doc: clarify default admin role usage

iru · web-flow · commit fbe5b7f615b5 · 2022-04-01T22:09:34.000+02:00
diff --git a/examples/organizational/README.md b/examples/organizational/README.md
@@ -23,10 +23,17 @@ Minimum requirements:
 2. Configure [Terraform **AWS** Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) for the `management` account of the organization
     * This provider credentials must be [able to manage cloudtrail creation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html)
       > You must be logged in with the management account for the organization to create an organization trail. You must also have sufficient permissions for the IAM user or role in the management account to successfully create an organization trail.
-    * When an account is created within an organization, AWS will create an `OrganizationAccountAccessRole` [for account management](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html), which Sysdig Secure for Cloud will use for member-account provisioning and role assuming.
-    * However, when the account is invited into the organization, it's required to [create the role manually](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role)
-      > You have to do this manually, as shown in the following procedure. This essentially duplicates the role automatically set up for created accounts. We recommend that you use the same name, OrganizationAccountAccessRole, for your manually created roles for consistency and ease of remembering.
-    * If role name, `OrganizationAccountAccessRole` wants to be modified, it must be done both on the `aws` member-account provider AND input value `organizational_member_default_admin_role`
+      
+3. Organizational Multi-Account Setup
+    * An specific role is required, to enable Sysdig to impersonate and be able to provide
+      * For the scanning feature, the ability to pull ECR hosted images when they're allocated in a different account
+      * A solution to resolve current limitation when accessing an S3 bucket in a different region than where it's being called from
+    * By default, it uses [AWS created default role `OrganizationAccountAccessRole`](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html)
+      * When an account is created within an organization, AWS will create an `OrganizationAccountAccessRole` [for account management](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html), which Sysdig Secure for Cloud will use for member-account provisioning and role assuming.
+      * However, when the account is invited into the organization, it's required to [create the role manually](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role)
+        > You have to do this manually, as shown in the following procedure. This essentially duplicates the role automatically set up for created accounts. We recommend that you use the same name, OrganizationAccountAccessRole, for your manually created roles for consistency and ease of remembering.
+      * If role name, `OrganizationAccountAccessRole` wants to be modified, it must be done both on the `aws` member-account provider AND input value `organizational_member_default_admin_role`
+
 3. Provide a member **account ID for Sysdig Secure for Cloud workload** to be deployed.
    Our recommendation is for this account to be empty, so that deployed resources are not mixed up with your workload.
    This input must be provided as terraform required input value
@@ -39,25 +46,29 @@ Minimum requirements:
     ```
 
 
-## Permission Summary
+## Role Summary
 
 Permission requirement for this example comes as follows
 
 - **management account**
     - terraform aws provider: default
     - `SysdigSecureForCloudRole` will be created
-      - used by Sysdig to subscribe to cloudtrail-sns
+      - used by Sysdig to subscribe to cloudtrail events
       - used by Sysdig to be able to jump to several member accounts to pull ECR hosted images through the `OrganizationAccountAccessRole` role
+      - assumming previous role will also enable the access of cloudtrail s3 buckets when they are in a different region than were the terraform module is deployed
+      
     - `SysdigCloudBench` role will be created for SecurityAudit read-only purpose, used by Sysdig to benchmark
+    
 - **member accounts**
     - terraform aws provider: 'member' aliased
       - this provider can be configured as desired, we just provide a default option
-    - requires [`OrganizationAccountAccessRole`](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html) default role created by AWS for managed-account users to be able to admin member accounts
+    - by default, we suggest using an assumeRole to the [AWS created default role `OrganizationAccountAccessRole`](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html)
       - if this role does not exist provide input var `organizational_member_default_admin_role` with the role
     - `SysdigCloudBench` role will be created for SecurityAudit read-only purpose, used by Sysdig to benchmark
-    - **sysdig member account workload**
-      - if ECS workload is deployed, `ECSTaskRole` will be used to define its permissions
-        - used by Sysdig to assumeRole on management account `SysdigSecureForCloudRole` and other organizations `OrganizationAccountAccessRole`
+    
+- **sysdig workload member account**
+  - if ECS workload is deployed, `ECSTaskRole` will be used to define its permissions
+    - used by Sysdig to assumeRole on management account `SysdigSecureForCloudRole` and other organizations `OrganizationAccountAccessRole`
 
 ## Notice
 
