AWS resource-explorer medium security documentation change
Summary
Rewrote Unified Search permissions section to clarify access tiers (partial/full regional/cross-region) based on IAM policies, removed setup steps, and added permission dependency notes.
Security assessment
Explicitly documents how IAM permissions (AWSResourceExplorerReadOnlyAccess and iam:CreateServiceLinkedRole) control resource visibility in Unified Search. This clarifies security boundaries by linking access levels to specific permissions, preventing unintended resource exposure.
Diff
diff --git a/resource-explorer/latest/userguide/manage-service-unified-search.md b/resource-explorer/latest/userguide/manage-service-unified-search.md index 08512cf75..7d161c718 100644 --- a//resource-explorer/latest/userguide/manage-service-unified-search.md +++ b//resource-explorer/latest/userguide/manage-service-unified-search.md @@ -5,2 +4,0 @@ -AWS Resource Explorer now provides immediate access to resource search and discovery capabilities in a Region. With this launch, you no longer need to activate Resource Explorer to discover your resources. [Learn more](https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-immediate-resource-discovery-experience.html) - @@ -17 +15,2 @@ The AWS Management Console has a search bar at the top of every console page. Th - * Resources in your accounts — if you follow the steps below. + * Resources in your accounts — if have at minimum read-only access. + @@ -20,0 +20 @@ The AWS Management Console has a search bar at the top of every console page. Th +The account resources you can view in your Unified Search results depend on the permissions assigned to you. @@ -22 +22 @@ The AWS Management Console has a search bar at the top of every console page. Th -To see your account's resources in your Unified Search results, you must perform the following steps. You can do this during initial setup of AWS Resource Explorer. It all happens automatically if you use the **Quick setup** option. + * Partial Regional results: With, at minimum, the permissions in the `AWSResourceExplorerReadOnlyAccess` managed policy, you can can immediately search all tagged resources and supported untagged resources created after the immediate resource discovery release in a Region. @@ -24 +24 @@ To see your account's resources in your Unified Search results, you must perform - * You must [create an aggregator index](./manage-aggregator-region-turn-on.html) in one AWS Region for the AWS account. + * Full Regional results: With at minimum, the permissions in the `AWSResourceExplorerReadOnlyAccess` managed policy and the `iam:CreateServiceLinkedRole` permission, you can search full results, including all tagged and untagged resources with ongoing automatic updates and historical backfill, in a Region. @@ -26 +26 @@ To see your account's resources in your Unified Search results, you must perform - * You must [create a default view in the AWS Region that contains the aggregator index](./configure-views-set-default.html). + * Full cross-Region results: If you create an aggregator index, cross-Region results are available in Unified Search. @@ -28 +27,0 @@ To see your account's resources in your Unified Search results, you must perform - * You must grant all principals that need to search for resources in the Unified Search bar [permission to search using that default view](./configure-views-grant-access.html). @@ -31,0 +31 @@ To see your account's resources in your Unified Search results, you must perform +Unified Search always uses the default view in the AWS Region that contains the aggregator index to perform all searches when present. @@ -33 +33 @@ To see your account's resources in your Unified Search results, you must perform -Unified Search always uses the default view in the AWS Region that contains the aggregator index to perform all searches. +For more information about resourcer views, see [Permission tiers and user experiences](./manage-immediate-resource-discovery-experience.html#immediate-permission-tiers).