AWS resource-explorer documentation change
Summary
Removed announcement about immediate access feature launch, clarified IAM permission requirements for search results, and updated terminology about views.
Security assessment
Changes focus on clarifying IAM permission requirements but don't address any specific vulnerability. The update about service-linked roles improves documentation accuracy but doesn't indicate a security fix.
Diff
diff --git a/resource-explorer/latest/userguide/using-search.md b/resource-explorer/latest/userguide/using-search.md index 2e677a6f5..524d5aef8 100644 --- a//resource-explorer/latest/userguide/using-search.md +++ b//resource-explorer/latest/userguide/using-search.md @@ -7,2 +6,0 @@ Quick filters -AWS Resource Explorer now provides immediate access to resource search and discovery capabilities in a Region. With this launch, you no longer need to activate Resource Explorer to discover your resources. [Learn more](https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-immediate-resource-discovery-experience.html) - @@ -13 +11 @@ AWS Resource Explorer provides immediate search capabilities for your AWS resour -The search experience you receive depends on your IAM permissions. With basic search permissions, you get immediate access to partial results while indexing completes in the background. With additional permissions, you receive complete resource inventory and enhanced functionality. +The search experience you receive depends on your IAM permissions. With basic (Read-Only) search permissions, you get immediate access to partial results. With additional permissions, you receive complete resource inventory and enhanced functionality. @@ -19 +17 @@ The following are some of the main characteristics of Resource Explorer search. -When you access Resource Explorer with the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy, the service automatically provides search capabilities. Users with both the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy and the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy) receive complete resource inventory. The `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy) is only needed until the first user creates the service-linked role for the account. Once created, subsequent users with only the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy in Regions where Resource Explorer has been set up will also receive complete results. Users without the service-linked role receive partial results immediately (all tagged resources plus untagged resources created after the feature launch). +When you access Resource Explorer with the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy, the service automatically provides search capabilities. Users with both the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy and the `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy) receive complete resource inventory. The `iam:CreateServiceLinkedRole` permission (included in the [AWSResourceExplorerFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerFullAccess.html) managed policy) is only needed until the first user creates the service-linked role for the account. Once created, users with only the permissions in the `[AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSResourceExplorerReadOnlyAccess.html)` managed policy will also receive complete results in subsequent Regions where they search. Users without the service-linked role receive partial results immediately (all tagged resources plus untagged resources created after the [feature launch](./manage-immediate-resource-discovery-experience.html)). @@ -21 +19 @@ When you access Resource Explorer with the permissions in the `[AWSResourceExplo - * **Every search must use a view.** + * **Every search uses a view.**