Using service-linked roles for Resource Explorer - Amazon Resource Explorer
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Using service-linked roles for Resource Explorer

Amazon Resource Explorer uses Amazon Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Resource Explorer. Service-linked roles are predefined by Resource Explorer and include all the permissions that the service requires to call other Amazon Web Services on your behalf.

A service-linked role makes configuring Resource Explorer easier because you don’t have to manually add the necessary permissions. Resource Explorer defines the permissions of its service-linked roles, and unless defined otherwise, only Resource Explorer can assume its roles. The defined permissions include both the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity.

For information about other services that support service-linked roles, see Amazon services that work with IAM in the IAM User Guide. There, look for the services that have Yes in the Service-linked roles column. Choose a Yes with a link to view the service-linked role documentation for that service.

Service-linked role permissions for Resource Explorer

Resource Explorer uses the service-linked role named AWSServiceRoleForResourceExplorer. This role grants permissions to the Resource Explorer service to view resources and Amazon CloudTrail events in your Amazon Web Services account on your behalf and to index those resources to support searching.

The AWSServiceRoleForResourceExplorer service-linked role trusts only the service with the following service principal to assume the role:

  • resource-explorer-2.amazonaws.com

The role permissions policy named AWSResourceExplorerServiceRolePolicy allows Resource Explorer to complete the following actions on the specified resources:

  • All actions that retrieve resource names and properties for all supported types of resources in the Amazon Web Services account. For the complete list of all actions this role can perform, you can view the AWSResourceExplorerServiceRolePolicy policy in the IAM console.

A principal is an IAM entity such as a user, group, or role. If you let Resource Explorer create the service-linked role for you when it creates the index in the first Region of the account, then the principal performing the task needs only the permissions required to create the Resource Explorer index. To create the service-linked role manually using IAM, then the principal performing the task must have permission to create a service-linked role. For more information, see Service-linked role permissions in the IAM User Guide.

Creating a service-linked role for Resource Explorer

You don't need to manually create a service-linked role. When you turn on Resource Explorer in the Amazon Web Services Management Console, or run CreateIndex in the first Amazon Web Services Region in your account using the Amazon CLI or an Amazon API, Resource Explorer creates the service-linked role for you.

If you delete this service-linked role, and then need to create it again, you can use the same process to re-create the role in your account. When you RegisterResourceExplorer in the first Region in your account, Resource Explorer creates the service-linked role for you again.

Editing a service-linked role for Resource Explorer

Resource Explorer doesn't allow you to edit the AWSServiceRoleForResourceExplorer service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role in the IAM User Guide.

Deleting a service-linked role for Resource Explorer

You can use the IAM console, the Amazon CLI, or the Amazon API to manually delete the service-linked role. To do this, you must first remove the Resource Explorer indexes from every Amazon Web Services Region in your account and then you can manually delete the service-linked role.

Note

If the Resource Explorer service is using the role when you try to delete the resources, the deletion fails. If that happens, ensure that all indexes from all Regions are deleted, then wait for a few minutes and try the operation again.

To manually delete the service-linked role using IAM

Use the IAM console, the Amazon CLI, or the Amazon API to delete the AWSServiceRoleForResourceExplorer service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.

Supported Regions for Resource Explorer service-linked roles

Resource Explorer supports using service-linked roles in all of the Regions where the service is available. For more information, see Amazon Web Service endpoints in the Amazon Web Services General Reference.