

# Generating the account status report for declarative policies

The *account status report* allows you to review the current status of all attributes supported by declarative policies for the accounts in scope. You can choose the accounts and organizational units (OUs) to include in the report scope, or choose an entire organization by selecting the root.

This report helps you assess readiness by providing a per-Region breakdown and by showing whether the current state of an attribute is *uniform across accounts* (every account in scope is counted under `numberOfMatchedAccounts`) or *inconsistent* (one or more accounts are counted under `numberOfUnmatchedAccounts`). You can also see the *most frequent value*, which is the configuration value observed most often for the attribute across the accounts in scope.

Whether to attach a declarative policy to enforce a baseline configuration depends on your specific use case; the report tells you how far the current state is from that baseline before you enforce it.

For more information and an illustrative example, see [Account status report for declarative policies](orgs_manage_policies_declarative.md#orgs_manage_policies_declarative-account-status-report).

## Prerequisites

Before you can generate an account status report, make sure that the following requirements are met:

1. The `StartDeclarativePoliciesReport` API can be called only from the organization's management account or from a delegated administrator account for Organizations.

1. You must have an S3 bucket for the report before you generate it (create a new one or use an existing one). The bucket must be in the same Region in which the request is made, and it must have a bucket policy that allows the report to be delivered to it. For a sample bucket policy, see *Sample Amazon S3 policy* under [Examples](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_StartDeclarativePoliciesReport.html#API_StartDeclarativePoliciesReport_Examples) in the *Amazon EC2 API Reference*.

1. You must enable trusted access for the service whose configuration the declarative policy will enforce. Enabling trusted access creates a read-only service-linked role, which is what reads the existing configuration of the accounts across your organization to generate the account status report.

   **Using the console**

   For the Organizations console, this step is a part of the process for enabling declarative policies.

   **Using the Amazon CLI**

   For the Amazon CLI, use the [EnableAWSServiceAccess](https://docs.amazonaws.cn/organizations/latest/APIReference/API_EnableAWSServiceAccess.html) API.

   For more information on how to enable trusted access for a specific service with the Amazon CLI see, [Amazon Web Services services that you can use with Amazon Organizations](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_integrate_services_list.html).

1. Only one report per organization can be generated at a time. Attempting to start a report while another is still in progress results in an error; cancel the in-progress report or wait for it to finish.

## Generate the account status report


**Minimum permissions**  
To generate an account status report, you need permission to run the following actions:  
`ec2:StartDeclarativePoliciesReport`
`ec2:DescribeDeclarativePoliciesReports`
`ec2:GetDeclarativePoliciesReportSummary`
`ec2:CancelDeclarativePoliciesReport`
`organizations:DescribeAccount`
`organizations:DescribeOrganization`
`organizations:DescribeOrganizationalUnit`
`organizations:ListAccounts`
`organizations:ListDelegatedAdministrators`
`organizations:ListAWSServiceAccessForOrganization`
`s3:PutObject`

**Note**  
If your Amazon S3 bucket uses SSE-KMS encryption, you must also include the `kms:GenerateDataKey` permission in the policy.

------
#### [ Amazon Web Services Management Console ]

Use the following procedure to generate an account status report.

**To generate an account status report**

1. Sign in to the [Amazon Organizations console](https://console.amazonaws.cn/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.

1. On the **Policies** page, choose **Declarative policies for EC2**.

1. On the **Declarative policies for EC2** page, choose **View account status report** from the **Actions** dropdown menu.

1. On the **View account status report** page, choose **Generate status report**.

1. In the **Organizational structure** widget, specify which organizational units (OUs) you want to include in the report.

1. Choose **Submit**.

------
#### [ Amazon CLI & Amazon SDKs ]

**To generate an account status report**

Use the following operations to generate an account status report, check on its status, and view the summary:
+ `aws ec2 start-declarative-policies-report`: Starts generating an account status report for the target (root, OU, or account) you specify and returns a report ID. Generation is asynchronous and can take several hours to complete. For more information, see [StartDeclarativePoliciesReport](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_StartDeclarativePoliciesReport.html) in the *Amazon EC2 API Reference*.
+ `aws ec2 describe-declarative-policies-reports`: Describes the metadata of one or more account status reports, including the state of each report. Poll this operation with the report ID until the report is complete. For more information, see [DescribeDeclarativePoliciesReports](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_DescribeDeclarativePoliciesReports.html) in the *Amazon EC2 API Reference*.
+ `aws ec2 get-declarative-policies-report-summary`: Retrieves a summary of a completed account status report: the per-attribute matched and unmatched account counts, the most frequent value, and the Region breakdown. For more information, see [GetDeclarativePoliciesReportSummary](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_GetDeclarativePoliciesReportSummary.html) in the *Amazon EC2 API Reference*.
+ `aws ec2 cancel-declarative-policies-report`: Cancels the generation of an in-progress account status report. For more information, see [CancelDeclarativePoliciesReport](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_CancelDeclarativePoliciesReport.html) in the *Amazon EC2 API Reference*.

Before generating a report, grant the identity that will call `StartDeclarativePoliciesReport` access to the Amazon S3 bucket where the report will be stored. To do this, attach the following policy to the bucket. Replace `amzn-s3-demo-bucket` with your actual Amazon S3 bucket name, and `identity_ARN` with the ARN of the IAM identity used to call the API. The `aws:CalledViaLast` condition restricts the grant to writes made on that identity's behalf through Organizations, so the statement does not give the identity a general right to write objects to the bucket.

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "DeclarativePoliciesReportDelivery",
            "Effect": "Allow",
            "Principal": {
                "AWS": "identity_ARN"
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket/*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "organizations.amazonaws.com"
                }
            }
        }
    ]
}
```

------
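The end-to-end flow described above (start the report, poll until it completes, read the summary, and interpret uniform versus inconsistent attributes and the Region breakdown), as an added example that is not part of the AWS documentation or the AWS SDK. It assumes the boto3 EC2 client method names `start_declarative_policies_report`, `describe_declarative_policies_reports` and `get_declarative_policies_report_summary`, the report `Status` values `running`, `complete`, `error` and `cancelled`, and the response field names `ReportId`, `Reports`, `AttributeSummaries`, `AttributeName`, `MostFrequentValue`, `NumberOfMatchedAccounts`, `NumberOfUnmatchedAccounts` and `RegionalSummaries` (the page's attribute names in boto3's CamelCase); the `FakeEc2` client and its summary data are constructed so the flow runs offline.

```python
"""Added example: drive the account status report end to end.

Assumptions (not confirmed by the page): boto3 method names, report Status
values "running"/"complete"/"error"/"cancelled", and the summary field names
used below. Not AWS documentation or SDK code.
"""
import json
import time


def bucket_policy(bucket, identity_arn, partition="aws-cn"):
    """Render the delivery policy shown on this page for a given partition.

    Least privilege: only s3:PutObject on this bucket's objects, and only when
    the identity acts through Organizations (aws:CalledViaLast).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DeclarativePoliciesReportDelivery",
            "Effect": "Allow",
            "Principal": {"AWS": identity_arn},
            "Action": ["s3:PutObject"],
            "Resource": f"arn:{partition}:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"aws:CalledViaLast": "organizations.amazonaws.com"}},
        }],
    }


def start_report(ec2, bucket, prefix, target_id):
    """Start the report for a root, OU or account id and return the report id."""
    resp = ec2.start_declarative_policies_report(S3Bucket=bucket, S3Prefix=prefix, TargetId=target_id)
    return resp["ReportId"]


def wait_for_report(ec2, report_id, poll_seconds=60, timeout_seconds=6 * 3600, sleep=time.sleep):
    """Poll until the report leaves 'running'; raise on error, cancellation or timeout.

    Only one report per organization runs at a time, so a failed wait must not
    be retried by blindly starting another report. Status values are assumed.
    """
    waited = 0
    while True:
        report = ec2.describe_declarative_policies_reports(ReportIds=[report_id])["Reports"][0]
        status = report["Status"]
        if status == "complete":
            return report
        if status in ("error", "cancelled"):
            raise RuntimeError(f"report {report_id} ended with status {status}")
        if waited >= timeout_seconds:
            raise TimeoutError(f"report {report_id} still {status} after {waited}s")
        sleep(poll_seconds)
        waited += poll_seconds


def summarize(summary):
    """Reduce the report summary to one readiness row per attribute.

    An attribute is uniform when no account is counted as unmatched; the
    Regions listed are those where at least one account differs.
    """
    rows = []
    for attr in summary.get("AttributeSummaries", []):
        unmatched = attr["NumberOfUnmatchedAccounts"]
        rows.append({
            "attribute": attr["AttributeName"],
            "most_frequent_value": attr.get("MostFrequentValue"),
            "matched": attr["NumberOfMatchedAccounts"],
            "unmatched": unmatched,
            "uniform": unmatched == 0,
            "inconsistent_regions": sorted(
                r["RegionName"] for r in attr.get("RegionalSummaries", [])
                if r["NumberOfUnmatchedAccounts"] > 0),
        })
    return rows


class FakeEc2:
    """Constructed offline stand-in: 'running' once, then 'complete', with made-up data."""
    def __init__(self):
        self.calls = 0

    def start_declarative_policies_report(self, **kwargs):
        return {"ReportId": "r-0123456789abcdef0"}

    def describe_declarative_policies_reports(self, ReportIds):
        self.calls += 1
        return {"Reports": [{"ReportId": ReportIds[0], "Status": "running" if self.calls == 1 else "complete"}]}

    def get_declarative_policies_report_summary(self, ReportId):
        region = lambda name, m, u: {"RegionName": name, "NumberOfMatchedAccounts": m, "NumberOfUnmatchedAccounts": u}
        return {"ReportId": ReportId, "NumberOfAccounts": 12, "AttributeSummaries": [
            {"AttributeName": "serial-console-access", "MostFrequentValue": "disabled",
             "NumberOfMatchedAccounts": 12, "NumberOfUnmatchedAccounts": 0,
             "RegionalSummaries": [region("cn-north-1", 12, 0), region("cn-northwest-1", 12, 0)]},
            {"AttributeName": "vpc-block-public-access", "MostFrequentValue": "off",
             "NumberOfMatchedAccounts": 9, "NumberOfUnmatchedAccounts": 3,
             "RegionalSummaries": [region("cn-north-1", 12, 0), region("cn-northwest-1", 9, 3)]},
        ]}


def run(ec2, bucket="amzn-s3-demo-bucket", prefix="status-reports", target_id="r-exampleroot", sleep=time.sleep):
    """Start, wait, summarize; returns the readiness rows."""
    report_id = start_report(ec2, bucket, prefix, target_id)
    wait_for_report(ec2, report_id, sleep=sleep)
    return summarize(ec2.get_declarative_policies_report_summary(ReportId=report_id))


if __name__ == "__main__":
    import boto3  # real run: credentials for the management or delegated administrator account
    print(json.dumps(run(boto3.client("ec2")), indent=2))
```

A row with `uniform` set to true (no unmatched accounts anywhere) is an attribute you can enforce with a declarative policy without changing any account's effective configuration; a row with a non-empty `inconsistent_regions` list tells you which Regions to review before attaching the policy.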

------