AWS Resource Explorer and AWS Organizations
AWS Resource Explorer is a resource search and discovery service. With Resource Explorer, you can explore your resources, such as Amazon Elastic Compute Cloud instances, Amazon Kinesis Data Streams, or Amazon DynamoDB tables, using an internet search engine-like experience. You can search for your resources using resource metadata such as names, tags, and IDs. Resource Explorer works across AWS Regions in your account to simplify your cross-Region workloads.
When you integrate Resource Explorer with AWS Organizations, you can gather evidence from a broader source by including multiple AWS accounts from your organization within the scope of your assessments.
Use the following information to help you integrate AWS Resource Explorer with AWS Organizations.
Service-linked roles created when you enable integration
The following service-linked role is automatically created in your organization's management account when you enable trusted access. This role allows Resource Explorer to perform supported operations within your organization's accounts in your organization.
You can delete or modify this role only if you disable trusted access between Resource Explorer and Organizations, or if you remove the member account from the organization.
For more information about how Resource Explorer uses this role, see Using service-linked roles in the AWS Resource Explorer Users Guide.
-
AWSServiceRoleForResourceExplorer
Service principals used by the service-linked roles
The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Resource Explorer grant access to the following service principals:
-
resource-explorer-2.amazonaws.com
To enable trusted access with AWS Resource Explorer
For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.
Resource Explorer requires trusted access to AWS Organizations before you can designate a member account to be the delegated administrator for your organization.
You can enable trusted access using either the Resource Explorer console or the Organizations console. We strongly recommend that whenever possible, you use the Resource Explorer console or tools to enable integration with Organizations. This lets AWS Resource Explorer perform any configuration that it requires, such as creating resources needed by the service.
To enable trusted access using the Resource Explorer console
For instructions about enabling trusted access, see Prerequisites to using Resource Explorer in the AWS Resource Explorer User Guide.
Note
If you configure a delegated administrator using the AWS Resource Explorer console, then AWS Resource Explorer automatically enables trusted access for you.
You can enable trusted access by running a Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.
To disable trusted access with Resource Explorer
For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.
Only an administrator in the AWS Organizations management account can disable trusted access with AWS Resource Explorer.
You can disable trusted access using either the AWS Resource Explorer or AWS Organizations tools.
Important
We strongly recommend that whenever possible, you use the AWS Resource Explorer console or tools to disable integration with Organizations. This lets AWS Resource Explorer perform any clean up that it requires, such as deleting resources or access roles that are no longer needed by the service. Proceed with these steps only if you can’t disable integration using the tools provided by AWS Resource Explorer.
If you disable trusted access by using the AWS Resource Explorer console or tools then you don’t need to complete these steps.
You can disable trusted access by running a Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.
Enabling a delegated administrator account for Resource Explorer
Use your delegated administrator account to create multi-account resource views and scope it to an organizational unit or your entire organization. You can share multi-account views with any account in your organization via AWS Resource Access Manager by creating resource shares.
Minimum permissions
Only a user or role in the Organizations management account with the following permission can configure a member account as a delegated administrator for Resource Explorer in the organization:
resource-explorer:RegisterAccount
For instruction about enabling a delegated administrator account for Resource Explorer, see Setting Up in the AWS Resource Explorer User Guide.
If you configure a delegated administrator using the AWS Resource Explorer console, then Resource Explorer automatically enables trusted access for you.
Disabling a delegated administrator for Resource Explorer
Only an administrator in the Organizations management account or in the Resource Explorer delegated administrator account can remove a delegated
administrator for Resource Explorer. You can disable trusted access using the Organizations DeregisterDelegatedAdministrator
CLI or SDK operation.