AWS organizations medium security documentation change
Summary
Added SSE-KMS encryption requirements and S3 bucket policy example for compliance reports
Security assessment
Explicitly addresses security configuration gaps by requiring kms:GenerateDataKey for SSE-KMS encrypted buckets, preventing potential report delivery failures due to missing permissions.
Diff
diff --git a/organizations/latest/userguide/orgs_manage_policies_declarative_status-report.md b/organizations/latest/userguide/orgs_manage_policies_declarative_status-report.md index 418f4b80b..12ef9afa8 100644 --- a//organizations/latest/userguide/orgs_manage_policies_declarative_status-report.md +++ b//organizations/latest/userguide/orgs_manage_policies_declarative_status-report.md @@ -67,0 +68 @@ To generate a compliance status report, you need permission to run the following + * `s3:PutObject` @@ -70,0 +72,5 @@ To generate a compliance status report, you need permission to run the following + +###### Note + +If your Amazon S3 bucket uses SSE-KMS encryption, you must also include the `kms:GenerateDataKey` permission in the policy. + @@ -110,0 +117,25 @@ Use the following operations to generate a compliance status report, check on it +Before generating a report, grant the EC2 declarative policies principal access to the Amazon S3 bucket where the report will be stored. To do this, attach the following policy to the bucket. Replace `amzn-s3-demo-bucket` with your actual Amazon S3 bucket name, and `identity_ARN` with the IAM identity used to call the `StartDeclarativePoliciesReport` API. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DeclarativePoliciesReportDelivery", + "Effect": "Allow", + "Principal": { + "AWS": "identity_ARN" + }, + "Action": [ + "s3:PutObject" + ], + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*", + "Condition": { + "StringEquals": { + "aws:CalledViaLast": "report.declarative-policies-ec2.amazonaws.com" + } + } + } + ] + } +