
Troubleshooting Resource Explorer

If you encounter issues when working with Resource Explorer, consult the topics in this section. Also see Troubleshooting Amazon Resource Explorer permissions in the Security section of this guide.

General issues

I received a link to Resource Explorer but when I open it, the console shows only an error.

Some third-party tools produce link URLs to pages in Resource Explorer. In some cases, those URLs don't include the parameter that directs the console to a specific Amazon Web Services Region. If you open such a link, the Resource Explorer console isn't told which Region to use, and defaults to the last Region the user signed in to. If the user doesn't have permissions to access Resource Explorer in that Region, then the console attempts to use the US East (N. Virginia) (us-east-1) Region, or the US West (Oregon) (us-west-2) Region if the console can't reach us-east-1.

If the user doesn't have permission to access the index in any of those Regions, then the Resource Explorer console returns an error.

You can prevent this issue by ensuring that all users have the following permissions:

  • ListIndexes – no specific resource; use *.

  • GetIndex for the ARN of each index created in the account. To avoid having to redo permission policies if you delete and recreate an index, we recommend that you use *.

The minimum policy to achieve this might look like this example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "resource-explorer-2:GetIndex",
                "resource-explorer-2:ListIndexes"
            ],
            "Resource": "*"
        }
    ]
}

Alternatively, you might consider attaching the Amazon managed permission AWSResourceExplorerReadOnlyAccess to all users who need to use Resource Explorer. That grants these required permissions, plus the permissions needed to see the available views in the Region and search using those views.

Why does unified search in the console cause "access denied" errors in my CloudTrail logs?

Unified search in the Amazon Web Services Management Console lets principals search from any page in the Amazon Web Services Management Console. The results can include resources from the principal's account if Resource Explorer is turned on and configured to support unified search. Whenever you start typing in the unified search bar, unified search attempts to call the resource-explorer-2:ListIndexes operation to check whether it can include resources from the user's account in the results.

Unified search uses the currently signed-in user's permissions to perform this check. If that user doesn't have permission to call resource-explorer-2:ListIndexes granted in an attached Amazon Identity and Access Management (IAM) permission policy, then the check fails. That failure is added as an Access denied entry in your CloudTrail logs.

This CloudTrail log entry has the following characteristics:

  • Event source: resource-explorer-2.amazonaws.com

  • Event name: ListIndexes

  • Error code: 403 (Access denied)
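The following Python sketch is an added example, not code from the Resource Explorer documentation. It separates the denied ListIndexes entries described above from other error events in a batch of CloudTrail records and counts them per principal, so you can see which principals need the permission. The sample records are constructed, and the errorCode string "AccessDenied" and the helper names are assumptions.

```python
from collections import Counter

EVENT_SOURCE = "resource-explorer-2.amazonaws.com"
EVENT_NAME = "ListIndexes"
USER = "arn:aws:iam::111122223333:user/"  # constructed account and users


def _rec(source, name, arn, error=None):
    """Build a minimal constructed CloudTrail record (real ones have more fields)."""
    rec = {"eventSource": source, "eventName": name, "userIdentity": {"arn": arn}}
    return {**rec, "errorCode": error} if error else rec


# Constructed sample input. The errorCode value is an assumption; the page
# only describes the entry as "403 (Access denied)".
SAMPLE_RECORDS = [
    _rec(EVENT_SOURCE, "ListIndexes", USER + "alice", "AccessDenied"),
    _rec(EVENT_SOURCE, "ListIndexes", USER + "alice", "AccessDenied"),
    _rec(EVENT_SOURCE, "ListIndexes", USER + "bob"),  # allowed call, no error
    _rec("s3.amazonaws.com", "GetObject", USER + "carol", "AccessDenied"),
    _rec(EVENT_SOURCE, "Search", USER + "dave", "AccessDenied"),
]


def is_list_indexes_denial(record):
    """True for a denied ListIndexes call to Resource Explorer."""
    return (record.get("eventSource") == EVENT_SOURCE
            and record.get("eventName") == EVENT_NAME
            and "accessdenied" in record.get("errorCode", "").lower())


def split_denials(records):
    """Return (denial count per principal lacking ListIndexes, other error events)."""
    missing_permission = Counter()
    other = []
    for rec in records:
        if is_list_indexes_denial(rec):
            arn = rec.get("userIdentity", {}).get("arn", "unknown")
            missing_permission[arn] += 1
        elif rec.get("errorCode"):
            other.append(rec)  # unrelated errors still need normal triage
    return missing_permission, other


if __name__ == "__main__":
    noisy, rest = split_denials(SAMPLE_RECORDS)
    for arn, count in noisy.most_common():
        print(f"{count:3d} denied ListIndexes calls: {arn}")
    print(f"{len(rest)} other error events left for review")
```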

The following Amazon managed policies include permission to call resource-explorer-2:ListIndexes. If you assign any of these to the principal, or any other policy that includes this permission, then this error does not occur: