Granting access to Resource Explorer views for search - Amazon Resource Explorer
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Granting access to Resource Explorer views for search

Before users can search with a new view, you must grant access to Amazon Resource Explorer views. To do this, attach an identity-based permission policy to the Amazon Identity and Access Management (IAM) principals that need to search with the view.

You can use either of the following methods:

  • Attach an existing Amazon managed policy. Resource Explorer provides several pre-defined Amazon managed policies for your use. For details of all of the available Amazon managed policies, see Amazon managed policies for Amazon Resource Explorer.

    For example, you could attach the AWSResourceExplorerReadOnlyAccess policy to grant search permissions to all views in the account.

    For more information about how to attach a permission policy, such as an Amazon managed policy, to a principal, see Adding and removing IAM identity permissions.

  • Create your own permission policy and attach it to the principals. If you create your own policy, you can restrict access to a single view, or to a subset of the available views, by specifying the Amazon Resource Name (ARN) of each view in the Resource element of the policy statement. For example, you can attach the following policy to a principal to grant that principal the ability to search using only the one view named in the Resource element.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "resource-explorer-2:Search",
                    "resource-explorer-2:GetView"
                ],
                "Resource": "arn:aws-cn:resource-explorer-2:cn-north-1:123456789012:view/MyTestView/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111"
            }
        ]
    }

    Use the IAM console to create the permission policies and to attach them to the principals that need those permissions. For more information about IAM permission policies, see the following topics:

Using tag-based authorization to control access to your views

If you choose to create multiple views with filters that return results with only certain resources, then you might also want to restrict access to those views to only the principals who need to see those resources. You can provide this type of security for the views in your account by using an attribute-based access control (ABAC) strategy. The attributes used by ABAC are the tags attached both to the principals attempting to perform operations in Amazon and to the resources they attempt to access.

ABAC uses standard IAM permission policies attached to the principals. The policies use Condition elements in the policy statements to allow access only when both the tags attached to the requesting principal and the tags attached to the affected resource match the requirements in the policy.

For example, you could attach a tag "Environment" = "Production" to all of the Amazon resources that support your company's production application. To ensure that only principals that are authorized to access the production environment can see those resources, create a Resource Explorer view that uses that tag as a filter. Then, to restrict access to the view to only the appropriate principals, you grant permissions using a policy that has a condition similar to the following example elements.

{
    "Effect": "Allow",
    "Action": [
        "service:Action1",
        "service:Action2"
    ],
    "Resource": "arn:aws-cn:arn-of-a-resource",
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/Environment": "${aws:PrincipalTag/Environment}"
        }
    }
}

The Condition element in the previous example specifies that the request is allowed only if the Environment tag attached to the principal making the request matches the Environment tag attached to the resource specified in the request. If those two tag values don't match exactly, or if either tag is missing, then Resource Explorer denies the request.

Important

To successfully use ABAC to secure access to your resources, you must first restrict access to the ability to add or modify the tags attached to your principals and resources. If a user can add or modify the tags attached to an Amazon principal or resource, then that user can affect the permissions controlled by those tags. In a secure ABAC environment, only approved security administrators have permission to add or modify the tags attached to principals, and only security administrators and resource owners can add or modify the tags attached to resources.

For more information about how to successfully implement an ABAC strategy, see the following topics in the IAM User Guide:

After you have the necessary ABAC infrastructure in place, you can start using tags to control who can search using the Resource Explorer views in your account. For example policies that illustrate the principle, see the following example permission policies:
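The following is an added example, not part of the Resource Explorer documentation: it combines the single-view Resource element from the first policy above with the tag-matching Condition from the ABAC section, and includes a small local check of the StringEquals rule as the page describes it (exact, case-sensitive match; missing tag on either side means deny). The view ARN, account ID and view ID are constructed placeholders; the checker models only the aws:ResourceTag / aws:PrincipalTag pattern, not full IAM evaluation.

```python
"""Build an ABAC-scoped Resource Explorer view policy and check its tag rule."""
import json
import re

# Constructed sample view ARN in the same shape as the one in the docs (placeholder IDs).
VIEW_ARN = ("arn:aws-cn:resource-explorer-2:cn-north-1:123456789012:"
            "view/ProductionView/00000000-0000-0000-0000-000000000000")


def abac_view_policy(view_arn: str, tag_key: str = "Environment") -> dict:
    """Allow Search and GetView on one view only when the principal's tag value
    equals the view's tag value for tag_key (the docs' ABAC pattern)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["resource-explorer-2:Search", "resource-explorer-2:GetView"],
            "Resource": view_arn,
            "Condition": {"StringEquals": {
                f"aws:ResourceTag/{tag_key}": f"${{aws:PrincipalTag/{tag_key}}}"}},
        }],
    }


_PRINCIPAL_TAG_VAR = re.compile(r"^\$\{aws:PrincipalTag/([^}]+)\}$")


def condition_allows(policy: dict, principal_tags: dict, resource_tags: dict) -> bool:
    """Evaluate only the StringEquals block(s) of the policy, modelling just the
    aws:ResourceTag/<key> == ${aws:PrincipalTag/<key>} pattern from the docs.
    Returns False when the values differ (case-sensitive) or either tag is absent."""
    for stmt in policy["Statement"]:
        for ctx_key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if not ctx_key.startswith("aws:ResourceTag/"):
                raise ValueError(f"unsupported condition key in this checker: {ctx_key}")
            resource_value = resource_tags.get(ctx_key[len("aws:ResourceTag/"):])
            match = _PRINCIPAL_TAG_VAR.match(expected)
            expected_value = principal_tags.get(match.group(1)) if match else expected
            if resource_value is None or expected_value is None:
                return False  # a missing tag on either side is a deny
            if resource_value != expected_value:
                return False  # StringEquals is an exact, case-sensitive comparison
    return True


if __name__ == "__main__":
    policy = abac_view_policy(VIEW_ARN)
    print(json.dumps(policy, indent=4))
    print(condition_allows(policy, {"Environment": "Production"}, {"Environment": "Production"}))
```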