If you encounter issues when working with Resource Explorer, consult the topics in this section. Also see Troubleshooting Amazon Resource Explorer permissions in the Security section of this guide.

General issues

Why does unified search in the console cause "access denied" errors in my CloudTrail logs?

Unified search in the Amazon Web Services Management Console lets users search from any page in the console. The results can include resources from the user's account if Resource Explorer is turned on and configured to support unified search. Whenever you start typing in the unified search bar, unified search attempts to call the resource-explorer-2:ListIndexes operation to check whether it can include resources from the user's account in the results.

Unified search uses the currently signed-in user's permissions to perform this check. If that user doesn't have permission to call resource-explorer-2:ListIndexes granted in an attached Amazon Identity and Access Management (IAM) permission policy, then the check fails. That failure is added as an Access denied entry in your CloudTrail logs.

This CloudTrail log entry has the following characteristics:

  • Event source:

  • Event name: ListIndexes

  • Error code: 403 (Access denied)
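
To see which identities produce these entries, the following added example (not part of the original guide) counts matching CloudTrail records per IAM user or role, resolving assumed-role sessions to the role that would need the permission. The sample records are constructed, and the `eventSource` prefix and `errorCode` string it matches on are assumptions.

```python
import json
from collections import Counter

# Constructed CloudTrail records for illustration (not real log data).
# Assumptions: eventSource starts with the service prefix "resource-explorer-2"
# and the denial shows up in errorCode as a string containing "AccessDenied".
SAMPLE_LOG = json.loads("""
{"Records": [
 {"eventSource": "resource-explorer-2.amazonaws.com", "eventName": "ListIndexes",
  "errorCode": "AccessDeniedException",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws-cn:iam::111122223333:user/alice"}},
 {"eventSource": "resource-explorer-2.amazonaws.com", "eventName": "ListIndexes",
  "errorCode": "AccessDeniedException",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws-cn:sts::111122223333:assumed-role/ReadOnlyOps/session-a",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws-cn:iam::111122223333:role/ReadOnlyOps"}}}},
 {"eventSource": "resource-explorer-2.amazonaws.com", "eventName": "ListIndexes",
  "errorCode": "AccessDeniedException",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws-cn:sts::111122223333:assumed-role/ReadOnlyOps/session-b",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws-cn:iam::111122223333:role/ReadOnlyOps"}}}},
 {"eventSource": "resource-explorer-2.amazonaws.com", "eventName": "ListIndexes",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws-cn:iam::111122223333:user/bob"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws-cn:iam::111122223333:user/alice"}}
]}
""")

def is_list_indexes_denial(rec):
    """True for a denied ListIndexes call, the entry described above."""
    return (rec.get("eventSource", "").startswith("resource-explorer-2")
            and rec.get("eventName") == "ListIndexes"
            and "accessdenied" in (rec.get("errorCode") or "").lower())

def owning_identity(rec):
    """For assumed-role sessions return the role ARN, since that is where the policy attaches."""
    ident = rec.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")

def identities_missing_list_indexes(records):
    """Count denied ListIndexes calls per IAM user or role."""
    return Counter(owning_identity(r) for r in records if is_list_indexes_denial(r))

if __name__ == "__main__":
    for arn, n in identities_missing_list_indexes(SAMPLE_LOG["Records"]).most_common():
        print(f"{n:3d}  {arn}")
```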

The following Amazon managed policies include permission to call resource-explorer-2:ListIndexes. If you attach any of these to the user, or any other policy that includes this permission, then this error does not occur: