AWS organizations documentation change
Summary
Updated prerequisites for generating account status reports, adding requirement for delegated administrator accounts and reordering steps
Security assessment
The change adds documentation about delegated administrator requirements for EC2 service, which is an administrative security control. It clarifies proper configuration for generating reports but does not indicate a specific security vulnerability was addressed. The change improves documentation of security best practices for organizational management.
Diff
diff --git a/organizations/latest/userguide/orgs_manage_policies_declarative_status-report.md b/organizations/latest/userguide/orgs_manage_policies_declarative_status-report.md index e97cbf362..0ac177c8c 100644 --- a//organizations/latest/userguide/orgs_manage_policies_declarative_status-report.md +++ b//organizations/latest/userguide/orgs_manage_policies_declarative_status-report.md @@ -25 +25 @@ Before you can generate an account status report, you must perform the following - 2. You must have an S3 bucket before generating the report (create a new one or use an existing one), it must be in the same Region in which the request is made, and it must have an appropriate S3 bucket policy. For a sample S3 policy, see _Sample Amazon S3 policy_ under [Examples ](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartDeclarativePoliciesReport.html#API_StartDeclarativePoliciesReport_Examples) in the _Amazon EC2 API Reference_ + 2. To run reports from a delegated administrator account, the account must be registered as a delegated administrator for the EC2 service. @@ -27 +27,3 @@ Before you can generate an account status report, you must perform the following - 3. You must enable trusted access for the service where the declarative policy will enforce a baseline configuration. This creates a read-only service-linked role that is used to generate the account status report of what the existing configuration is for accounts across your organization. + 3. You must have an S3 bucket before generating the report (create a new one or use an existing one), it must be in the same Region in which the request is made, and it must have an appropriate S3 bucket policy. For a sample S3 policy, see _Sample Amazon S3 policy_ under [Examples ](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartDeclarativePoliciesReport.html#API_StartDeclarativePoliciesReport_Examples) in the _Amazon EC2 API Reference_ + + 4. You must enable trusted access for the service where the declarative policy will enforce a baseline configuration. This creates a read-only service-linked role that is used to generate the account status report of what the existing configuration is for accounts across your organization. @@ -39 +41 @@ For more information on how to enable trusted access for a specific service with - 4. Only one report per organization can be generated at a time. Attempting to generate a report while another is in progress will result in an error. + 5. Only one report per organization can be generated at a time. Attempting to generate a report while another is in progress will result in an error.