Sharing Resource Explorer views - AWS Resource Explorer

Views in AWS Resource Explorer primarily use resource-based policies to grant access. Similar to Amazon S3 bucket policies, these policies are attached to the view and specify who can use the view. This is in contrast to AWS Identity and Access Management (IAM) identity-based policies. An IAM identity-based policy is assigned to a role, group, or user, and it specifies which actions and resources that role, group, or user can access. You can use either type of policy with Resource Explorer views, as follows:

  • Within the management account or delegated administrator account that owns the resource, use either policy type to grant access, provided that no other policy explicitly denies access to the view for that principal.

  • Across accounts, you must use both policy types. The resource-based policy attached to the view in the sharing account turns on sharing with another consuming account. However, that policy doesn't grant access to the individual users or roles in the consuming account. The administrator in the consuming account must also assign an identity-based policy to the desired roles and users in the consuming account. That policy grants access to the Amazon resource name (ARN) of the view.

To share views with other accounts, you must use AWS Resource Access Manager (AWS RAM). AWS RAM handles the complexity of resource-based policies for you. Before you can share, you must perform the following tasks:

  • Turn on multi-account search.

  • Ensure that the resource-based policy or the IAM identity-based policy you use to share and unshare views includes the resource-explorer-2:GetResourcePolicy and resource-explorer-2:UpdateResourcePolicy permissions.

To share a view, you must be the organization's management account or a delegated administrator. You specify the accounts or identities that you want to share the resource with. AWS RAM fully supports Resource Explorer views. AWS RAM uses policies similar to those described in the following sections, based on the types of the principals that you choose to share with. For instructions on how to share resources, see Sharing your AWS resources in the AWS Resource Access Manager User Guide.

Administrators and delegated administrators can create and share three types of views: organization-scope views, organizational unit (OU) scope views, and account-level scope views. They can share them with organizations, OUs, or accounts. When accounts join or leave the organization, AWS RAM automatically grants or revokes access to the shared view.

Permissions policy to share view with AWS accounts

The following example policy shows how you can make a view available to the principals in two different AWS accounts:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "111122223333",
          "444455556666"
        ]
      },
      "Action": [
        "resource-explorer-2:Search",
        "resource-explorer-2:GetView"
      ],
      "Resource": "arn:aws:resource-explorer-2:us-east-1:123456789012:view/policy-name/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "o-123456789012" },
        "StringNotEquals": { "aws:PrincipalAccount": "123456789012" }
      }
    }
  ]
}

The administrator in each of the specified accounts must now specify which roles and users can access the view by attaching identity-based permissions policies to the roles, groups, and users. The administrators of accounts 111122223333 or 444455556666 can create the following example policy. Then, they can assign the policy to roles, groups, and users in those accounts who are to be allowed to search using the view shared from the originating account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "resource-explorer-2:Search",
        "resource-explorer-2:GetView"
      ],
      "Resource": "arn:aws:resource-explorer-2:us-east-1:123456789012:view/policy-name/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111"
    }
  ]
}
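The following simulator is an added example, not AWS code and not AWS's real policy evaluation engine. It models only what this page discusses: Allow/Deny statements, the "AWS" Principal element, the aws:PrincipalOrgID and aws:PrincipalAccount condition keys, and the rule that a caller in the owning account needs an Allow from either policy type, while a cross-account caller needs an Allow from both the view's resource-based policy and the consuming account's identity-based policy. The two policies embedded in it are the page's examples; the account IDs, organization ID and view ARN are the page's placeholder values.

```python
"""Simplified simulator for the same-account / cross-account policy rule above.

Added example, not AWS's evaluation engine. It covers only the policy features the
page uses: Allow/Deny effects, the "AWS" Principal element, StringEquals and
StringNotEquals on aws:PrincipalOrgID and aws:PrincipalAccount.
"""
from fnmatch import fnmatch

VIEW_OWNER = "123456789012"  # placeholder account ID from the page's example
VIEW_ARN = ("arn:aws:resource-explorer-2:us-east-1:123456789012:"
            "view/policy-name/1a2b3c4d-5d6e-7f8a-9b0c-abcd11111111")

# Resource-based policy attached to the view in the owning account (page's example).
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["111122223333", "444455556666"]},
        "Action": ["resource-explorer-2:Search", "resource-explorer-2:GetView"],
        "Resource": VIEW_ARN,
        "Condition": {
            "StringEquals": {"aws:PrincipalOrgID": "o-123456789012"},
            "StringNotEquals": {"aws:PrincipalAccount": VIEW_OWNER},
        },
    }],
}

# Identity-based policy a consuming account's administrator attaches to its roles/users.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["resource-explorer-2:Search", "resource-explorer-2:GetView"],
        "Resource": VIEW_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, account):
    """True if the statement's Principal names the caller's account (or everyone)."""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", account, f"arn:aws:iam::{account}:root"):
            return True
        if entry.startswith("arn:aws:iam::") and entry.split(":")[4] == account:
            return True
    return False


def _conditions_hold(stmt, ctx):
    """Evaluate the StringEquals / StringNotEquals operators used on this page."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            matched = ctx.get(key) in _as_list(expected)
            if matched != (operator == "StringEquals"):
                return False
    return True


def evaluate(policy, action, resource, ctx, check_principal):
    """Return 'Deny', 'Allow', or None when no statement matches the request."""
    decision = None
    for stmt in policy["Statement"]:
        if not any(fnmatch(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if check_principal and not _principal_matches(stmt, ctx["aws:PrincipalAccount"]):
            continue
        if not _conditions_hold(stmt, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def is_allowed(action, caller_account, caller_org, identity_policy=None):
    """Combine both policy types the way the page describes."""
    ctx = {"aws:PrincipalAccount": caller_account, "aws:PrincipalOrgID": caller_org}
    from_resource = evaluate(RESOURCE_POLICY, action, VIEW_ARN, ctx, check_principal=True)
    from_identity = (evaluate(identity_policy, action, VIEW_ARN, ctx, check_principal=False)
                     if identity_policy else None)
    if "Deny" in (from_resource, from_identity):
        return False
    if caller_account == VIEW_OWNER:
        return "Allow" in (from_resource, from_identity)  # same account: either type suffices
    # Cross-account: the resource policy shares the view, but the consuming account's
    # own identity-based policy must also grant the action.
    return from_resource == "Allow" and from_identity == "Allow"


if __name__ == "__main__":
    for account, org, ident in [
        ("111122223333", "o-123456789012", IDENTITY_POLICY),  # shared and granted: allowed
        ("111122223333", "o-123456789012", None),             # shared, no identity policy: denied
        ("999999999999", "o-123456789012", IDENTITY_POLICY),  # not named in the resource policy
        ("111122223333", "o-999999999999", IDENTITY_POLICY),  # outside the organization
        (VIEW_OWNER, "o-123456789012", IDENTITY_POLICY),      # owner with identity policy only
    ]:
        print(account, org, "identity" if ident else "none", "->",
              is_allowed("resource-explorer-2:Search", account, org, ident))
```

The second case is the one that most often surprises people: AWS RAM can share the view with account 111122223333, yet a role in that account still sees nothing until its own administrator attaches an identity-based policy naming the view ARN.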

You can use these IAM identity-based policies as part of an attribute-based access control (ABAC) security strategy. In that paradigm, you make sure that all of your resources and all of your identities are tagged. Then, you specify in your policies which tag keys and values must match between the identity and the resource for access to be allowed. For information about tagging the views in your account, see Adding tags to views. For more information about attribute-based access control, see What is ABAC for AWS? and Controlling access to AWS resources using tags, both in the IAM User Guide.