StartReportCreation - Resource Groups Tagging API

StartReportCreation

Generates a report that lists all tagged resources in the accounts across your organization and tells whether each resource is compliant with the effective tag policy. Compliance data is refreshed daily. The report is generated asynchronously.

The generated report is saved to the following location:

s3://example-bucket/AwsTagPolicies/o-exampleorgid/YYYY-MM-ddTHH:mm:ssZ/report.csv

You can call this operation only from the organization's management account and from the us-east-1 Region.

Request Syntax

{
   "S3Bucket": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

S3Bucket

The name of the Amazon S3 bucket where the report will be stored; for example:

awsexamplebucket

For more information on S3 bucket requirements, including an example bucket policy, see the example S3 bucket policy on this page.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 63.

Pattern: [a-z0-9.-]*

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors.

ConcurrentModificationException

The request failed because the target of the operation is currently being modified by a different request. Try again later.

HTTP Status Code: 400

ConstraintViolationException

The request failed because performing the operation would violate a constraint.

Some of the reasons in the following list might not apply to this specific operation.

  • You must meet the prerequisites for using tag policies. For information, see Prerequisites and Permissions for Using Tag Policies in the AWS Organizations User Guide.

  • You must enable the tag policies service principal (tagpolicies.tag.amazonaws.com) to integrate with AWS Organizations. For information, see EnableAWSServiceAccess.

  • You must have a tag policy attached to the organization root, an OU, or an account.

HTTP Status Code: 400

InternalServiceException

The request processing failed because of an unknown error, exception, or failure. You can retry the request.

HTTP Status Code: 500

InvalidParameterException

The request failed because of one of the following reasons:

  • A required parameter is missing.

  • A provided string parameter is malformed.

  • A provided parameter value is out of range.

  • The target ID is invalid, unsupported, or doesn't exist.

  • You can't access the Amazon S3 bucket for report storage. For more information, see Additional Requirements for Organization-wide Tag Compliance Reports in the AWS Organizations User Guide.

  • The partition specified in an ARN parameter in the request doesn't match the partition where you invoked the operation. The partition is specified by the second field of the ARN.

HTTP Status Code: 400

ThrottledException

The request failed because it exceeded the allowed frequency of submitted requests.

HTTP Status Code: 400

Examples

Sample Amazon S3 policy

Before creating the report, you must grant access for the tag policies service principal to an Amazon S3 bucket for report storage. Attach the following bucket policy to the bucket. The statements in the Condition element ensure that the operations can be performed only by the management account of the specified organization. If you don't know your organization ID or your management account's ID, you can call DescribeOrganization to find it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TagPolicyACL",
      "Effect": "Allow",
      "Principal": {
        "Service": [ "tagpolicies.tag.amazonaws.com" ]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::<your-bucket-name>",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<your-org-management-account-id>",
          "aws:SourceArn": "arn:aws:tag:us-east-1:<your-org-management-account-id>:*"
        }
      }
    },
    {
      "Sid": "TagPolicyBucketDelivery",
      "Effect": "Allow",
      "Principal": {
        "Service": [ "tagpolicies.tag.amazonaws.com" ]
      },
      "Action": [ "s3:PutObject", "s3:PutObjectAcl" ],
      "Resource": "arn:aws:s3:::<your-bucket-name>/AwsTagPolicies/<your-org-id>/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<your-org-management-account-id>",
          "aws:SourceArn": "arn:aws:tag:us-east-1:<your-org-management-account-id>:*"
        }
      }
    }
  ]
}
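The aws:SourceAccount and aws:SourceArn conditions in the sample policy are what stop the service principal from being used as a confused deputy: without them, any account that can get tagpolicies.tag.amazonaws.com to write to S3 could write into your bucket. The script below, an added example that is not part of the AWS documentation, builds the bucket policy from the page's template (scoping writes to the AwsTagPolicies/<org-id>/ prefix), checks the bucket name against the S3Bucket parameter constraints given above (length 3 to 63, pattern [a-z0-9.-]*), and audits an existing policy for statements that grant the service principal without those conditions or beyond the report prefix. The organization ID, account ID and bucket name used in it are constructed placeholders.

```python
"""Build and audit the S3 bucket policy StartReportCreation delivers into.

Added example; the policy template follows the sample bucket policy on this
page. Org ID, account ID and bucket name are constructed placeholders.
"""
import json
import re

TAG_POLICY_PRINCIPAL = "tagpolicies.tag.amazonaws.com"

# Constraints of the S3Bucket request parameter: length 3..63, pattern [a-z0-9.-]*
BUCKET_NAME_RE = re.compile(r"[a-z0-9.-]*")
WRITE_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:*", "*"}


def validate_bucket_name(name: str) -> bool:
    """True when `name` satisfies the documented S3Bucket constraints."""
    return 3 <= len(name) <= 63 and BUCKET_NAME_RE.fullmatch(name) is not None


def build_bucket_policy(bucket: str, org_id: str, mgmt_account_id: str) -> dict:
    """Bucket policy per the page's sample: GetBucketAcl on the bucket and
    PutObject/PutObjectAcl only under the report prefix, both gated on the
    management account via aws:SourceAccount / aws:SourceArn."""
    if not validate_bucket_name(bucket):
        raise ValueError(f"invalid S3Bucket value: {bucket!r}")
    condition = {
        "StringEquals": {
            "aws:SourceAccount": mgmt_account_id,
            "aws:SourceArn": f"arn:aws:tag:us-east-1:{mgmt_account_id}:*",
        }
    }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TagPolicyACL",
                "Effect": "Allow",
                "Principal": {"Service": [TAG_POLICY_PRINCIPAL]},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": condition,
            },
            {
                "Sid": "TagPolicyBucketDelivery",
                "Effect": "Allow",
                "Principal": {"Service": [TAG_POLICY_PRINCIPAL]},
                "Action": ["s3:PutObject", "s3:PutObjectAcl"],
                "Resource": f"arn:aws:s3:::{bucket}/AwsTagPolicies/{org_id}/*",
                "Condition": condition,
            },
        ],
    }


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy: dict, org_id: str, mgmt_account_id: str) -> list:
    """Findings for Allow statements that grant the tag-policy service principal
    without the confused-deputy conditions, or write access outside the report
    prefix. An empty list means the policy matches the documented template."""
    findings = []
    expected_arn = f"arn:aws:tag:us-east-1:{mgmt_account_id}:*"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = ["*"] if principal == "*" else _as_list(principal.get("Service", []))
        if TAG_POLICY_PRINCIPAL not in services and "*" not in services:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if equals.get("aws:SourceAccount") != mgmt_account_id:
            findings.append(f"{sid}: aws:SourceAccount missing or not the management account")
        if equals.get("aws:SourceArn") != expected_arn:
            findings.append(f"{sid}: aws:SourceArn missing or not scoped to the management account")
        if WRITE_ACTIONS & set(_as_list(stmt.get("Action", []))):
            for res in _as_list(stmt.get("Resource", [])):
                if not res.endswith(f"/AwsTagPolicies/{org_id}/*"):
                    findings.append(f"{sid}: write access not limited to the report prefix ({res})")
    return findings


# Constructed weak policy: same principal, no Condition, writes anywhere in the bucket.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooBroad",
        "Effect": "Allow",
        "Principal": {"Service": TAG_POLICY_PRINCIPAL},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::awsexamplebucket/*",
    }],
}

if __name__ == "__main__":
    good = build_bucket_policy("awsexamplebucket", "o-exampleorgid", "111122223333")
    print(json.dumps(good, indent=2))
    print("template policy findings:", audit_bucket_policy(good, "o-exampleorgid", "111122223333"))
    print("weak policy findings:", audit_bucket_policy(WEAK_POLICY, "o-exampleorgid", "111122223333"))
```

Run the audit against the policy you already have on the bucket (for example the output of aws s3api get-bucket-policy) before calling StartReportCreation; a finding on aws:SourceAccount or aws:SourceArn is the case the page's Condition element exists to prevent, and a write grant outside AwsTagPolicies/<org-id>/ gives the service more of the bucket than report delivery needs.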

Sample KMS Key Policy

If you choose to use a customer managed KMS key, you must grant access for the tag policies service principal before creating the report. Add the following Statement to your current KMS key policy. The statements in the Condition element ensure that the operations can be performed only by the management account of the specified organization. If you don't know your organization ID or your organization admin account ID, you can call the DescribeOrganization operation to find it.

...
{
  "Sid": "AllowBucketAccessKMSPolicy",
  "Effect": "Allow",
  "Principal": {
    "Service": "tagpolicies.tag.amazonaws.com"
  },
  "Action": [ "kms:Decrypt", "kms:GenerateDataKey*" ],
  "Resource": "arn:aws:kms:<region>:<your-kms-key-arn>",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "<org-admin-account-id>",
      "aws:SourceArn": "arn:aws:tag:us-east-1:<org-admin-account-id>:*"
    }
  }
}

Example

This example illustrates one usage of StartReportCreation.

Sample Request

POST / HTTP/1.1
Host: tagging.us-east-1.amazonaws.com
Accept-Encoding: identity
Content-Length: 20
X-Amz-Target: ResourceGroupsTaggingAPI_20170126.StartReportCreation
X-Amz-Date: 20191201T214524Z
User-Agent: aws-cli/1.11.79 Python/2.7.9 Windows/7 botocore/1.5.42
Content-Type: application/x-amz-json-1.1
Authorization: AUTHPARAMS

{
  "S3Bucket": "awsexamplebucket"
}

Sample Response

HTTP/1.1 200 OK
x-amzn-RequestID: d3cf21f0-26db-11e7-a532-75e05382c8b1
Content-Type: application/x-amz-json-1.1
Date: Sun, 1 Dec 2019 21:45:25 GMT

{}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: