AWS Resource Groups
User Guide

Prerequisites for Working with AWS Resource Groups

Before you get started working with resource groups, be sure you have an active AWS account with existing resources, and appropriate rights to tag resources and create groups.

Sign Up for AWS

If you do not have an AWS account, use the following procedure to create one.

To sign up for AWS

  1. Open https://aws.amazon.com/ and choose Create an AWS Account.

  2. Follow the online instructions.

Create Resources

You can create an empty resource group, but won't be able to see insights or perform any tasks on resource group members until there are resources in the group. For more information about the supported resource types, see Supported Resources.

Setting Up Permissions

To make full use of Resource Groups and Tag Editor, you might need additional permissions to tag resources or to see a resource's tag keys and values. These permissions fall into the following categories:

  • Permissions for individual services so that you can tag resources from those services and include them in resource groups.

  • Permissions that are required to use the Tag Editor console and API.

  • Permissions that are required to use the new AWS Resource Groups console and API.

Note

The managed policies that were used for legacy Resource Groups, ResourceGroupsandTagEditorFullAccess and ResourceGroupsandTagEditorReadOnlyAccess, do not grant access to AWS Resource Groups.

If you are an administrator, you can provide permissions for your users by creating policies through the AWS Identity and Access Management (AWS IAM) service. You first create IAM users or groups, and then apply the policies with the permissions that they need. For general information about creating and attaching IAM policies, see Working with Policies.

Permissions for Individual Services

Important

This section describes permissions required for individual services if you want to tag resources from those services' consoles and APIs and include them in resource groups.

As described in What Are Resource Groups?, each resource group represents a collection of resources of specified types that share one or more tag keys or values. To add tags to a resource, you need the necessary permissions for the service to which the resource belongs. For example, to tag Amazon EC2 instances, you must have permissions to the tagging actions in that service's API, such as those listed in the Amazon EC2 user guide.

To make full use of the Resource Groups feature, you need other permissions that allow you to access a service's console and interact with the resources there. For examples of such policies for Amazon EC2, see Example Policies for Working in the Amazon EC2 Console in the Amazon EC2 User Guide for Linux Instances.

Granting Permissions for Using Tag Editor

For information about how to grant permissions for Tag Editor and the legacy Resource Groups console, see Obtaining Permissions for Resource Groups and Tag Editor in the AWS Management Console Help. Permissions shown in this topic are for using the new AWS Resource Groups service.

Granting Permissions for Using AWS Resource Groups

This section describes required permissions for the new AWS Resource Groups service. For information about how to assign permissions for using legacy Resource Groups, see Obtaining Permissions for Resource Groups and Tag Editor. The managed policies that were used for legacy Resource Groups, ResourceGroupsandTagEditorFullAccess and ResourceGroupsandTagEditorReadOnlyAccess, do not grant access to AWS Resource Groups.

To add a policy for using AWS Resource Groups to a user, do the following.

  1. Open the IAM console.

  2. In the navigation pane, choose Users.

  3. Find the user to whom you want to grant AWS Resource Groups permissions. Choose the user's name to open the user properties page.

  4. Choose Add permissions.

  5. Choose Attach existing policies directly.

    
  6. Choose Create policy.

  7. On the JSON tab, paste the following policy statement.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "resource-groups:*",
          "Resource": "*"
        }
      ]
    }
  8. Choose Review policy.

  9. Give the new policy a name and description. To distinguish this policy from any policies for legacy Resource Groups, the name should be different from ResourceGroupsandTagEditorFullAccess. For example, AWSResourceGroupsQueryAPIAccess.

    
  10. Choose Create policy.

  11. Now that the policy is saved in IAM, you can attach it to other users. For more information about how to add a policy to a user, see Adding Permissions by Attaching Policies Directly to the User in the IAM User Guide.
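
The following Python sketch is an added example, not part of the AWS guide. It checks offline whether a set of attached policy documents actually allows AWS Resource Groups actions, and lists statements that grant a whole service on every resource, as the step 7 policy does. TAG_ONLY and DENY_DELETE are constructed sample policies, the helper names are hypothetical, and the evaluation is simplified (Resource, Condition and NotAction are not evaluated).

```python
import re

# Policy statement from step 7 of the procedure above.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "resource-groups:*", "Resource": "*"}]}
# Constructed samples (not real managed policies): one that allows only
# tagging actions, and one explicit Deny that scopes down the page policy.
TAG_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["tag:Get*", "ec2:DescribeTags"], "Resource": "*"}]}
DENY_DELETE = {"Version": "2012-10-17", "Statement": {
    "Effect": "Deny", "Action": "resource-groups:DeleteGroup", "Resource": "*"}}

def _as_list(value):
    """Statement, Action and Resource may each be a single item or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(patterns, action):
    """IAM action matching: case-insensitive, '*' and '?' are wildcards."""
    for pattern in patterns:
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False

def allows(policies, action):
    """True if an Allow statement covers `action` and no Deny statement does.
    Simplified: Resource, Condition and NotAction are not evaluated."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not _matches(_as_list(stmt.get("Action")), action):
                continue
            if stmt.get("Effect") == "Deny":
                return False  # an explicit Deny always wins
            allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def service_wide_grants(policy):
    """Actions of the form 'svc:*' (or '*') allowed on every resource."""
    return [act for stmt in _as_list(policy.get("Statement"))
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource"))
            for act in _as_list(stmt.get("Action")) if act.endswith(":*") or act == "*"]

if __name__ == "__main__":
    for name, attached in (("tag-only", [TAG_ONLY]), ("page", [PAGE_POLICY]),
                           ("page+deny", [PAGE_POLICY, DENY_DELETE])):
        print(name, {a: allows(attached, "resource-groups:" + a)
                     for a in ("ListGroups", "CreateGroup", "DeleteGroup")})
```

A user whose policies grant only tagging actions fails every `resource-groups:` check, while the step 7 policy passes all of them unless an explicit Deny is attached alongside it.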