Amazon Resource Explorer and Amazon Organizations - Amazon Organizations
Service-linked rolesService principalsEnable trusted accessDisable trusted accessEnabling a delegated administrator account for Resource ExplorerDisabling a delegated administrator for Resource Explorer
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Resource Explorer and Amazon Organizations

Amazon Resource Explorer is a resource search and discovery service. With Resource Explorer, you can explore your resources, such as Amazon Elastic Compute Cloud instances, Amazon Kinesis Data Streams, or Amazon DynamoDB tables, using an internet search engine-like experience. You can search for your resources using resource metadata such as names, tags, and IDs. Resource Explorer works across Amazon Regions in your account to simplify your cross-Region workloads.

When you integrate Resource Explorer with Amazon Organizations, you can gather evidence from a broader source by including multiple Amazon Web Services accounts from your organization within the scope of your assessments.

Use the following information to help you integrate Amazon Resource Explorer with Amazon Organizations.

Service-linked roles created when you enable integration

The following service-linked role is automatically created in your organization's management account when you enable trusted access. This role allows Resource Explorer to perform supported operations within your organization's accounts in your organization.

You can delete or modify this role only if you disable trusted access between Resource Explorer and Organizations, or if you remove the member account from the organization.

For more information about how Resource Explorer uses this role, see Using service-linked roles in the Amazon Resource Explorer Users Guide.

  • AWSServiceRoleForResourceExplorer

Service principals used by the service-linked roles

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Resource Explorer grant access to the following service principals:

  • resource-explorer-2.amazonaws.com

To enable trusted access with Amazon Resource Explorer

For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.

Resource Explorer requires trusted access to Amazon Organizations before you can designate a member account to be the delegated administrator for your organization.

You can enable trusted access using either the Resource Explorer console or the Organizations console. We strongly recommend that whenever possible, you use the Resource Explorer console or tools to enable integration with Organizations. This lets Amazon Resource Explorer perform any configuration that it requires, such as creating resources needed by the service.

To enable trusted access using the Resource Explorer console

For instructions about enabling trusted access, see Prerequisites to using Resource Explorer in the Amazon Resource Explorer User Guide.

Note

If you configure a delegated administrator using the Amazon Resource Explorer console, then Amazon Resource Explorer automatically enables trusted access for you.

You can enable trusted access by running a Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.

Amazon CLI, Amazon API
To enable trusted service access using the Organizations CLI/SDK

You can use the following Amazon CLI commands or API operations to enable trusted service access:

  • Amazon CLI: enable-aws-service-access

    You can run the following command to enable Amazon Resource Explorer as a trusted service with Organizations.

    $ aws organizations enable-aws-service-access \
    --service-principal resource-explorer-2.amazonaws.com

    This command produces no output when successful.

  • Amazon API: EnableAWSServiceAccess

To disable trusted access with Resource Explorer

For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.

Only an administrator in the Amazon Organizations management account can disable trusted access with Amazon Resource Explorer.

You can disable trusted access using either the Amazon Resource Explorer or Amazon Organizations tools.

Important

We strongly recommend that whenever possible, you use the Amazon Resource Explorer console or tools to disable integration with Organizations. This lets Amazon Resource Explorer perform any clean up that it requires, such as deleting resources or access roles that are no longer needed by the service. Proceed with these steps only if you can’t disable integration using the tools provided by Amazon Resource Explorer.

If you disable trusted access by using the Amazon Resource Explorer console or tools then you don’t need to complete these steps.

You can disable trusted access by running a Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.

Amazon CLI, Amazon API
To disable trusted service access using the Organizations CLI/SDK

You can use the following Amazon CLI commands or API operations to disable trusted service access:

  • Amazon CLI: disable-aws-service-access

    You can run the following command to disable Amazon Resource Explorer as a trusted service with Organizations.

    $ aws organizations disable-aws-service-access \
    --service-principal resource-explorer-2.amazonaws.com

    This command produces no output when successful.

  • Amazon API: DisableAWSServiceAccess

Enabling a delegated administrator account for Resource Explorer

Use your delegated administrator account to create multi-account resource views and scope it to an organizational unit or your entire organization. You can share multi-account views with any account in your organization via Amazon Resource Access Manager by creating resource shares.

Minimum permissions

Only a user or role in the Organizations management account with the following permission can configure a member account as a delegated administrator for Resource Explorer in the organization:

resource-explorer:RegisterAccount

For instruction about enabling a delegated administrator account for Resource Explorer, see Setting Up in the Amazon Resource Explorer User Guide.

If you configure a delegated administrator using the Amazon Resource Explorer console, then Resource Explorer automatically enables trusted access for you.

Amazon CLI, Amazon API

If you want to configure a delegated administrator account using the Amazon CLI or one of the Amazon SDKs, you can use the following commands:

  • Amazon CLI: 

    $ aws organizations register-delegated-administrator \
    --account-id 123456789012 \
    --service-principal resource-explorer-2.amazonaws.com

  • Amazon SDK: Call the Organizations RegisterDelegatedAdministrator operation and the member account's ID number and identify the account service resource-explorer-2.amazonaws.com as parameters.

Disabling a delegated administrator for Resource Explorer

Only an administrator in the Organizations management account or in the Resource Explorer delegated administrator account can remove a delegated administrator for Resource Explorer. You can disable trusted access using the Organizations DeregisterDelegatedAdministrator CLI or SDK operation.