About Resource Explorer views

AWS Resource Explorer indexes your resources in the background and then makes that index available for you to query. You can perform search queries for your resources using the Resource Explorer API documented in this guide, or by using the Resource Explorer console. Resource Explorer uses its API to provide an interactive graphical interface to what otherwise would be only a programmatically accessible API. The concepts described in this topic apply to both the API and the console.

A view is stored in an AWS Region and returns results from only that Region's index.

Because the administrator might want to limit access to the information contained in the resources index, the indexes themselves are not directly accessible. Instead, all searches must go through a view for which the user must have permission to search.

There are several key elements to every view:

Permissions to search

You can use standard AWS permission policies to control who can use each view. This is provided by identity-based permission policies attached to the principals that give you granular control over who can see the information provided by each view. For example, you can grant access to the Production-resources view to allow searching only by the engineers that operate your production services. Then, you can grant different permissions to the Pre-production-resources view to allow searching for pre-production resources by your developers.

If you use the AWS managed policy named AWSResourceExplorerReadOnlyAccess with your principals, it grants them the ability to search using any view in the account.

Alternatively, you can create your own permissions policy and grant the following permissions for only specified views:

• resource-explorer-2:GetView

• resource-explorer-2:Search

To provide access, add permissions to your users, groups, or roles:

• Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in Create a permission set in the AWS IAM Identity Center User Guide.

• Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.

• IAM users:

  • Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.

  • (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.

For more information about permissions related to views, see Granting access to Resource Explorer views for search.

Filtering the search

A view serves as a virtual window through which the user can see the resources in the account. You can create multiple views, each presenting a different view of the larger picture. For example, you can create a view that allows searching only resources associated with your pre-production environment, as identified by tags attached to your resources. Then, you could create a separate view that allows searching only resources in your production environment, based on different values in the tags. If you configure multiple views with different FilterString values, you don't have to re-enter those query parameters every time you Search.

Views also can specify which optional pieces of information about the resources to include in the results. The default list of fields is always included in results. In addition to the default list, you can request that the view also include any tags attached to the resource.

Scope of the search

• Region scope – When you search in an AWS Region with Resource Explorer, the results can include only resources that are indexed in that Region. The index in most Regions is labelled LOCAL because it contains information about resources within only that Region. Searches in those Regions can return only those resources.

• Account scope – You can promote one local index to be the aggregator index for the account. When you do this, all other Regions where Resource Explorer is turned on replicate their index information to the Region with the aggregator index. If you search in that Region, those results include resources from all Regions in the account. When you use the Quick setup option to configure the server, Resource Explorer automatically creates an aggregator index in the Region you specify. Also, the Quick Setup option creates a default view in that Region to support searching all resources in the account across all Regions.

Default views

If a user attempts to search without explicitly specifying a view, Resource Explorer uses the default view defined for that AWS Region.

If a default view doesn't exist for that Region and the user didn't specify a view to use, then the search fails and generates an exception.

Resource Explorer automatically creates a default view as follows:

• If you turn on Resource Explorer using the AWS Management Console and choose the Quick setup option, you must specify which Region contains the aggregator index for the account. Resource Explorer automatically creates a default view in the specified aggregator index Region.

• If you register Resource Explorer using the AWS Management Console and choose the Advanced setup option, you can optionally choose to create the aggregator index for the account in a specified Region. If you do this, Resource Explorer creates a default view automatically in the aggregator index Region.

• If you register Resource Explorer by using the console and choose not to register an aggregator index Region, Resource Explorer creates a default view for the local index in each Region.

• If you register Resource Explorer by using the AWS CLI or the API operations, Resource Explorer doesn't automatically create a default view. Instead, you must configure the default view manually for each Region where you expect users to search from.