Get started with AWS SSM Resource Groups

Maxat Akbanov

You can use resource groups to organize your AWS resources. AWS Resource Groups is the service that lets you manage and automate tasks on large numbers of resources at one time. This guide shows you how to create and manage resource groups in AWS Resource Groups. The tasks that you can perform on a resource vary based on the AWS service you're using. For a list of the services that support AWS Resource Groups and a brief description of what each service allows you to do with a resource group, see AWS services that work with AWS Resource Groups.

What are resource groups?

In AWS, a resource is an entity that you can work with. Examples include an Amazon EC2 instance, an AWS CloudFormation stack, or an Amazon S3 bucket. If you work with multiple resources, you might find it useful to manage them as a group rather than move from one AWS service to another for each task. If you manage large numbers of related resources, such as EC2 instances that make up an application layer, you likely need to perform bulk actions on these resources at one time. Examples of bulk actions include:

  • Applying updates or security patches.

  • Upgrading applications.

  • Opening or closing ports to network traffic.

  • Collecting specific log and monitoring data from your fleet of instances.

A resource group is a collection of AWS resources that are all in the same AWS Region, and that match the criteria specified in the group's query. In Resource Groups, there are two types of queries you can use to build a group. Both query types include resources that are specified in the format AWS::service::resource.

  • Tag-based

    A tag-based resource group bases its membership on a query that specifies a list of resource types and tags. Tags are keys that help identify and sort your resources within your organization. Optionally, tags include values for keys.

    Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are not intended to be used for private or sensitive data.

  • AWS CloudFormation stack-based

    An AWS CloudFormation stack-based resource group bases its membership on a query that specifies an AWS CloudFormation stack in your account in the current region. You can optionally choose resource types within the stack that you want to be in the group. You can base your query on only one AWS CloudFormation stack.

Resource groups can be nested; a resource group can contain existing resource groups in the same region.

Use cases for resource groups

By default, the AWS Management Console is organized by AWS service. But with Resource Groups, you can create a custom console that organizes and consolidates information based on criteria specified in tags, or the resources in an AWS CloudFormation stack. The following list describes some of the cases in which resource grouping can help organize your resources.

  • An application that has different phases, such as development, staging, and production.

  • Projects managed by multiple departments or individuals.

  • A set of AWS resources that you use together for a common project or that you want to manage or monitor as a group.

  • A set of resources related to applications that run on a specific platform, such as Android or iOS.

For example, you are developing a web application, and you are maintaining separate sets of resources for your alpha, beta, and release stages. Each version runs on Amazon EC2 with an Amazon Elastic Block Store storage volume. You use Elastic Load Balancing to manage traffic and Route 53 to manage your domain. Without Resource Groups, you might have to access multiple consoles just to check the status of your services or modify the settings for one version of your application.

With Resource Groups, you use a single page to view and manage your resources. For example, let’s say you use the tool to create a resource group for each version—alpha, beta, and release—of your application. To check your resources for the alpha version of your application, open your resource group. Then view the consolidated information on your resource group page. To modify a specific resource, choose the resource's links on your resource group page to access the service console that has the settings that you need.

AWS Resource Groups and permissions

Resource Groups feature permissions are at the account level. As long as IAM principals, such as roles and users, who are sharing your account have the correct IAM permissions, they can work with resource groups that you create.

Tags are properties of a resource, so they are shared across your entire account. Users in a department or specialized group can draw from a common vocabulary (tags) to create resource groups that are meaningful to their roles and responsibilities. Having a common pool of tags also means that when users share a resource group, they don't have to worry about missing or conflicting tag information.

AWS Resource Groups resources

In Resource Groups, the only available resource is a group. Groups have unique Amazon Resource Names (ARNs) associated with them.

Build a tag-based query and create a group

The following procedures show you how to build a tag-based query and use it to create a resource group.

💡
In this guide, we will launch three EC2 instances: two of them have the tag "Environment = Dev" and one has the "Prod" tag. To launch these EC2 instances, use the following guide: How to launch a single EC2 instance via AWS CLI

To launch an EC2 instance with the Environment tag (here with the value Prod):

aws ec2 run-instances --image-id ami-0f34c5ae932e6f0e4 --instance-type t2.micro --key-name DemoKeyPair --security-groups AWSSSH --count 1 --tag-specifications 'ResourceType=instance,Tags=[{Key=Environment,Value=Prod}]'

  1. Sign in to the AWS Resource Groups console.

  2. In the navigation pane, choose Create Resource Group.

  3. On the Create query-based group page, under Group type, choose the Tag based group type.

  4. Under Grouping criteria, choose the resource types that you want to be in your resource group. You can have a maximum of 20 resource types in a query. For this walkthrough, choose AWS::EC2::Instance.

  5. Still under Grouping criteria, for Tags, specify a tag key, or a tag key and value pair, to limit the matching resources to include only those that are tagged with your specified values. For this walkthrough use Environment tag. Choose Add or press Enter when you've finished your tag. The tag value is optional, but narrows the results of the query further. You can add multiple values for a tag key by adding an OR operator between tag values. To add more tags, choose Add. Queries assign an AND operator to tags, so any resource that matches the specified resource types and all specified tags is returned by the query.

  6. Still under Grouping criteria, choose Preview group resources to return the list of EC2 instances and S3 buckets in your account that match the specified tag key or keys.

  7. After you have the results that you want, create a group based on this query.

    1. Under Group details, for Group name, type a name for your resource group.

      A resource group name can have a maximum of 128 characters, including letters, numbers, hyphens, periods, and underscores. The name cannot start with AWS or aws. These are reserved. A resource group name must be unique in the current Region in your account.

    2. (Optional) In Group description, enter a description of your group.

    3. (Optional) In Group tags, add tag key and value pairs that apply only to the resource group, not the member resources in the group.

      Group tags are useful if you plan to make this group a member of a larger group. Because specifying at least a tag key is required to create a group, be sure to add at least a tag key in Group tags to groups that you plan to nest into larger groups.

  8. When you're finished, choose Create group.
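
The console steps above can also be run through the AWS CLI that this guide already uses for EC2. This is an added example, not code from the original post: the function names and the group name env-dev are assumptions, and it groups the walkthrough's EC2 instances by their Environment tag after checking the name rules from step 7.

```bash
#!/usr/bin/env bash
# Added example, not the author's code. Function names are hypothetical.

# Name rules from the walkthrough: 1-128 chars of letters, digits, '-', '.', '_';
# the prefixes "AWS" and "aws" are reserved.
valid_group_name() {
  local name="$1"
  [ "${#name}" -ge 1 ] && [ "${#name}" -le 128 ] || return 1
  case $name in
    AWS*|aws*) return 1 ;;
    *[!A-Za-z0-9_.-]*) return 1 ;;
  esac
}

# Inner tag query: one resource type, one tag key, one or more values.
# Values listed for the same key are ORed, as in the console.
build_tag_query() {
  local rtype="$1" key="$2" values="" v
  shift 2
  [ "$#" -ge 1 ] || return 1
  # Refuse characters that would break out of the hand-built JSON strings.
  case "$rtype$key$*" in *[\"\\]*) return 1 ;; esac
  for v in "$@"; do values="${values:+$values,}\"$v\""; done
  printf '{"ResourceTypeFilters":["%s"],"TagFilters":[{"Key":"%s","Values":[%s]}]}' \
    "$rtype" "$key" "$values"
}

# --resource-query wants {"Type":...,"Query":"<JSON as a string>"}, so the
# inner document's double quotes are escaped before embedding.
resource_query_arg() {
  local inner
  inner=$(build_tag_query "$@") || return 1
  printf '{"Type":"TAG_FILTERS_1_0","Query":"%s"}' \
    "$(printf '%s' "$inner" | sed 's/"/\\"/g')"
}

# Preview (step 6), create (step 8), then list the members of the new group.
create_env_group() {  # usage: create_env_group GROUP_NAME TAG_VALUE...
  local name="$1" rq
  shift
  valid_group_name "$name" || { echo "invalid group name: $name" >&2; return 1; }
  rq=$(resource_query_arg AWS::EC2::Instance Environment "$@") || return 1
  aws resource-groups search-resources --resource-query "$rq" &&
    aws resource-groups create-group --name "$name" --resource-query "$rq" &&
    aws resource-groups list-group-resources --group-name "$name"
}

# Calls AWS only when given arguments, e.g.: ./make-group.sh env-dev Dev
if [ "$#" -ge 2 ]; then create_env_group "$@"; fi
```

Run with `env-dev Dev`, the script should list the two Dev instances from this walkthrough. Passing `Dev Prod` as values matches all three.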

Updating groups in AWS Resource Groups

To update a tag-based resource group in Resource Groups, you can edit the query and tags that are the basis of your group. You can add and remove resources from your group only by applying changes to the query or tags. You cannot select specific resources to add to or remove from your group. The best way to add or remove a specific resource from a group is to edit the resource's tags. Then verify that your resource group tag query either includes or omits the tag, depending on whether you want the resource in your group.

Update tag-based query groups

Update a tag-based group by changing the resource types or tags in the query on which the group is based. You can also add or change the group's description.

  1. Sign in to the AWS Resource Groups console.

  2. In the navigation pane, under Saved Resource Groups, choose the name of the group, and then choose Edit.

    💡
    You can update only resource groups that you own. The Owner column shows account ownership for each resource group. Any groups with an account owner other than the one you're signed in to were created in AWS License Manager. For more information, see Host resource groups in AWS License Manager in the License Manager User Guide.

  3. On the Edit group page, under Grouping criteria, add or remove resource types. You can have a maximum of 20 resource types in a query. To remove a resource type, choose X on the resource type's label.

    Choose View group resources to see how the changes affect your group's resource members. In this walkthrough, we add the resource type AWS::S3::Bucket to the query.

  4. Still under Grouping criteria, edit the tags as needed. In this example, we filter for resources that have a tag key of Environment and add a tag value of Prod. The tag value is optional, but narrows the results of the query further. To remove a tag, choose X on the tag's label.

  5. In Additional information, you can edit the group description. You cannot edit a group's name after the group has been created.

  6. (Optional) In Group tags, you can add or remove tags. Group tags are metadata about your resource group. They do not affect member resources. To change the resources that are returned by the resource group's query, edit the tags found under Grouping criteria.

    Group tags are useful if you plan to make this group a member of a larger group. Specifying at least a tag key is required to create a group. Therefore, be sure to add at least a tag key in Group tags to groups that you plan to nest into larger groups.

  7. Choose Preview group resources to retrieve the updated list of EC2 instances, S3 buckets, and Amazon RDS database instances in your account that match the specified tag keys. If you do not see resources in the list that you expect, be sure that the resources are tagged with tags that you specified in Grouping criteria.

  8. When you are finished, choose Save changes.
