Granting access to Resource Explorer views for search - AWS Resource Explorer

Before users can search with a new view, you must grant them access to that AWS Resource Explorer view. To do this, attach an identity-based permission policy to the AWS Identity and Access Management (IAM) principals that need to search with the view.

To provide access, add permissions to your users, groups, or roles. You can use either of the following methods:

  • Use an existing AWS managed policy. Resource Explorer provides several pre-defined AWS managed policies for your use. For details of all of the available AWS managed policies, see AWS managed policies for AWS Resource Explorer.

    For example, you could use the AWSResourceExplorerReadOnlyAccess policy to grant search permissions to all views in the account.

  • Create your own permission policy and assign it to the principals. If you create your own policy, you can restrict access to a single view, or to a subset of the available views, by specifying the Amazon Resource Name (ARN) of each view in the Resource element of the policy statement. For example, you can use the following policy to grant a principal the ability to search using only that one view.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "resource-explorer-2:Search",
                    "resource-explorer-2:GetView"
                ],
                "Resource": "arn:aws:resource-explorer-2:us-east-1:123456789012:view/MyTestView/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111"
            }
        ]
    }

    Use the IAM console to create the permission policies and to use them with the principals that need those permissions. For more information about IAM permission policies, see the following topics:

Using tag-based authorization to control access to your views

If you choose to create multiple views with filters that return results with only certain resources, then you might also want to restrict access to those views to only the principals who need to see those resources. You can provide this type of security for the views in your account by using an attribute-based access control (ABAC) strategy. The attributes used by ABAC are the tags attached both to the principals attempting to perform operations in AWS and to the resources they attempt to access.

ABAC uses standard IAM permission policies attached to the principals. The policies use Condition elements in the policy statements to allow access only when both the tags attached to the requesting principal and the tags attached to the affected resource match the requirements in the policy.

For example, you could attach a tag "Environment" = "Production" to all of the AWS resources that support your company's production application. To ensure that only principals that are authorized to access the production environment can see those resources, create a Resource Explorer view that uses that tag as a filter. Then, to restrict access to the view to only the appropriate principals, you grant permissions using a policy that has a condition similar to the following example elements.

{
    "Effect": "Allow",
    "Action": [
        "service:Action1",
        "service:Action2"
    ],
    "Resource": "arn:aws:arn-of-a-resource",
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/Environment": "${aws:PrincipalTag/Environment}"
        }
    }
}

The Condition in the previous example specifies that the request is allowed only if the Environment tag attached to the principal making the request matches the Environment tag attached to the resource specified in the request. If those two tags don't match exactly, or if either tag is missing, then Resource Explorer denies the request.
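The following added example (not from the Resource Explorer documentation) walks through how a tag-matching condition like the one above is evaluated, using the Resource Explorer search actions and a constructed view ARN. It implements only the StringEquals operator with an aws:PrincipalTag policy variable, and shows the two failure modes the text calls out: a mismatched tag and a tag that is missing on either side.

```python
import fnmatch
import re

# Constructed ABAC statement in the shape described above, narrowed to the
# Resource Explorer search actions. The view ARN is a placeholder, not a real view.
VIEW_ARN = "arn:aws:resource-explorer-2:us-east-1:123456789012:view/ProdView/EXAMPLE-VIEW-ID"
STATEMENT = {
    "Effect": "Allow",
    "Action": ["resource-explorer-2:Search", "resource-explorer-2:GetView"],
    "Resource": VIEW_ARN,
    "Condition": {
        "StringEquals": {"aws:ResourceTag/Environment": "${aws:PrincipalTag/Environment}"}
    },
}

_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")

def _resolve(value, principal_tags):
    """Substitute ${aws:PrincipalTag/Key} variables; None if the principal lacks the tag."""
    missing = False
    def sub(match):
        nonlocal missing
        if match.group(1) not in principal_tags:
            missing = True
            return ""
        return principal_tags[match.group(1)]
    out = _VAR.sub(sub, value)
    return None if missing else out

def _condition_met(condition, principal_tags, resource_tags):
    """StringEquals only: each aws:ResourceTag key must exist on the resource and match exactly."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            return False  # other condition keys are out of scope for this example
        actual = resource_tags.get(key[len("aws:ResourceTag/"):])
        wanted = _resolve(expected, principal_tags)
        if actual is None or wanted is None or actual != wanted:
            return False  # missing tag on either side, or a mismatch, fails the condition
    return True

def evaluate(statement, action, resource, principal_tags, resource_tags):
    """Return the statement's Effect when it matches the request, else 'Deny' (implicit deny)."""
    actions = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return "Deny"
    if not fnmatch.fnmatchcase(resource, statement["Resource"]):
        return "Deny"
    if not _condition_met(statement.get("Condition", {}), principal_tags, resource_tags):
        return "Deny"
    return statement["Effect"]
```

Tag comparison is case-sensitive, so a principal tagged "production" does not match a view tagged "Production".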

Important

To successfully use ABAC to secure access to your resources, you must first restrict who can add or modify the tags attached to your principals and resources. If a user can add or modify the tags attached to an AWS principal or resource, then that user can affect the permissions controlled by those tags. In a secure ABAC environment, only approved security administrators have permission to add or modify the tags attached to principals, and only security administrators and resource owners can add or modify the tags attached to resources.

For more information about how to successfully implement an ABAC strategy, see the following topics in the IAM User Guide:

After you have the necessary ABAC infrastructure in place, you can start using tags to control who can search using the Resource Explorer views in your account. For example policies that illustrate the principle, see the following example permission policies: