Amazon managed policies for Amazon Resource Explorer
To add permissions to users, groups, and roles, it is easier to use Amazon managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon Web Services account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.
Amazon Web Services maintain and update Amazon managed policies. You can't change the permissions in Amazon managed policies. Services occasionally add additional permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.
Additionally, Amazon supports managed policies for job functions that span multiple
services. For example, the ViewOnlyAccess Amazon managed policy provides read-only access to many Amazon Web Services and resources. When a service launches a new feature, Amazon adds read-only
permissions for new operations and resources. For a list and descriptions of job function
policies, see Amazon managed policies for job functions in
the IAM User Guide.
General Amazon managed policies that include Resource Explorer permissions
-
AdministratorAccess
– Grants full access to Amazon Web Services and resources. -
ReadOnlyAccess
– Grants read-only access to Amazon Web Services and resources. -
ViewOnlyAccess
– Grants permissions to view resources and basic metadata for Amazon Web Services. Note The Resource Explorer
Get*permissions included in theViewOnlyAccesspolicy perform likeListpermissions although they return only a single value, because a Region can contain only one index and one default view.
Amazon managed policies for Resource Explorer
Amazon managed policy: AWSResourceExplorerFullAccess
You can assign the AWSResourceExplorerFullAccess policy to your IAM
identities.
This policy grants permissions that allow full administrative control of the Resource Explorer service. You can perform all tasks involved in turning on and managing Resource Explorer in the Amazon Web Services Regions in your account.
Permissions details
This policy includes permissions that allow all actions for Resource Explorer, including turning on and turning off Resource Explorer in Amazon Web Services Regions, creating or deleting an aggregator index for the account, creating, updating, and deleting views, and searching. This policy also includes two permissions that are not part of Resource Explorer:
-
ec2:DescribeRegions– allows Resource Explorer to access the details about the Regions in your account. -
ram:ListResources– allows Resource Explorer to list the resource shares that resources are part of. -
iam:CreateServiceLinkedRole– allows Resource Explorer to create the required service-linked role when you turn on Resource Explorer by creating the first index.
To see the latest version of this Amazon managed policy, see AWSResourceExplorerFullAccess in the IAM console.
Amazon managed policy: AWSResourceExplorerReadOnlyAccess
You can assign the AWSResourceExplorerReadOnlyAccess policy to your IAM
identities.
This policy grants read-only permissions that allow users basic search access to discover their resources.
Permissions details
This policy includes permissions that allow users to perform the Resource Explorer
Get*, List*, Describe*, and
Search operations to view information about Resource Explorer components and
configuration settings, but doesn't allow users to change them. Users can also search.
This policy also includes two permissions that are not part of Resource Explorer:
-
ec2:DescribeRegions– allows Resource Explorer to access the details about the Regions in your account. -
ram:ListResources– allows Resource Explorer to list the resource shares that resources are part of.
To see the latest version of this Amazon managed policy, see AWSResourceExplorerReadOnlyAccess in the IAM console.
Amazon managed policy: AWSResourceExplorerServiceRolePolicy
You can't attach AWSResourceExplorerServiceRolePolicy to any IAM entities yourself.
This policy can be attached only to a service-linked role that allows Resource Explorer to perform
actions on your behalf. For more information, see Using service-linked roles for
Resource Explorer.
This policy grants the permissions required for Resource Explorer to retrieve information about your resources so it can populate the indexes it maintains in each Amazon Web Services Region that you register.
To see the latest version of this Amazon managed policy, see AWSResourceExplorerServiceRolePolicy in the IAM console.
Resource Explorer updates to Amazon managed policies
View details about updates to Amazon managed policies for Resource Explorer since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Resource Explorer Document history page.
| Change | Description | Date |
|---|---|---|
|
AWSResourceExplorerServiceRolePolicy – Updated policy with to support additional resource types |
Resource Explorer added permissions to the service-linked role policy
|
March 7, 2023 |
| New managed policies |
Resource Explorer added the following Amazon managed policies: |
November 7, 2022 |
|
Resource Explorer started tracking changes |
Resource Explorer started tracking changes for its Amazon managed policies. |
November 7, 2022 |