AWS resource-explorer medium security documentation change
Summary
Updated documentation to reflect immediate resource discovery availability, clarified IAM permission requirements for search functionality, and added troubleshooting guidance for service-linked role creation
Security assessment
The changes explicitly detail required IAM permissions (AWSResourceExplorerReadOnlyAccess and iam:CreateServiceLinkedRole) for secure access control. It addresses potential security implications of improper permissions by explaining how missing permissions can limit search results or block service-linked role creation. The troubleshooting section directly addresses authorization errors related to security configurations.
Diff
diff --git a/resource-explorer/latest/userguide/security_iam_service-with-iam.md b/resource-explorer/latest/userguide/security_iam_service-with-iam.md index d9de388d6..c252fad67 100644 --- a//resource-explorer/latest/userguide/security_iam_service-with-iam.md +++ b//resource-explorer/latest/userguide/security_iam_service-with-iam.md @@ -6,0 +7,2 @@ Resource Explorer identity-based policiesAuthorization based on Resource Explore +AWS Resource Explorer now provides immediate access to resource search and discovery capabilities in a Region. With this launch, you no longer need to activate Resource Explorer to discover your resources. [Learn more](https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-immediate-resource-discovery-experience.html) + @@ -22 +24,3 @@ Before you use IAM to manage access to AWS Resource Explorer, you should underst -Like any other AWS service, Resource Explorer requires permissions to use its operations to interact with your resources. To search, users must have permission to retrieve the details about a view, and also to search using the view. To create indexes or views, or to modify them or any other Resource Explorer settings, you must have additional permissions. +Like any other AWS service, Resource Explorer requires permissions to use its operations to interact with your resources. To create indexes or views, or to modify them or any other Resource Explorer settings, you must have additional permissions. + +Your search experience is automatically enabled based on your IAM permissions. If you have, at minimum, the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy, you can immediately search all tagged resources and supported untagged resources created after the [immediate resource discovery](https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-immediate-resource-discovery-experience.html) release. For complete resource inventory with automatic updates, you'll also need the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy). After the service-linked role is created in your account by any user, subsequent users need only need, at minimum, the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy to create an index and view for full results in a Region on first search. Organizations can control access by denying the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy to prevent all search access, or denying `iam:CreateServiceLinkedRole` to limit users to partial results only when a service-linked role does not already exist in an account. @@ -120 +124 @@ Another resource type that you can use to control access to Resource Explorer fu -The primary way that you interact with the index is to turn on Resource Explorer in an AWS Region by creating an index in that Region. After that, you do almost everything else by interacting with the view. +The primary way that you interact with the index is to create an index in that Region. After that, you do almost everything else by interacting with the view. @@ -185 +189,3 @@ Resource Explorer supports using temporary credentials. -Resource Explorer uses service-linked roles to perform its work. For details about Resource Explorer service-linked roles, see [Using service-linked roles for Resource Explorer](./security_iam_service-linked-roles.html). +Resource Explorer uses service-linked roles to perform its work. When users with both, at minimum, the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy and the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy) initiate their first resource search, Resource Explorer automatically creates the service-linked role at the account level. Once the service-linked role exists, subsequent regions are automatically enabled when users with search permissions invoke search operations. For details about Resource Explorer service-linked roles, see [Using service-linked roles for Resource Explorer](./security_iam_service-linked-roles.html). + +**Troubleshooting service-linked role creation:** If users lack the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy), they will receive an error when attempting to create the service-linked role. To resolve this issue, users must either get permission from an administrator or sign in with a role that has the required permission.