AWS organizations documentation change
Summary
Updated documentation for generating EC2 compliance status reports with improved clarity and terminology. Changes include: rewording prerequisites, clarifying S3 bucket requirements, updating 'API' to 'operation', improving step-by-step instructions, and enhancing the report generation section.
Security assessment
The changes are editorial improvements focusing on clarity and terminology (e.g., changing 'API' to 'operation'). No security vulnerabilities or weaknesses are addressed. The S3 bucket policy requirement was already present and only received wording improvements. No new security features or vulnerabilities are documented.
Diff
diff --git a/organizations/latest/userguide/orgs_manage_policies_ec2_status-report.md b/organizations/latest/userguide/orgs_manage_policies_ec2_status-report.md index 867c8593f..baee9c82c 100644 --- a//organizations/latest/userguide/orgs_manage_policies_ec2_status-report.md +++ b//organizations/latest/userguide/orgs_manage_policies_ec2_status-report.md @@ -7 +7 @@ -PrerequisitesAccess the compliance status report +PrerequisitesGenerating the compliance status report @@ -15 +15 @@ This report helps you assess readiness by providing a Region breakdown and if th -The choice to attach a EC2 policy for enforcing a baseline configuration depends on your specific use case. +Whether to attach an EC2 policy for enforcing a baseline configuration depends on your specific use case. @@ -21 +21 @@ For more information and an illustrative example, see [Account status report for -Before you can generate an account status report, you must perform the following steps +Before you can generate an account status report, complete the following steps: @@ -23 +23 @@ Before you can generate an account status report, you must perform the following - 1. The `StartDeclarativePoliciesReport` API can only be called by the management account or delegated administrators for an organization. + 1. The `StartDeclarativePoliciesReport` operation can only be called by the management account or delegated administrators for an organization. @@ -27 +27 @@ Before you can generate an account status report, you must perform the following - 3. You must have an S3 bucket before generating the report (create a new one or use an existing one), it must be in the same Region in which the request is made, and it must have an appropriate S3 bucket policy. For a sample S3 policy, see _Sample Amazon S3 policy_ under [Examples ](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartDeclarativePoliciesReport.html#API_StartDeclarativePoliciesReport_Examples) in the _Amazon EC2 API Reference_ + 3. You must have an S3 bucket before you generate the report. Create a new bucket or use an existing one. The bucket must be in the same Region where you make the request. The bucket must have an appropriate bucket policy. For a sample S3 policy, see _Sample Amazon S3 policy_ under [Examples ](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartDeclarativePoliciesReport.html#API_StartDeclarativePoliciesReport_Examples) in the _Amazon EC2 API Reference_ @@ -29 +29 @@ Before you can generate an account status report, you must perform the following - 4. You must enable trusted access for Amazon EC2. This creates a read-only service-linked role that is used to generate the account status report of what the existing configuration is for accounts across your organization. + 4. You must enable trusted access for Amazon EC2. This creates a read-only service-linked role that generates the account status report of the existing configuration for accounts across your organization. @@ -37 +37 @@ For the Organizations console, this step is a part of the process for enabling E -For the AWS CLI, use the [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html) API. +For the AWS CLI, use the [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html) operation. @@ -39 +39 @@ For the AWS CLI, use the [EnableAWSServiceAccess](https://docs.aws.amazon.com/or -For more information on how to enable trusted access for a specific service with the AWS CLI see, [AWS services that you can use with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html). +For more information about how to enable trusted access for a specific service with the AWS CLI, see [AWS services that you can use with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html). @@ -41 +41 @@ For more information on how to enable trusted access for a specific service with - 5. Only one report per organization can be generated at a time. Attempting to generate a report while another is in progress will result in an error. + 5. Only one report per organization can be generated at a time. If you generate a report while another is in progress, the operation returns an error. @@ -46 +46 @@ For more information on how to enable trusted access for a specific service with -## Access the compliance status report +## Generating the compliance status report @@ -50 +50 @@ For more information on how to enable trusted access for a specific service with -To generate a compliance status report, you need permission to run the following actions: +To generate a compliance status report, you need permission to run the following operations: @@ -121 +121,3 @@ Use the following operations to generate a compliance status report, check on it -Before generating a report, grant the EC2 policies principal access to the Amazon S3 bucket where the report will be stored. To do this, attach the following policy to the bucket. Replace `amzn-s3-demo-bucket` with your actual Amazon S3 bucket name, and `identity_ARN` with the IAM identity used to call the `StartDeclarativePoliciesReport` API. +Before you generate a report, grant the EC2 policies principal access to the Amazon S3 bucket where the report will be stored. To do this, attach the following policy to the bucket. Replace `amzn-s3-demo-bucket` with your actual Amazon S3 bucket name, and `identity_ARN` with the IAM identity used to call the `StartDeclarativePoliciesReport` operation. + +The following JSON policy grants access to deliver the report to your bucket: