Amazon managed policies for Amazon Resource Explorer - Amazon Resource Explorer
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Amazon managed policies for Amazon Resource Explorer

To add permissions to users, groups, and roles, it is easier to use Amazon managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon Web Services account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon Web Services maintain and update Amazon managed policies. You can't change the permissions in Amazon managed policies. Services occasionally add additional permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess Amazon managed policy provides read-only access to many Amazon Web Services and resources. When a service launches a new feature, Amazon adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

Amazon managed policy: AWSResourceExplorerFullAccess

You can attach the AWSResourceExplorerFullAccess policy to your IAM identities.

This policy grants permissions that allow full administrative control of the Resource Explorer service. You can perform all tasks involved in turning on and managing Resource Explorer in the Amazon Web Services Regions in your account.

Permissions details

This policy includes permissions that allow all actions for Resource Explorer, including turning on and turning off Resource Explorer in Amazon Web Services Regions, creating or deleting an aggregator index for the account, creating, updating, and deleting views, and searching. This policy also includes two permissions that are not part of Resource Explorer:

  • ec2:DescribeRegions – allows Resource Explorer to access the details about the Regions in your account.

  • ram:ListResources – allows Resource Explorer to list the resource shares that resources are part of.

  • iam:CreateServiceLinkedRole – allows Resource Explorer to create the required service-linked role when you turn on Resource Explorer by creating the first index.

To see the latest version of this Amazon managed policy, see AWSResourceExplorerFullAccess in the IAM console.

Amazon managed policy: AWSResourceExplorerReadOnlyAccess

You can attach the AWSResourceExplorerReadOnlyAccess policy to your IAM identities.

This policy grants read-only permissions that allow users basic search access to discover their resources.

Permissions details

This policy includes permissions that allow users to perform the Resource Explorer Get*, List*, Describe*, and Search operations to view information about Resource Explorer components and configuration settings, but doesn't allow users to change them. Users can also search. This policy also includes two permissions that are not part of Resource Explorer:

  • ec2:DescribeRegions – allows Resource Explorer to access the details about the Regions in your account.

  • ram:ListResources – allows Resource Explorer to list the resource shares that resources are part of.

To see the latest version of this Amazon managed policy, see AWSResourceExplorerReadOnlyAccess in the IAM console.

Amazon managed policy: AWSResourceExplorerServiceRolePolicy

You can't attach AWSResourceExplorerServiceRolePolicy to any IAM entities yourself. This policy can be attached only to a service-linked role that allows Resource Explorer to perform actions on your behalf. For more information, see Using service-linked roles for Resource Explorer.

This policy grantš the permissions required for Resource Explorer to retrieve information about your resources so it can populate the indexes it maintains in each Amazon Web Services Region that you register.

To see the latest version of this Amazon managed policy, see AWSResourceExplorerServiceRolePolicy in the IAM console.

Resource Explorer updates to Amazon managed policies

View details about updates to Amazon managed policies for Resource Explorer since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Resource Explorer Document history page.

Change Description Date
New managed policies

Resource Explorer added the following Amazon managed policies:

November 7, 2022

Resource Explorer started tracking changes

Resource Explorer started tracking changes for its Amazon managed policies.

November 7, 2022