AWS Security ChangesHomeSearch

AWS organizations medium security documentation change

Service: organizations · 2025-05-28 · Security-related medium

File: organizations/latest/userguide/orgs_manage_policies_declarative_status-report.md

Summary

Added SSE-KMS encryption requirements and S3 bucket policy example for compliance reports

Security assessment

Explicitly addresses security configuration gaps by requiring kms:GenerateDataKey for SSE-KMS encrypted buckets, preventing potential report delivery failures due to missing permissions.

Diff

diff --git a/organizations/latest/userguide/orgs_manage_policies_declarative_status-report.md b/organizations/latest/userguide/orgs_manage_policies_declarative_status-report.md
index 418f4b80b..12ef9afa8 100644
--- a//organizations/latest/userguide/orgs_manage_policies_declarative_status-report.md
+++ b//organizations/latest/userguide/orgs_manage_policies_declarative_status-report.md
@@ -67,0 +68 @@ To generate a compliance status report, you need permission to run the following
+  * `s3:PutObject`
@@ -70,0 +72,5 @@ To generate a compliance status report, you need permission to run the following
+
+###### Note
+
+If your Amazon S3 bucket uses SSE-KMS encryption, you must also include the `kms:GenerateDataKey` permission in the policy.
+
@@ -110,0 +117,25 @@ Use the following operations to generate a compliance status report, check on it
+Before generating a report, grant the EC2 declarative policies principal access to the Amazon S3 bucket where the report will be stored. To do this, attach the following policy to the bucket. Replace `amzn-s3-demo-bucket` with your actual Amazon S3 bucket name, and `identity_ARN` with the IAM identity used to call the `StartDeclarativePoliciesReport` API.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "DeclarativePoliciesReportDelivery",
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": "identity_ARN"
+                },
+                "Action": [
+                    "s3:PutObject"
+                ],
+                "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
+                "Condition": {
+                    "StringEquals": {
+                        "aws:CalledViaLast": "report.declarative-policies-ec2.amazonaws.com"
+                    }
+                }
+            }
+        ]
+    }
+