Terms and concepts for Resource Explorer

You should understand the following concepts to successfully administer and configure Amazon Resource Explorer for your users.

The terms and concepts discussed in this topic refer to the following diagram.

[Diagram: four Amazon Web Services Regions. Resource Explorer is turned on in three Regions. The aggregator index for the Amazon Web Services account and a default view are in one of the three Regions.]

Legend

  • Resource Explorer is turned on in this Amazon Web Services Region, and information about the Region's resources is stored in a local index in that Region. Every Region's local index is also replicated (indicated by the arrows) to the Region that contains the aggregator index.

  • The index in this Amazon Web Services Region is configured to be the aggregator index for the account. Resource Explorer replicates the resource information collected in the local indexes of all other Regions where Resource Explorer is turned on into the aggregator index in this Region. Searches made in this Region can include results from all Regions in the account.

  • The default view created by Quick Setup includes all resources in all Amazon Web Services Regions.

The diagram shows three Amazon Web Services Regions in which the administrator turned on Resource Explorer, and one Region the administrator chose not to turn on. The Region where Resource Explorer isn't turned on doesn't have an index. Therefore, its resources can't be searched by Resource Explorer queries.

In this example scenario, the administrator chose the US West (Oregon) Region (us-west-2) to contain the aggregator index for the account. All Regions that you turn on replicate their local indexes to the Region with the aggregator index.

The default view created by Resource Explorer doesn't have any filters. Therefore, results from searching with this view can include resources of any type in all Regions in the account where Resource Explorer is turned on.

Resource Explorer administrator

A Resource Explorer administrator is an Amazon Identity and Access Management (IAM) principal who has the permission to manage Resource Explorer and its settings in the Amazon Web Services account. The Resource Explorer administrator can configure the following features:

  • Turn on Resource Explorer for individual Amazon Web Services Regions in the Amazon Web Services account by creating indexes in those Regions. This lets Resource Explorer discover resources and populate the index with information about those resources so that users can search for resources in that Region.

  • Update the index type in one Amazon Web Services Region to make it the aggregator index for its Amazon Web Services account. The aggregator index in this Region receives replicated copies of the resource information from all other Regions in the account where Resource Explorer is turned on.

  • Create views that define the subset of indexed information users can search and discover in Resource Explorer.

  • While not part of the Resource Explorer actions, the Resource Explorer administrator must also be able to grant search permissions to the principals in the account. The administrator can grant these permissions to principals by adding the relevant permissions to existing IAM permission policies, or by using the Resource Explorer read only Amazon managed policy.

The administrator typically has all Resource Explorer permissions (resource-explorer-2:*) on all Resource Explorer resources, including the indexes and views. These permissions can be granted by using the Resource Explorer full access Amazon managed policy.

Resource Explorer user

A Resource Explorer user is an IAM principal that has permission to do one or more of the following tasks:

  • Perform a search for resources by using a view to query Resource Explorer. A Resource Explorer user wants to discover and find Amazon resources and typically uses the Resource Explorer console, or the Resource Explorer Search operations provided by the Amazon SDKs or the Amazon CLI.

    A user or role can get permission to search by one of two methods:

    • Attach the Resource Explorer read only Amazon managed policy to the IAM role, group, or user.

    • Attach an IAM permission policy with a statement containing the following minimum permissions to the IAM role, group, or user.

      {
          "Effect": "Allow",
          "Action": [
              "resource-explorer-2:Search",
              "resource-explorer-2:GetView"
          ],
          "Resource": "<ARN of the view>"
      }

  • Although typically considered an administrator task, you can delegate to trusted users the ability to create views. To do this, the administrator can grant permission to call the resource-explorer-2:CreateView operation in an IAM permission policy attached to the relevant roles, groups, or users. If the new view requires specific permissions, you must also make provision for adding or modifying the IAM policies of the relevant users.

For information about how to search for resources using Resource Explorer, see Using Amazon Resource Explorer to search for resources.

Index

An index is the collection of information maintained by Resource Explorer about all of the Amazon resources in one Amazon Web Services Region in your Amazon Web Services account. Resource Explorer maintains an index in each Region in which you turn on Resource Explorer. Resource Explorer updates the index automatically as you create and delete resources in your Amazon Web Services account. In the earlier diagram, the boxes under the Amazon Web Services Region names represent the Resource Explorer indexes maintained in each Amazon Web Services Region. The index in a Region is the source of information for any views created in that Region. Users can't directly query the index. Instead, they must always query using a view.

There are two types of indexes:

Local index

There is one local index in every Amazon Web Services Region in which you turn on Resource Explorer. A local index contains information about only the resources in the same Region.

Aggregator index

The Resource Explorer administrator can also designate the index in one Amazon Web Services Region to be the aggregator index for the Amazon Web Services account. The aggregator index receives and stores a copy of the index for every other Region where Resource Explorer is turned on in the account. The aggregator index also receives and stores information about the resources in its own Region. In the earlier diagram, the Region us-west-2 contains the aggregator index for the account. The primary reason to designate an aggregator index for the account is so that you can create views that can include resources from all Regions in the account. There can be only one aggregator index in an Amazon Web Services account.

When you turn on Resource Explorer, you can specify which Amazon Web Services Region is to contain the aggregator index. You can also change the Amazon Web Services Region used for the aggregator index later. For information about how to promote a local index to make it the aggregator index for its Amazon Web Services account, see Turning on cross-Region search by creating an aggregator index.

An index is a resource with an Amazon resource name (ARN). However, you can use this ARN only in permission policies to grant access to operations that interact directly with the index. With those operations, you can create views and set them as the default in a Region, turn on or turn off Resource Explorer in a Region, and create an aggregator index for the account. The ARN of an index looks similar to the following example:

arn:aws-cn:resource-explorer-2:cn-north-1:123456789012:index/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111

View

A view is the mechanism used to query the resources listed in an index. The view defines what information in the index is visible and available for search and discovery purposes. A user never directly queries the Resource Explorer index. Instead, queries must always go through a view, which lets the view creator limit which resources the user can see in search results.

When you create a view, you specify filters that restrict which resources are included in search results. For example, you could choose to include only resources of a few specified resource types that are used by those to whom you grant access to this view. Results from queries that users make with a view are always automatically filtered to include only those resources that match the view's criteria.

To grant access to use a view, you can assign permissions using one of the following methods:

  • Grant permission to allow your roles, groups, or users to invoke the resource-explorer-2:GetView and resource-explorer-2:Search operations on a view identified by its Amazon resource name (ARN).

  • Alternatively, use the Resource Explorer read only Amazon managed policy for all principals who need to use the view to search.

You can create multiple views that have different filters and scopes and thus return different subsets of your resource information. Then, you can grant permissions for each view to those users who need to see the information included in that view's results.

To search with Resource Explorer, each user must have permission to use at least one view. You can't perform a search in Resource Explorer without using a view.

Views are stored on a per-Region basis. A view can access only the Resource Explorer index in that Amazon Web Services Region. To access account-wide search results, you must use a view in the Region that contains the aggregator index for the account. The Quick setup option creates a default view in the Amazon Web Services Region with the aggregator index and with filters that include all resources in all Amazon Web Services Regions used by the account.

For information about how to create views, see Managing Resource Explorer views to provide access to search. For information about how to use views in a query, see Using Amazon Resource Explorer to search for resources.

Every view has an Amazon resource name (ARN) that you can reference in permission policies to grant access to individual views. You can also pass a view's ARN as a parameter to any API or Amazon CLI operation that interacts with a view. The ARN of a view looks similar to the following example.

arn:aws-cn:resource-explorer-2:cn-north-1:123456789012:view/My-View-Name/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111

Note

Every view ARN ends with an Amazon-generated UUID. This helps to ensure that users who had access to a view with a specific name that was later deleted can't automatically access a new view created with the same name.
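As an added example (not code from the Amazon documentation), the following Python builds the minimum search policy shown earlier under Resource Explorer user and illustrates the point of the Note above: a statement scoped to one view ARN does not carry over to a recreated view with the same name but a new UUID, whereas a wildcard resource does. The view ARNs, the regular expression and the simplified wildcard evaluator are constructed here and are not part of IAM or Resource Explorer.

```python
import fnmatch
import re

# Constructed sample view ARNs in the layout shown on this page (not real views):
# the same view name created twice, so only the trailing UUID differs.
OLD_VIEW = ("arn:aws-cn:resource-explorer-2:cn-north-1:123456789012:"
            "view/My-View-Name/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111")
NEW_VIEW = ("arn:aws-cn:resource-explorer-2:cn-north-1:123456789012:"
            "view/My-View-Name/9f8e7d6c-5b4a-3c2d-1e0f-abcd22222222")

# View ARN layout: arn:<partition>:resource-explorer-2:<Region>:<account>:view/<name>/<uuid>
_VIEW_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-cn|-us-gov)?):resource-explorer-2:"
    r"(?P<region>[a-z0-9-]+):(?P<account>\d{12}):view/"
    r"(?P<name>[A-Za-z0-9_.-]+)/"
    r"(?P<uuid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$")


def parse_view_arn(arn):
    """Split a fully qualified view ARN into partition, Region, account, name and UUID."""
    match = _VIEW_ARN_RE.match(arn)
    if match is None:
        raise ValueError(f"not a fully qualified Resource Explorer view ARN: {arn}")
    return match.groupdict()


def search_policy_for_views(view_arns):
    """Build the minimum search policy from this page, scoped to named views only."""
    for arn in view_arns:
        parse_view_arn(arn)  # rejects wildcards and malformed ARNs before they reach IAM
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["resource-explorer-2:Search", "resource-explorer-2:GetView"],
        "Resource": list(view_arns)}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def statement_allows_search(statement, view_arn):
    """Simplified evaluator: does one Allow statement cover Search on this view?
    '*' and '?' in Action and Resource are matched as IAM-style wildcards."""
    if statement.get("Effect") != "Allow":
        return False
    action_ok = any(fnmatch.fnmatchcase("resource-explorer-2:Search", pattern)
                    for pattern in _as_list(statement["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(view_arn, pattern)
                      for pattern in _as_list(statement["Resource"]))
    return action_ok and resource_ok
```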

Resource

A resource is an entity in Amazon that you can work with. Resources are created by Amazon Web Services as you use the features of the service. Examples include an Amazon EC2 instance, an Amazon S3 bucket, or an Amazon CloudFormation stack. Some resource types can contain customer data. All resource types have attributes or metadata to describe the resource, including a name, description, and the Amazon resource name (ARN) that you use to uniquely reference a resource. Most resource types also support tags. Tags are custom metadata that you can attach to your resources for a variety of purposes, such as cost allocation in your billing, security authorization using attribute-based access control, or to support your other categorization needs.

The primary purpose of Resource Explorer is to help you find the resources that exist in your Amazon Web Services account. Resource Explorer uses a variety of techniques to discover all of your resources and place information about them in an index. Then, you can query the index through whatever views that your administrator makes available to you.

Important

Resource Explorer intentionally excludes those resource types whose inclusion would expose customer data. The following resource types are not indexed by Resource Explorer and are therefore never returned in search results.

  • Amazon S3 objects that are contained within a bucket

  • Amazon DynamoDB table items

  • DynamoDB attribute values

Unified search

At the top of the Amazon Web Services Management Console, in every Amazon Web Service, there is a search bar that you can use to search for a variety of Amazon related things. You can search for services and features, and get links directly to the relevant page in that service's console. You can also search for documentation and blog articles related to your search term.

After you turn on Resource Explorer and create an aggregator index and a default view, unified search can also include your account's resources in the search results. Unified search automatically uses the default view in the Amazon Web Services Region that contains the aggregator index for the account. This lets you search for a resource from any page in the Amazon Web Services Management Console, without having to first open Resource Explorer. If you don't promote a local index to be the aggregator index for the account, or if you don't create a default view in the aggregator index Region, unified search doesn't include resources in its search results. Also, any principal performing a search must have permission to use the default view in the Region that contains the aggregator index or unified search doesn't include resources in its search results.

Important

Unified search automatically inserts a wildcard character (*) operator at the end of the first keyword in the string. This means that unified search results include resources that match any string that starts with the specified keyword.

The search performed by the Query text box on the Resource search page in the Resource Explorer console does not automatically append a wildcard character. You can insert a * manually after any term in the search string.

For more information about unified search and its integration with Resource Explorer, see Using unified search in the Amazon Web Services Management Console.