
Before you get started working with resource groups, be sure you have an active Amazon account with existing resources and appropriate rights to tag resources and create groups.
Sign up for Amazon
If you do not have an Amazon Web Services account, use the following procedure to create one.
To sign up for Amazon Web Services
Open http://www.amazonaws.cn/
and choose Sign Up. Follow the on-screen instructions.
Create resources
You can create an empty resource group, but won't be able to perform any tasks on resource group members until there are resources in the group. For more information about the supported resource types, see Resource types you can use with Amazon Resource Groups and Tag Editor.
Set up permissions
To make full use of Resource Groups and Tag Editor, you might need additional permissions to tag resources or to see a resource's tag keys and values. These permissions fall into the following categories:
-
Permissions for individual services so that you can tag resources from those services and include them in resource groups.
-
Permissions that are required to use the Tag Editor console
-
Permissions that are required to use the Amazon Resource Groups console and API.
If you are an administrator, you can provide permissions for your users by creating policies through the Amazon Identity and Access Management (IAM) service. You first create your principals, such as IAM roles or users, or associate external identities with your Amazon environment using a service like Amazon IAM Identity Center. Then you apply policies with the permissions that your users need. For information about creating and attaching IAM policies, see Working with policies.
Permissions for individual services
Important
This section describes permissions that are required if you want to tag resources from other service consoles and APIs, and add those resources to resource groups.
As described in What are resource groups?, each resource group represents a collection of resources of specified types that share one or more tag keys or values. To add tags to a resource, you need the permissions required for the service to which the resource belongs. For example, to tag Amazon EC2 instances, your must have permissions to the tagging actions in that service's API, such as those listed in the Amazon EC2 User Guide.
To make full use of the Resource Groups feature, you need other permissions that allow you to access a service's console and interact with the resources there. For examples of such policies for Amazon EC2, see Example policies for working in the Amazon EC2 console in the Amazon EC2 User Guide for Linux Instances.
Required permissions for Resource Groups and Tag Editor
To use Resource Groups and Tag Editor, the following permissions must be added to a user's policy statement in IAM. You can add either Amazon-managed policies that are maintained and kept up-to-date by Amazon, or you can create and maintain your own custom policy.
Using Amazon managed policies for Resource Groups and Tag Editor permissions
Amazon Resource Groups and Tag Editor support the following Amazon managed policies that you can use to provide a predefined set of permissions to your users. You can attach these managed policies to any user, role or group just as you would any other policy that you create.
- ResourceGroupsandTagEditorReadOnlyAccess
-
This policy grants the attached IAM role or user permission to call the read-only operations for both Resource Groups and Tag Editor. To read a resource's tags, you must also have permissions for that resource through a separate policy (see the following Important note).
- ResourceGroupsandTagEditorFullAccess
-
This policy grants the attached IAM role or user permission to call any Resource Groups operation and the read and write tag operations in Tag Editor. To read or write a resource's tags, you must also have permissions for that resource through a separate policy (see the following Important note).
Important
The two previous policies grant permission to call the Resource Groups and Tag Editor operations and use those consoles. For Resource Groups operations, those policies are sufficient and grant all the permissions needed to work with any resource in the Resource Groups console.
However, for tagging operations and the Tag Editor console, permissions are more granular. You must have permissions not only to invoke the operation, but also appropriate permissions to the specific resource whose tags you're trying to access. To grant that access to the tags, you must also attach one of the following policies:
-
The Amazon-managed policy ReadOnlyAccess
grants permissions to the read-only operations for every service's resources. Amazon automatically keeps this policy up to date with new Amazon services as they become available. -
Many services provide a service-specific read-only Amazon-managed policies that you can use to limit access to only the resources provided by that service. For example, Amazon EC2 provides AmazonEC2ReadOnlyAccess
. -
You could create your own policy that grants access to only the very specific read-only operations for the few services and resources you want your users to access. This policy use either an "allow list" strategy or a deny list strategy.
An allow list strategy takes advantage of the fact that access is denied by default until you explicitly allow it in a policy. So you can use a policy like the following example:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "resource-groups:*" ], "Resource": "arn:aws-cn:resource-groups:*:123456789012:group/*" } ] }Alternatively, you could use a "deny list" strategy that allows access to all resources except those that you explicitly block.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "resource-groups:*" ], "Resource": "arn:aws-cn:resource-groups:*:123456789012:group/*" } ] }
Adding Resource Groups and Tag Editor permissions manually
-
resource-groups:*(This permission allows all Resource Groups actions. If you instead want to restrict actions that are available to a user, you can replace the asterisk with a specific Resource Groups action, or to a comma-separated list of actions) -
cloudformation:DescribeStacks -
cloudformation:ListStackResources -
tag:GetResources -
tag:TagResources -
tag:UntagResources -
tag:getTagKeys -
tag:getTagValues -
resource-explorer:*
Note
The resource-groups:SearchResources permission allows Tag Editor to list resources when
you filter your search using tag keys or values.
The resource-explorer:ListResources permission allows Tag Editor to list resources
when you search resources without defining search tags.
To use Resource Groups and Tag Editor in the console, you also need permission to run the
resource-groups:ListGroupResources action. This permission is
necessary for listing available resource types in the current Region. Using
policy conditions with resource-groups:ListGroupResources is not
currently supported.
Granting permissions for using Amazon Resource Groups and Tag Editor
To add a policy for using Amazon Resource Groups and Tag Editor to a user, do the following.
-
Open the IAM console
. -
In the navigation pane, choose Users.
-
Find the user to whom you want to grant Amazon Resource Groups and Tag Editor permissions. Choose the user's name to open the user properties page.
-
Choose Add permissions.
-
Choose Attach existing policies directly.
-
Choose Create policy.
-
On the JSON tab, paste the following policy statement.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "resource-groups:*", "cloudformation:DescribeStacks", "cloudformation:ListStackResources", "tag:GetResources", "tag:TagResources", "tag:UntagResources", "tag:getTagKeys", "tag:getTagValues", "resource-explorer:*" ], "Resource": "*" } ] }Note
This example policy statement grants permissions only for Amazon Resource Groups and Tag Editor actions. It does not allow access to Amazon Systems Manager tasks in the Amazon Resource Groups console. For example, this policy does not grant permissions for you to use Systems Manager Automation commands. To perform Systems Manager tasks on resource groups, you must have Systems Manager permissions attached to your policy (such as
ssm:*). For more information about granting access to Systems Manager, see Configuring access to Systems Manager in the Amazon Systems Manager User Guide. -
Choose Review policy.
-
Give the new policy a name and description. (for example,
AWSResourceGroupsQueryAPIAccess). -
Choose Create policy.
-
Now that the policy is saved in IAM, you can attach it to other users. For more information about how to add a policy to a user, see Adding permissions by attaching policies directly to the user in the IAM User Guide.
Learn more about Amazon Resource Groups authorization and access control
Resource Groups supports the following.
-
Action-based policies. For example, you can create a policy that allows users to perform ListGroups operations, but no others.
-
Resource-level permissions. Resource Groups supports using ARNs to specify individual resources in the policy.
-
Authorization based on tags. Resource Groups supports using resource tags in the condition of a policy. For example, you can create a policy that allows Resource Groups users full access to a group that you have tagged.
-
Temporary credentials. Users can assume a role with a policy that allows Amazon Resource Groups operations.
Resource Groups doesn't support resource-based policies.
Resource Groups doesn't use any service-linked roles.
For more information about how Resource Groups and Tag Editor integrate with Amazon Identity and Access Management (IAM), see the following topics in the Amazon Identity and Access Management User Guide.