AWS Resource Explorer launches immediate resource discovery within a Region

AWS now provides immediate access to resource search capabilities through AWS Resource Explorer so that customers can discover resources across services in their AWS account. Operations like troubleshooting and problem resolution, making resource changes, investigating resource dependencies, identifying security risks and optimizing costs are critical everyday activities for the cloud operations team. With resource search, customers can find resources they want to act on faster. Immediate resource discovery eliminates the requirement for customers to activate Resource Explorer to begin searching.

With this launch, you have immediate availability to discover resources in a Region for all existing and new AWS accounts. To start searching, you need, at minimum, permissions in the AWS Resource Explorer Read Only Access or AWS Read Only Access managed policies. You can discover resources in the AWS Resource Explorer console, Unified Search, and AWS CLI and SDKs. Initially in partial results, you can see all tagged resources and supported untagged resources created after the launch. To search the full inventory of supported resources, including historical backfill and automatic updates, complete Resource Explorer setup. This requires additional permissions to create a Service-Linked Role (SLR), so that Resource Explorer can automatically complete setup in each Region where you search. If you already have Resource Explorer with cross-Region search, there will be no changes to your environment, and all you existing configurations will remain the same.

For further visibility, you can continue to configure Resource Explorer for your AWS Organization for a multi-account experience. Leveraging Organizations and Resource Explorer, you can transform your resource discovery process through a centralized search experience, regardless of which account your resources are deployed in. This approach provides comprehensive inventory insights, enhanced governance capabilities, and dramatically reduces the time and effort required to locate and understand resource relationships. To set up multi-account functionality, you can get started on the Resource Explorer Settings page.

In this blog, we will walk through four scenarios to show the experience after launch; the first is searching for resources in Unified Search in the AWS Management Console, the second and third are searching for resources in the Resource Explorer console with different permission tiers, and the fourth is searching for resources in the Resource Explorer console with existing Resource Explorer configurations.

Resource Explorer Key Components:

The following are key concepts to understand how Resource Explorer works.

Index: An index is the data store used by AWS Resource Explorer to provide information about your AWS resources that the service discovers. By default, an index is local, meaning that it contains information about resources in only the same Region as the index. Resource Explorer-owned indexes are the indexes immediately available to use for searching in partial results. If you want full results, you need a user-owned index. Resource Explorer will automatically create a user-owned index when you search with the correct permissions, or you can create one from the Settings page.

Aggregator Index: An aggregator index is a centralized search index that consolidates resource metadata from multiple user-owned (local) indexes across different AWS Regions for the account. You will need to explicitly set-up cross region search by selecting your aggregator Region (one-click experience in the Console).

Views (Filter): You can create views to control the visibility of resources in your account and define what resource information is available for search and discovery. To look up resources by running a query, you need a view that gives you access to an index. If the index is an aggregator index, then the query can run a search across all Regions with a user-owned index. Resource Explorer service views are the views immediately available to use for searching. If you require custom configurations, you can create your own views on the views page.

Scenario 1: Finding resources in Unified Search

Before this launch, you could only view resource search results in Unified Search after setting up cross-Region search. Now, when you have minimum permissions in AWSResourceExplorerReadOnlyAccess, you can look up regional resources using the Unified Search bar with partial results.

Figure 1. Partial resource search results in Unified Search with a call to action to complete setup.

If you have Resource Explorer set up in specific Regions, but have not turned on cross-Region search, you will be prompted to finish setting up cross-Region search by selecting an aggregator index in just two clicks.

1. Click Enable cross-region search in Unified Search
2. Enable cross-Region search in all Regions (shown in Scenario 2, Figure 5).

Figure 2. Full Regional search results in Unified Search with a call to action to enable cross-Region search.

Scenario 2: Full search experience in Resource Explorer console

When you first land on the Resource Explorer console, Resource Explorer automatically starts setting up in the background, which includes creating the necessary Service-Linked Role (SLR), index, and view. While set up completes, you can immediately search resources from the initial set of partial results. You will see a notification at the top of the screen letting you know results are partial while AWS completes the setup of Resource Explorer in the Region.

Figure 3. Completing AWS Resource Explorer setup on the Resource Explorer console.

When the index and SLR creation is complete you can then refresh the page to view the full results for that Region.

Figure 4. Resource Explorer setup complete with call to action to refresh the page for full, single-Region results on the Resource Explorer console.

Search results are populated progressively as indexing completes. You will also have a one-click option to enable cross-Region search and complete Resource Explorer setup in additional Regions.

Figure 5. One-click banner to enable cross-Region search in all Regions in the Resource Explorer console.

Scenario 3: Partial search experience  in Resource Explorer console

When you navigate to the Resource Explorer console, Resource Explorer will try to complete setup. However, because you do not have sufficient permissions to create the SLR, you receive a warning banner and remain in partial results. A retry button is provided in the banner so you can retry once the necessary permissions have been granted by your account administrator or you have logged in with a role that has the required permissions.

Figure 6: Warning banner indicating completing setup of Resource Explorer requires permission to create a Service-Linked Role (SLR)

NOTE:

• The following managed policies include the required permissions for immediate partial results: AWSResourceExplorerReadOnlyAccess, ReadOnlyAccess.
• The following managed policies include the required permission to complete Resource Explorer setup and search full results: AWSResourceExplorerFullAccess, AdministratorAccess.

If you do not have the ability to modify policies yourself, you will need to contact your AWS administrator to request these permissions be added to your AWS IAM identity.

Scenario 4: You previously setup Resource Explorer only in specific Regions, deleted indexes in certain Regions over time, or already have a cross-Region setup

Resource Explorer returns results based on your existing configuration. If you search in a Region that does not have complete setup, Resource Explorer will create user-owned indexes and views in subsequent Regions via the SLR when cross-Region search has not been enabled or an index has not been previously deleted in the Region. Resource Explorer will not alter an existing cross-Region setup or onboard a Region that has already offboarded from Resource Explorer. In these cases, you can choose to complete setup in the Region for both full results and inclusion of the Region in cross-Region results.

Figure 7. Complete setup banner in a Region when automatic setup does not occur because an aggregator index exists or an index has been previously deleted in the Region.

In the four scenarios above, we went over the different experiences you will have after this launch. The first was looking up AWS resources using Unified Search in the AWS Management console. The second was searching for resources in the Resource Explorer console when you have the AWSResourceExplorerFullAccess permissions. The third was searching for resources in the Resource Explorer console if you only have the AWSResourceExplorerReadOnlyAccess, but not the permissions to create Service-Linked Roles (SLR). The fourth covered the experience if you previously setup Resource Explorer in either a single Region or cross-Region or have deleted indexes in the past

Conclusion

Resource Explorer is a critical resource search and discovery tool that allows you to explore your AWS resources that are supported through AWS Resource Explorer. This latest enhancement simplifies cloud resource management and visibility by removing initial setup steps and providing immediate access to resource discovery.

To learn more about this experience, visit the documentation on understanding the immediate resource discovery experience.

For common FAQs, visit AWS Resource Explorer re:Post.