AWS resource-explorer medium security documentation change
Summary
Added documentation about managed view access controls using IAM FAS/SLR and resource-based policies, clarified deletion process requiring service-specific actions
Security assessment
The changes explicitly document security controls: managed views can only be modified by creating services using IAM forward access sessions or service-linked roles, with resource-based policies enforcing access. This clarifies security boundaries and access management for sensitive resource views.
Diff
diff --git a/resource-explorer/latest/userguide/aws-managed-views.md b/resource-explorer/latest/userguide/aws-managed-views.md index 114d92f8e..c4d6e2050 100644 --- a//resource-explorer/latest/userguide/aws-managed-views.md +++ b//resource-explorer/latest/userguide/aws-managed-views.md @@ -6,0 +7,2 @@ About managed views +AWS Resource Explorer now provides immediate access to resource search and discovery capabilities in a Region. With this launch, you no longer need to activate Resource Explorer to discover your resources. [Learn more](https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-immediate-resource-discovery-experience.html) + @@ -23,0 +26,4 @@ A _managed view_ is how other AWS services can access resource information index +Managed views can be updated or deleted only by the service that created the managed view. An AWS service creates a managed view using [IAM forward access sessions (FAS)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) or a [service-linked role (SLR)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create-service-linked-role.html). + +Resource Explorer uses a [resource-based policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) to control access to the managed view. When an AWS service creates a managed view, Resource Explorer attaches the resource-based policy to the view. This policy allows the managing AWS service to use and delete the view and allows view's resource owners to list and retrieve details about the view. The following is an example resource-based policy attached to a managed view: + @@ -74,0 +81,4 @@ JSON +Managed views can only be deleted by the AWS service that manages them. Before the managing service can delete the view, you may need to perform service-specific tasks to remove a managed view from your account. + +Resource Explorer managed views use the AWS Systems Manager `AWSManagedViewForSSM` unified console resource, which allows Systems Manager to access resource information indexed by Resource Explorer for your organization. If you want to delete the managed view, you must disable the unified console in Systems Manager. For instructions, see [Disabling the Systems Manager unified console](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-disable-integrated-console.html) in the _AWS Systems Manager User Guide_. + @@ -81 +91 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Deleting views +AWS service views