Amazon Resource Explorer identity-based policy examples - Amazon Resource Explorer
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Amazon Resource Explorer identity-based policy examples

By default, Amazon Identity and Access Management (IAM) users and roles don't have permission to create or modify Resource Explorer resources. They also can't perform tasks using the Amazon Web Services Management Console, Amazon Command Line Interface (Amazon CLI), or Amazon API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. Then, the administrator must attach those policies to the IAM users or groups that require those permissions.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see Creating Policies on the JSON Tab in the IAM User Guide.

Policy best practices

Identity-based policies determine whether someone can create, access, or delete Resource Explorer resources in your account. These actions can incur costs for your Amazon Web Services account. When you create or edit identity-based policies, follow these guidelines and recommendations:

  • Get started with Amazon managed policies and move toward least-privilege permissions – To get started granting permissions to your users and workloads, use the Amazon managed policies that grant permissions for many common use cases. They are available in your Amazon Web Services account. We recommend that you reduce permissions further by defining Amazon customer managed policies that are specific to your use cases. For more information, see Amazon managed policies or Amazon managed policies for job functions in the IAM User Guide.

  • Apply least-privilege permissions – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as least-privilege permissions. For more information about using IAM to apply permissions, see Policies and permissions in IAM in the IAM User Guide.

  • Use conditions in IAM policies to further restrict access – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific Amazon Web Service, such as Amazon CloudFormation. For more information, see IAM JSON policy elements: Condition in the IAM User Guide.

  • Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see IAM Access Analyzer policy validation in the IAM User Guide.

  • Require multi-factor authentication (MFA) – If you have a scenario that requires IAM users or root users in your account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see Configuring MFA-protected API access in the IAM User Guide.

For more information about best practices in IAM, see Security best practices in IAM in the IAM User Guide.

Using the Resource Explorer console

For users to search in the Amazon Resource Explorer console, they must have a minimum set of permissions. If you don't create an identity-based policy with the minimum required permissions, then the Resource Explorer console doesn't function as intended for identities (IAM roles or users) in the account.

You can use the Amazon managed policy named AWSResourceExplorerReadOnlyAccess to grant the ability to use the Resource Explorer console to search using any view in the account. For information about how to attach a policy to a principal, see Adding permissions to a user in the IAM User Guide. To grant permissions to search with only a single view, see Granting access to Resource Explorer views for search, and the examples in the following two sections.

You don't need to allow minimum console permissions for users that are making calls only to the Amazon CLI or the Amazon API. Instead, you can choose to allow access to only those actions that match the API operations that the users need to perform.

Granting access to a view based on tags

In this example, you want to grant access to a Resource Explorer view in your Amazon Web Services account to the identities in the account. To do this you must use identity-based permissions, and you should first remove the resource-based permissions attached to the views. Then you can add IAM identity-based policies to the groups, roles, and users that you want to be able to search in Resource Explorer. The following example IAM policy grants access to any request where the Search-Group tag attached to the caller's identity exactly matches the value for that same tag attached to the view used in the request.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "resource-explorer-2:GetView", "resource-explorer-2:Search" ], "Resource": "arn:aws:resource-explorer-2:*:*:view/*", "Condition": { "StringEquals": {"aws:ResourceTag/Search-Group": "${aws:PrincipalTag/Search-Group}"} } } ] }

You can attach this policy to the IAM users in your account. If a user with the tag Search-Group=A attempts to search using a Resource Explorer view, the view must also be tagged Search-Group=A. If it's not, then the user is denied access. The condition tag key Search-Group matches both Search-group and search-group because condition key names are not case-sensitive. For more information, see IAM JSON Policy Elements: Condition in the IAM User Guide.

Important

To see your resources in unified search results in the Amazon Web Services Management Console, users must have both GetView and Search permissions for the default view in the Amazon Web Services Region that contains the aggregator index. The simplest way to grant those permissions is to leave the default resource-based permission that was attached to the view when you turned on Resource Explorer using Quick or Advanced setup.

For this scenario, you could consider setting the default view to filter out sensitive resources and then setting up additional views to which you grant tag-based access as described in the previous example.

Granting access to create a view based on tags

In this example, you want to allow only users that are tagged the same as the index to be able to create views in the Amazon Web Services Region that contains the index. As in the previous example, start by removing the resource-based permissions attached to any views. Then, as shown in the previous example, you can create identity-based permissions to allow users to search with views.

Now you're ready to grant permissions to create a view. You can add the statements in this example to the same permission policy that you use to grant Search permissions to your users. The actions are allowed or denied based on the tags attached to the identities calling the operations and index that the view is to be associated with. The following example IAM policy denies any request to create a view when the value of the Allow-Create-View tag attached to the caller's identity doesn't exactly match the value for that same tag attached to the index in the Region in which the view is created.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "resource-explorer-2:CreateView", "Resource": "*", "Condition": { "StringNotEquals": {"aws:ResourceTag/Allow-Create-View": "${aws:PrincipalTag/Allow-Create-View}"} } } ] }

Allow users to view their own permissions

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the Amazon CLI or Amazon API.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": ["arn:aws-cn:iam::*:user/${aws:username}"] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] }