AWS resource-explorer documentation change
Summary
Added detailed troubleshooting sections for permission-based access issues, service-linked role creation, search functionality access, and indexing progress. Clarified required IAM permissions (AWSResourceExplorerReadOnlyAccess and AWSResourceExplorerFullAccess) for different access levels.
Security assessment
The changes document IAM permission requirements and access control troubleshooting but do not address a specific security vulnerability. They explain how missing permissions (like iam:CreateServiceLinkedRole) impact functionality, which helps users configure security policies correctly but does not indicate a resolved exploit or vulnerability.
Diff
diff --git a/resource-explorer/latest/userguide/troubleshooting_setup.md b/resource-explorer/latest/userguide/troubleshooting_setup.md index 2bd5e1600..63f317a6e 100644 --- a//resource-explorer/latest/userguide/troubleshooting_setup.md +++ b//resource-explorer/latest/userguide/troubleshooting_setup.md @@ -5 +5,3 @@ -I get an "access denied" message when I make a request to Resource ExplorerI get an "access denied" message when I make a request with temporary security credentials +Troubleshooting permission-based access issuesI get an "access denied" message when I make a request to Resource ExplorerI get an "access denied" message when I make a request with temporary security credentials + +AWS Resource Explorer now provides immediate access to resource search and discovery capabilities in a Region. With this launch, you no longer need to activate Resource Explorer to discover your resources. [Learn more](https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-immediate-resource-discovery-experience.html) @@ -12,0 +15,2 @@ Use the information here to help you diagnose and fix issues that can occur when + * Troubleshooting permission-based access issues + @@ -19,0 +24,60 @@ Use the information here to help you diagnose and fix issues that can occur when +## Troubleshooting permission-based access issues + +Resource Explorer provides different user experiences based on your IAM permissions. Use this section to troubleshoot issues related to permission-based access and search results. + +### I'm getting partial search results instead of complete results + +If you're receiving partial search results, this indicates you have, at minimum, the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy but lack `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy), or the service-linked role hasn't been created in your account yet. + + * **To get complete results:** Obtain `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy) from your administrator, or sign in with a role that has this permission. Once you initiate a search with both permissions, Resource Explorer will automatically create the service-linked role and provide complete results. + + * **If the service-linked role already exists:** Verify you have, at minimum, the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy. Users with search permission get complete results after searching in a Region once the service-linked role exists in the account. + +###### Note + +Automatic setup may not happen in this case if an index was previously deleted or the aggregator index already exists + + * **Regional differences:** Results may vary by Region based on index types. Regions with user-owned indexes provide complete results, while Regions with only Resource Explorer-owned indexes provide partial results. + + + + +### Service-linked role creation issues + +If you receive an error when Resource Explorer attempts to create the service-linked role during your first search, this indicates you lack the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy). + + * **Resolution:** Get permission from your administrator OR sign in with a role that has the `iam:CreateServiceLinkedRole` permission. + +###### Note + +**Note:** The service-linked role only needs to be created once per account. After it's created by any user with the appropriate permission, all users with, at minimum, the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy are able to create an index and view for full results in a Region on first search. + + + + +### I can't access Resource Explorer search functionality + +If you receive access denied errors when trying to use Resource Explorer search, you lack at minimum the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy. + + * **Resolution:** Contact your administrator to obtain the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy. These permissions are also a subset of the `ResourceExplorerFullAccess` managed policy + + * **Organizational control:** If your organization wants to prevent access to Resource Explorer search functionality, administrators can disallow the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy. + + + + +### Indexing progress and completion issues + +When Resource Explorer automatically creates indexes and views, you may see indexing progress indicators in the console. + + * **Blue banner "Completing Resource Explorer setup":** This indicates indexing is in progress. You can search immediately and receive partial results while indexing completes in the background. + + * **Green completion banner:** This indicates that the user-index is setup. Refresh to view full results. + + * **Timeline expectations:** Initial indexing typically completes within a few hours, depending on the number of resources in your account. You can use Resource Explorer immediately while indexing continues. + + * **If indexing appears stuck:** Indexing runs automatically in the background. If you don't see progress after several hours, verify your permissions and try refreshing the console. + + + + @@ -22 +86,7 @@ Use the information here to help you diagnose and fix issues that can occur when - * Verify that you have permissions to call the action and resource that you requested. An administrator can grant permissions by assigning an AWS Identity and Access Management (IAM) permission policy to your IAM principal, such as a role, group, or user. +Access denied errors can occur when accessing Resource Explorer search functionality or when trying to configure enhanced features like custom views or cross-Region search. + + * **For basic search access:** Verify you have, at minimum, the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy. This permission provides immediate access to search functionality. + + * **For complete search results:** Verify you have both the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy and the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy), or that the service-linked role already exists in your account. + + * **For enhanced features:** Verify that you have permissions to call the action and resource that you requested. An administrator can grant permissions by assigning an AWS Identity and Access Management (IAM) permission policy to your IAM principal, such as a role, group, or user.