AWS cli medium security documentation change
Summary
Added documentation about S3 bucket policies for cross-account access, updated navigation links, and improved compliance guidance
Security assessment
Added explicit guidance about required bucket policies for cross-account access control and permissions for compliance evaluation. This addresses potential misconfiguration risks by documenting proper security practices for report storage.
Diff
diff --git a/cli/latest/reference/resourcegroupstaggingapi/start-report-creation.md b/cli/latest/reference/resourcegroupstaggingapi/start-report-creation.md index 02420122d..07b5fe0c5 100644 --- a//cli/latest/reference/resourcegroupstaggingapi/start-report-creation.md +++ b//cli/latest/reference/resourcegroupstaggingapi/start-report-creation.md @@ -14,2 +14,2 @@ - * [previous](get-tag-values.html "get-tag-values") | - * [AWS CLI 2.31.37 Command Reference](../../index.html) » + * [previous](list-required-tags.html "list-required-tags") | + * [AWS CLI 2.31.39 Command Reference](../../index.html) » @@ -22 +22 @@ - * [← get-tag-values](get-tag-values.html "previous chapter \(use the left arrow\)") / + * [← list-required-tags](list-required-tags.html "previous chapter \(use the left arrow\)") / @@ -63 +63,3 @@ The generated report is saved to the following location: -> `s3://example-bucket/AwsTagPolicies/o-exampleorgid/YYYY-MM-ddTHH:mm:ssZ/report.csv` +> `s3://amzn-s3-demo-bucket/AwsTagPolicies/o-exampleorgid/YYYY-MM-ddTHH:mm:ssZ/report.csv` + +For more information about evaluating resource compliance with tag policies, including the required permissions, review [Permissions for evaluating organization-wide compliance](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-policies-orgs.html#tag-policies-permissions-org) in the _Tagging Amazon Web Services Resources and Tag Editor_ user guide. @@ -66,0 +69,2 @@ You can call this operation only from the organization’s management account an +If the account associated with the identity used to call `StartReportCreation` is different from the account that owns the Amazon S3 bucket, there must be a bucket policy attached to the bucket to provide access. For more information, review [Amazon S3 bucket policy for report storage](https://docs.aws.amazon.com/tag-editor/latest/userguide/tag-policies-orgs.html#bucket-policy) in the _Tagging Amazon Web Services Resources and Tag Editor_ user guide. + @@ -102 +106 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/resour ->> `awsexamplebucket` +>> `amzn-s3-demo-bucket` @@ -104 +108 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/resour -> For more information on S3 bucket requirements, including an example bucket policy, see the example S3 bucket policy on this page. +> For more information on S3 bucket requirements, including an example bucket policy, see the example Amazon S3 bucket policy on this page. @@ -215 +219 @@ None - * [← get-tag-values](get-tag-values.html "previous chapter \(use the left arrow\)") / + * [← list-required-tags](list-required-tags.html "previous chapter \(use the left arrow\)") / @@ -224,2 +228,2 @@ None - * [previous](get-tag-values.html "get-tag-values") | - * [AWS CLI 2.31.37 Command Reference](../../index.html) » + * [previous](list-required-tags.html "list-required-tags") | + * [AWS CLI 2.31.39 Command Reference](../../index.html) »