

# Managing application resources


**Note**  
You can also use myApplications in the AWS Management Console to add and remove resources from your applications. Review [Managing resources](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/myApp-manage-resources.html) in the AWS Management Console *Getting started guide* for instructions. 

 An application resource is an object within an AWS service that you can tag with [the `awsApplication` tag](https://docs.aws.amazon.com/servicecatalog/latest/arguide/overview-appreg.html#ar-user-tags). AWS customers and services use the `awsApplication` tag to add and remove resources from applications and identify which resources are associated with an application. 

 You add resources to your application after you define your application. You can add and remove application resources with any of the existing methods for tagging resources, infrastructure as code, and the AppRegistry API. 

To add and remove application resources with the AppRegistry API, use the [console procedures](https://docs.aws.amazon.com/servicecatalog/latest/arguide/associate-resources.html) or the AppRegistry `AssociateResource` and `DisassociateResource` APIs. You can add the `awsApplication` tag to a resource using the AppRegistry `AssociateResource` API with the `APPLY_APPLICATION_TAG` option. 

**Note**  
 Adding and removing resources requires certain permissions. For more information, see [AssociateResource](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_app-registry_AssociateResource.html) and [DisassociateResource](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_app-registry_DisassociateResource.html) in the *AWS Service Catalog AppRegistry Developer Guide*. 

AppRegistry integrates with AWS Resource Groups. When you create an application, AWS Resource Groups creates an application resource group and a resource group for every CloudFormation stack or tag-based resource you associate with your application. You can list the resources in your application by calling the Resource Groups `ListGroupResources` API on the application resource group. Any resource tagged with the `awsApplication` tag for this application will be a member of this group. 

For information about resource types and related functionalities you can use with AppRegistry applications, see [Supported resource types for AppRegistry applications](https://docs.aws.amazon.com/servicecatalog/latest/arguide/supported-resource-types.html). 

This section describes how to manage application definitions as you create and associate deployed resources to applications in your local account and AWS Region. 

**Topics**
+ [Associating and disassociating application resources](associate-resources.md)
+ [Controlling the resources associated to applications](control-tags.md)
+ [Supported resource types for AppRegistry applications](supported-resource-types.md)

# Associating and disassociating application resources


An application resource is an object within an AWS service that you can tag with [the `awsApplication` tag](https://docs.aws.amazon.com/servicecatalog/latest/arguide/overview-appreg.html#ar-user-tags), which is an AWS user tag that AppRegistry vends on your behalf. The following procedures describe how to associate and disassociate application resources. 

**Note**  
For AppRegistry applications created before November 8th, 2023, AppRegistry creates the `awsApplication` tag after you perform your first resource association. This tag’s value is a unique identifier for the application. You can then apply the `awsApplication` tag to any other resources you want to add to the application. For AppRegistry applications created after November 8th, 2023, AppRegistry creates the `awsApplication` tag when you create the application. 

**Topics**
+ [Associate application resources in a new application](#w2aab9b7c19c21b9)
+ [Associate application resources in an existing application](#w2aab9b7c19c21c11)
+ [Disassociate application resources from an application](#w2aab9b7c19c21c13)

## Associate application resources in a new application


 The following procedure describes how to associate application resources in a new application. 

**To associate application resources in a new application**

1.  Open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/) 

1.  From the navigation pane, choose **AppRegistry**, and then choose **Applications**. You're directed to the **Applications** screen. 

1.  On **Applications**, choose **Create application**. 

1.  Under **Application name and description**, enter a name and optional description for your application. 

1.  Under **Resource collections**, choose one or more provisioned products or CloudFormation stacks to associate to your application. 

1.  Choose **Create application**. 

## Associate application resources in an existing application


 The following procedure describes how to associate application resources in an existing application. 

**To associate application resources in an existing application**

1.  Open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/) 

1.  From the left navigation pane, choose **AppRegistry**, and then choose **Applications**. You're directed to the **Applications** screen. 

1.  On **Applications**, choose the name of the application that you want to associate resources to. Or select the name of the application that you want to associate resources to, and choose **View**. You're directed to the **Application details** screen. 

1.  Choose **Resource collections**, and then choose **Associate resource collection**. 

1.  Under **Resource collections**, choose one or more provisioned products or CloudFormation stacks to associate to your application. 

1.  Choose **Save changes**. 

**Note**  
If you share an application with this account, and the application has read-only permissions, associate and disassociate actions are disabled for resource collections. 

## Disassociate application resources from an application


 The following procedure describes how to disassociate application resources from an existing application. 

**To disassociate application resources from an existing application**

1.  Open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/) 

1.  From the navigation pane, choose **AppRegistry**, and then choose **Applications**. You're directed to the **Applications** screen. 

1.  On **Applications**, choose the name of the application that you want to disassociate resources from. Or select the name of the application that you want to disassociate resources from, and choose **View**. You're directed to the **Application details** screen. 

1.  Choose **Resource collections**, select the resource that you want to disassociate from the application, and then choose **Disassociate**. 

1.  Confirm your disassociation, and then choose **Ok**. 

**Note**  
If you share an application with this account, and the application has read-only permissions, associate and disassociate actions are disabled for resource collections. 

# Controlling the resources associated to applications


 This topic includes policy templates that you can use to control how tag key-value pairs are associated to applications. 

 The following policy templates are organized by scenario and include values that can be replaced with your information. 

**Sample policy: Stack only association**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicecatalog:*",
                "cloudformation:DescribeStacks",
                "resource-groups:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "servicecatalog:AssociateResource",
            "Resource": "arn:aws:servicecatalog:*:*:*",
            "Condition": {
                "StringNotEquals": {
                    "servicecatalog:ResourceType": "CFN_STACK"
                }
            }
        }
    ]
}
```

**Sample policy: Stack association that allows a specific stack name**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicecatalog:*",
                "cloudformation:DescribeStacks",
                "resource-groups:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "servicecatalog:AssociateResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "servicecatalog:ResourceType": "CFN_STACK"
                }
            }
        }
    ]
}
```

**Sample policy: Stack association that allows multiple specific stack names**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicecatalog:*",
                "cloudformation:DescribeStacks",
                "resource-groups:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "servicecatalog:AssociateResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "servicecatalog:ResourceType": "CFN_STACK"
                }
            }
        }
    ]
}
```

**Sample policy: Tag value association that denies a specific tag query value while allowing other tag queries**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicecatalog:*",
                "cloudformation:DescribeStacks",
                "resource-groups:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "servicecatalog:AssociateResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "servicecatalog:ResourceType": "TAG_QUERY"
                }
            }
        }
    ]
}
```

**Sample policy: Allow tag query association only**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicecatalog:*",
                "cloudformation:DescribeStacks",
                "resource-groups:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "servicecatalog:AssociateResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "servicecatalog:ResourceType": "TAG_QUERY"
                }
            }
        }
    ]
}
```

**Sample policy: Allow tag query association/deny specific tag query values**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicecatalog:*",
                "cloudformation:DescribeStacks",
                "resource-groups:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "servicecatalog:AssociateResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "servicecatalog:ResourceType": "CFN_STACK"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "servicecatalog:AssociateResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "servicecatalog:ResourceType": ["TAG_QUERY"]
                }
            }
        }
    ]
}
```

**Sample policy: Allow specific tag query value and specific stack**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicecatalog:*",
                "cloudformation:DescribeStacks",
                "resource-groups:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "servicecatalog:AssociateResource"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "servicecatalog:AssociateResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "servicecatalog:ResourceType": "CFN_STACK"
                }
            }
        }
    ]
}
```
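
To check what each sample policy's Deny statements block before attaching it, the following added example (not part of the AWS documentation) evaluates them against the two `servicecatalog:ResourceType` values used on this page. It assumes the condition key is always present in the request and that the broad Allow statement and the `Resource` element match, so only the explicit Deny statements decide the outcome; the policy labels and function names are illustrative.

```python
"""Added example: which AssociateResource calls do the sample Deny statements block?"""

KEY = "servicecatalog:ResourceType"

# Deny conditions copied from the seven sample policies, in page order.
# None stands for a Deny statement that has no Condition block.
SAMPLE_DENIES = {
    "stack only": [{"StringNotEquals": {KEY: "CFN_STACK"}}],
    "specific stack name": [{"StringNotEquals": {KEY: "CFN_STACK"}}],
    "multiple stack names": [{"StringNotEquals": {KEY: "CFN_STACK"}}],
    "deny specific tag query value": [{"StringEquals": {KEY: "TAG_QUERY"}}],
    "tag query only": [{"StringNotEquals": {KEY: "TAG_QUERY"}}],
    "allow tag query / deny values": [
        {"StringEquals": {KEY: "CFN_STACK"}},
        {"StringEquals": {KEY: ["TAG_QUERY"]}},
    ],
    "specific tag value and stack": [None, {"StringNotEquals": {KEY: "CFN_STACK"}}],
}


def condition_matches(condition, context):
    """Evaluate a Condition block; operators are ANDed, listed values are ORed."""
    if condition is None:
        return True  # no Condition: the statement always applies
    for operator, tests in condition.items():
        for key, expected in tests.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "StringNotEquals":
                ok = actual not in values
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def is_denied(policy_name, resource_type):
    """True if any Deny statement of the named sample policy applies."""
    context = {KEY: resource_type}
    return any(condition_matches(c, context) for c in SAMPLE_DENIES[policy_name])


def allowed_types(policy_name, candidates=("CFN_STACK", "TAG_QUERY")):
    """Resource types that survive the explicit Deny statements."""
    return [t for t in candidates if not is_denied(policy_name, t)]


if __name__ == "__main__":
    for name in SAMPLE_DENIES:
        print(f"{name:32} -> {allowed_types(name) or 'nothing'}")
```

As printed, the templates carry no stack-name or tag-value condition, so the result depends only on the resource type. The last two templates deny both resource types as written.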


# Supported resource types for AppRegistry applications


 This topic includes a list of supported resource types by service for AppRegistry applications. 

**Note**  
 If you don't see a resource type for your application, you can [submit feedback](https://docs-feedback.aws.amazon.com/feedback.jsp?hidden_service_name=Service%20Catalog&topic_url=https://docs.aws.amazon.com/servicecatalog/latest/arguide/supported-resource-types.html) to suggest a resource type to be included in a future update. 


| Resource type | Service | 
| --- | --- | 
|   aws::cloudfront::distribution   |   cloudfront   | 
|   aws::cloudwatch::alarm   |   cloudwatch   | 
|   aws::docdb::cluster   |   docdb   | 
|   aws::docdb::clustersnapshot   |   docdb   | 
|   aws::docdb::dbclusterparametergroup   |   docdb   | 
|   aws::docdb::dbinstance   |   docdb   | 
|   aws::docdb::dbsubnetgroup   |   docdb   | 
|   aws::docdb::es   |   docdb   | 
|   aws::dynamodb::table   |   dynamodb   | 
|   aws::ec2::capacityreservation   |   ec2   | 
|   aws::ec2::customergateway   |   ec2   | 
|   aws::ec2::dhcpoptions   |   ec2   | 
|   aws::ec2::eip   |   ec2   | 
|   aws::ec2::host   |   ec2   | 
|   aws::ec2::image   |   ec2   | 
|   aws::ec2::instance   |   ec2   | 
|   aws::ec2::internetgateway   |   ec2   | 
|   aws::ec2::launchtemplate   |   ec2   | 
|   aws::ec2::natgateway   |   ec2   | 
|   aws::ec2::networkacl   |   ec2   | 
|   aws::ec2::networkinterface   |   ec2   | 
|   aws::ec2::reservedinstances   |   ec2   | 
|   aws::ec2::routetable   |   ec2   | 
|   aws::ec2::securitygroup   |   ec2   | 
|   aws::ec2::snapshot   |   ec2   | 
|   aws::ec2::spotinstancesrequest   |   ec2   | 
|   aws::ec2::subnet   |   ec2   | 
|   aws::ec2::transitgateway   |   ec2   | 
|   aws::ec2::transitgatewayroutetable   |   ec2   | 
|   aws::ec2::volume   |   ec2   | 
|   aws::ec2::vpc   |   ec2   | 
|   aws::ec2::vpcpeeringconnection   |   ec2   | 
|   aws::ec2::vpnconnection   |   ec2   | 
|   aws::ec2::vpngateway   |   ec2   | 
|   aws::ecs::cluster   |   ecs   | 
|   aws::ecs::containerinstance   |   ecs   | 
|   aws::ecs::service   |   ecs   | 
|   aws::ecs::task   |   ecs   | 
|   aws::ecs::taskdefinition   |   ecs   | 
|   aws::elasticache::cachecluster   |   elasticache   | 
|   aws::elasticache::snapshot   |   elasticache   | 
|   aws::elasticloadbalancing::loadbalancer   |   elasticloadbalancing   | 
|   aws::elasticloadbalancingv2::loadbalancer   |   elasticloadbalancingv2   | 
|   aws::elasticloadbalancingv2::targetgroup   |   elasticloadbalancingv2   | 
|   aws::iam::instanceprofile   |   iam   | 
|   aws::iam::oidcprovider   |   iam   | 
|   aws::iam::policy   |   iam   | 
|   aws::iam::samlprovider   |   iam   | 
|   aws::iam::servercertificate   |   iam   | 
|   aws::kinesis::stream   |   kinesis   | 
|   aws::lambda::function   |   lambda   | 
|   aws::logs::loggroup   |   logs   | 
|   aws::neptune::dbcluster   |   neptune   | 
|   aws::neptune::dbclusterparametergroup   |   neptune   | 
|   aws::neptune::dbclustersnapshot   |   neptune   | 
|   aws::neptune::dbparametergroup   |   neptune   | 
|   aws::neptune::dbsubnetgroup   |   neptune   | 
|   aws::neptune::eventsubscription   |   neptune   | 
|   aws::opensearchservice::domain   |   opensearchservice   | 
|   aws::rds::clustersnapshot   |   rds   | 
|   aws::rds::dbcluster   |   rds   | 
|   aws::rds::dbclusterparametergroup   |   rds   | 
|   aws::rds::dbinstance   |   rds   | 
|   aws::rds::dbparametergroup   |   rds   | 
|   aws::rds::dbsecuritygroup   |   rds   | 
|   aws::rds::dbsubnetgroup   |   rds   | 
|   aws::rds::eventsubscription   |   rds   | 
|   aws::rds::optiongroup   |   rds   | 
|   aws::rds::ri   |   rds   | 
|   aws::rds::snapshot   |   rds   | 
|   aws::redshift::cluster   |   redshift   | 
|   aws::redshift::clusterparametergroup   |   redshift   | 
|   aws::redshift::clustersubnetgroup   |   redshift   | 
|   aws::s3::bucket   |   s3   | 
|   aws::sns::topic   |   sns   | 
|   aws::sqs::queue   |   sqs   | 
|   aws::ssm::document   |   ssm   | 
|   aws::ssm::maintenancewindow   |   ssm   | 
|   aws::ssm::managedinstance   |   ssm   | 
|   aws::ssm::parameter   |   ssm   | 
|   aws::ssm::patchbaseline   |   ssm   | 