Resource Explorer Indexes Exist
Overview
This check verifies that your AWS account has at least one AWS Resource Explorer index. Resource Explorer helps you find and discover resources across your AWS account by maintaining a searchable catalog of all your AWS resources.
Risk
Without a Resource Explorer index, you lose visibility into your AWS resources. This creates several security concerns:
- Hidden exposures: Publicly accessible or misconfigured resources may go unnoticed
- Delayed incident response: Finding affected resources during a security event takes longer
- Orphaned resources: Unused resources that cost money or pose security risks remain undetected
- Compliance gaps: Auditing and inventory requirements become difficult to meet
Remediation Steps
Prerequisites
- AWS account access with permission to create Resource Explorer indexes
- Access to the AWS Console or AWS CLI
Required IAM permissions
To create a Resource Explorer index, your IAM user or role needs these permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "resource-explorer-2:CreateIndex",
        "resource-explorer-2:GetIndex",
        "resource-explorer-2:ListIndexes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/resource-explorer-2.amazonaws.com/*"
    }
  ]
}
```
The iam:CreateServiceLinkedRole permission is only needed the first time you create an index in your account.
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to Resource Explorer (search for "Resource Explorer" in the top search bar)
- If this is your first time, you will see a welcome page. Click Turn on Resource Explorer
- Choose your setup option:
  - Quick setup: Creates a local index in the current region (recommended for most users)
  - Advanced setup: Lets you choose which regions to enable and designate an aggregator
- For quick setup, click Turn on Resource Explorer to confirm
- Wait for the index status to show Active (this typically takes a few minutes)
Tip: For cross-region search capabilities, consider creating an aggregator index. This lets you search resources across all your enabled regions from a single location.
AWS CLI (optional)
Create a local index in us-east-1:
```bash
aws resource-explorer-2 create-index --region us-east-1
```
Create an index with tags:
```bash
aws resource-explorer-2 create-index \
  --region us-east-1 \
  --tags Environment=Production,ManagedBy=CLI
```
List all indexes in your account:
```bash
aws resource-explorer-2 list-indexes --region us-east-1
```
Check the status of an index in a specific region:
```bash
aws resource-explorer-2 get-index --region us-east-1
```
Example output when the index is active:
```json
{
  "Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/abc12345-def6-7890-ghij-klmnopqrstuv",
  "CreatedAt": "2024-01-15T10:30:00.000Z",
  "LastUpdatedAt": "2024-01-15T10:35:00.000Z",
  "ReplicatingFrom": [],
  "ReplicatingTo": [],
  "State": "ACTIVE",
  "Tags": {},
  "Type": "LOCAL"
}
```
CloudFormation (optional)
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates an AWS Resource Explorer index for resource discovery
Parameters:
  IndexType:
    Type: String
    Default: LOCAL
    AllowedValues:
      - LOCAL
      - AGGREGATOR
    Description: Type of Resource Explorer index (LOCAL or AGGREGATOR)
Resources:
  ResourceExplorerIndex:
    Type: AWS::ResourceExplorer2::Index
    Properties:
      Type: !Ref IndexType
      Tags:
        Environment: Production
        ManagedBy: CloudFormation
Outputs:
  IndexArn:
    Description: ARN of the Resource Explorer index
    Value: !GetAtt ResourceExplorerIndex.Arn
```
Deploy the stack:
```bash
aws cloudformation create-stack \
  --stack-name resource-explorer-index \
  --template-body file://template.yaml \
  --region us-east-1
```
Deploy as an aggregator index:
```bash
aws cloudformation create-stack \
  --stack-name resource-explorer-index \
  --template-body file://template.yaml \
  --parameters ParameterKey=IndexType,ParameterValue=AGGREGATOR \
  --region us-east-1
```
Terraform (optional)
```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "index_type" {
  description = "Type of Resource Explorer index (LOCAL or AGGREGATOR)"
  type        = string
  default     = "LOCAL"
  validation {
    condition     = contains(["LOCAL", "AGGREGATOR"], var.index_type)
    error_message = "index_type must be either LOCAL or AGGREGATOR."
  }
}

variable "tags" {
  description = "Tags to apply to the Resource Explorer index"
  type        = map(string)
  default = {
    Environment = "Production"
    ManagedBy   = "Terraform"
  }
}

resource "aws_resourceexplorer2_index" "main" {
  type = var.index_type
  tags = var.tags
}

output "index_arn" {
  description = "ARN of the Resource Explorer index"
  value       = aws_resourceexplorer2_index.main.arn
}
```
Apply the configuration:
```bash
terraform init
terraform apply
```
Create an aggregator index:
```bash
terraform apply -var="index_type=AGGREGATOR"
```
Verification
After creating the index, verify it is working:
- In the AWS Console, go to Resource Explorer
- Check that the index status shows Active
- Try searching for a resource (e.g., type "ec2" in the search bar)
- Results should appear showing your EC2 instances and related resources
CLI verification commands
Check index status:
```bash
aws resource-explorer-2 get-index --region us-east-1
```
The State field should be ACTIVE.
List all indexes across regions:
```bash
aws resource-explorer-2 list-indexes --region us-east-1
```
Test a search (once the index is active):
```bash
aws resource-explorer-2 search \
  --query-string "resourcetype:ec2:instance" \
  --region us-east-1
```
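The verification above as a script, added here as an example (not part of the original guide or of any tool's code): evaluate_indexes() applies the check's logic to index records shaped like list-indexes output plus the State that get-index returns, and collect_indexes() is an assumed boto3 collector that gathers those records from a live account. The sample records are constructed.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    status: str                  # "PASS" or "FAIL", as the check reports it
    message: str
    aggregator_region: str = ""  # empty when no aggregator index is ACTIVE
    active_local_regions: tuple = ()

def evaluate_indexes(indexes):
    """Apply the check to index records (list-indexes fields plus State).
    Only ACTIVE indexes count: one still CREATING returns no search results
    yet, so it does not restore visibility; aggregator presence is reported
    because it decides whether cross-region search works."""
    if not indexes:
        return Finding("FAIL", "No Resource Explorer index exists in the account.")
    active = [i for i in indexes if i.get("State") == "ACTIVE"]
    if not active:
        states = ", ".join(f"{i['Region']}={i.get('State', 'UNKNOWN')}" for i in indexes)
        return Finding("FAIL", f"Indexes exist but none is ACTIVE ({states}).")
    aggregators = [i for i in active if i["Type"] == "AGGREGATOR"]
    local_regions = tuple(sorted(i["Region"] for i in active if i["Type"] == "LOCAL"))
    if aggregators:
        region = aggregators[0]["Region"]
        return Finding("PASS", f"Aggregator index ACTIVE in {region}; "
                       "cross-region search is available.", region, local_regions)
    return Finding("PASS", f"Local index ACTIVE in {', '.join(local_regions)}; no "
                   "aggregator, so each region must be searched separately.",
                   "", local_regions)

def collect_indexes(region="us-east-1"):
    """Assumed live collector (needs boto3 and credentials). list-indexes omits
    State, so each index's State is read with get-index in its own region."""
    import boto3  # imported here so evaluate_indexes() runs without it
    client = boto3.client("resource-explorer-2", region_name=region)
    records, kwargs = [], {}
    while True:  # follow NextToken so no index is missed
        page = client.list_indexes(**kwargs)
        for idx in page.get("Indexes", []):
            regional = boto3.client("resource-explorer-2", region_name=idx["Region"])
            records.append({**idx, "State": regional.get_index().get("State")})
        if not page.get("NextToken"):
            return records
        kwargs["NextToken"] = page["NextToken"]

# Constructed sample, not real account data: a local index still CREATING and an ACTIVE aggregator.
SAMPLE_INDEXES = [
    {"Arn": "arn:aws:resource-explorer-2:eu-west-1:123456789012:index/EXAMPLE-1", "Region": "eu-west-1", "Type": "LOCAL", "State": "CREATING"},
    {"Arn": "arn:aws:resource-explorer-2:us-east-1:123456789012:index/EXAMPLE-2", "Region": "us-east-1", "Type": "AGGREGATOR", "State": "ACTIVE"},
]
```

Run `evaluate_indexes(collect_indexes())` against a real account; the status mirrors the check's PASS/FAIL outcome and the message tells you whether cross-region search is available.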
Additional Resources
- AWS Resource Explorer User Guide
- Turn on Resource Explorer in a Region
- Creating an Aggregator Index
- Resource Explorer Pricing (Resource Explorer is free to use)
Notes
- Index types: A LOCAL index only catalogs resources in its own region. An AGGREGATOR index can search across all regions where you have local indexes enabled.
- One aggregator per account: You can only have one aggregator index per AWS account. Choose a central region for your aggregator.
- Indexing time: After creating an index, it may take several minutes for resources to be fully indexed and searchable.
- Service-linked role: The first index you create will automatically create a service-linked role (AWSServiceRoleForResourceExplorer) that allows Resource Explorer to discover resources.
- No additional cost: AWS Resource Explorer is available at no additional charge.