# Generating compliance and resilience posture reports **Prerequisites** Before you can generate a report, your service must have: + A **report output configuration** specifying the Amazon S3 bucket where reports are delivered. + An **invoker role** that trusts the the next generation of Resilience Hub service and has permission to write to the configured Amazon S3 bucket. + At least one **completed assessment** with a status of `SUCCESS`. You can configure report outputs when creating or updating a service: ``` aws resiliencehubv2 update-service \ --service-arn "arn:aws:resiliencehub:us-east-1:123456789012:service/my-service:abc123" \ --report-configuration '{"reportOutputs": [{"s3": {"bucketPath": "my-report-bucket", "bucketOwner": "123456789012"}}]}' ``` The invoker role must have a permissions policy that grants `s3:PutObject` on the target bucket. The following example shows the minimum required policy. ``` { "Version": "2012-10-17" , "Statement": [ { "Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-report-bucket/*" } ] } ``` **Note** If your bucket uses a prefix in the `bucketPath` (for example, `my-report-bucket/reports`), scope the resource accordingly (for example, `arn:aws:s3:::my-report-bucket/reports/*`). **Note** If your Amazon S3 bucket is configured with SSE-KMS encryption, the invoker role also needs `kms:GenerateDataKey` and `kms:Encrypt` permissions on the bucket's KMS key. **Generating a failure mode assessment report** To generate a report after running an assessment: 1. Navigate to your service. 1. Choose the **Assessment** tab. 1. Choose **Generate report**. **Viewing reports** In the left-hand navigation, choose **Reports**. The reports page shows all generated failure mode assessment reports that you have access to. You can view, download, or share reports from this page.