Update connect-aws-configure-environment.md

guywi-ms · guywi-ms · commit 3d1a6b84b867 · 2025-06-18T09:55:30.000+03:00
diff --git a/articles/sentinel/connect-aws-configure-environment.md b/articles/sentinel/connect-aws-configure-environment.md
@@ -47,11 +47,11 @@ This diagram shows how to set up your AWS environment to send logs to Azure:
 
 ### Manual setup
 
-Although you can set up the AWS environment manually, as described below, we strongly recommend using the automated tools provided when you [deploy AWS connectors](#4-deploy-aws-connectors) instead.
+Although you can set up the AWS environment manually, as described in this section, we strongly recommend using the automated tools provided when you [deploy AWS connectors](#4-deploy-aws-connectors) instead.
 
 #### 1. Create an S3 bucket and SQS queue
 
-1. Create an **S3 bucket** to which you'll ship the logs from your AWS services - VPC, GuardDuty, CloudTrail, or CloudWatch.
+1. Create an **S3 bucket** to which you can send the logs from your AWS services - VPC, GuardDuty, CloudTrail, or CloudWatch.
 
    See the [instructions to create an S3 storage bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the AWS documentation.
 
@@ -72,7 +72,7 @@ Follow these instructions in the AWS documentation:<br>[Creating OpenID Connect
 
 | Parameter | Selection/Value | Comments |
 | - | - | - |
-| **Client ID** | - | Ignore this, you already have it. See **Audience** line below. |
+| **Client ID** | - | Ignore this, you already have it. See **Audience**. |
 | **Provider type** | *OpenID Connect* | Instead of default *SAML*.|
 | **Provider URL** | Commercial:<br>`sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/`<br><br>Government:<br>`sts.windows.net/cab8a31a-1906-4287-a0d8-4eef66b95f6e/` |  |
 | **Thumbprint** | `626d44e704d1ceabe3bf0d53397464ac8080142c` | If created in the IAM console, selecting **Get thumbprint** should give you this result. |
@@ -88,12 +88,12 @@ Follow these instructions in the AWS documentation:<br>[Creating OpenID Connect
    | **Identity provider** | Commercial:<br>`sts.windows.net/33e01921-4d64-4f8c-a055-5bdaffd5e33d/`<br><br>Government:<br>`sts.windows.net/cab8a31a-1906-4287-a0d8-4eef66b95f6e/` | The provider you created in the previous step. |
    | **Audience** | Commercial:<br>`api://1462b192-27f7-4cb9-8523-0f4ecb54b47e`<br><br>Government:<br>`api://d4230588-5f84-4281-a9c7-2c15194b28f7` | The audience you defined for the identity provider in the previous step. |
    | **Permissions to assign** | <ul><li>`AmazonSQSReadOnlyAccess`<li>`AWSLambdaSQSQueueExecutionRole`<li>`AmazonS3ReadOnlyAccess`<li>`ROSAKMSProviderPolicy`<li>Other policies for ingesting the different types of AWS service logs | For information on these policies, see the relevant AWS S3 connector permissions policies page, in the Microsoft Sentinel GitHub repository.<ul><li>[AWS Commercial S3 connector permissions policies page](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/AwsRequiredPolicies.md)<li>[AWS Government S3 connector permissions policies page](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/AwsRequiredPoliciesForGov.md)|
-   | **Name** | "OIDC_*MicrosoftSentinelRole*"| Choose a meaningful name that includes a reference to Microsoft Sentinel.<br><br>The name must include the exact prefix `OIDC_`, otherwise the connector won't function properly. |
+   | **Name** | "OIDC_*MicrosoftSentinelRole*"| Choose a meaningful name that includes a reference to Microsoft Sentinel.<br><br>The name must include the exact prefix `OIDC_`; otherwise, the connector can't function properly. |
    
 1. Edit the new role's trust policy and add another condition:<br>`"sts:RoleSessionName": "MicrosoftSentinel_{WORKSPACE_ID)"`
 
    > [!IMPORTANT]
-   > The value of the `sts:RoleSessionName` parameter must have the exact prefix `MicrosoftSentinel_`, otherwise the connector won't function properly.
+   > The value of the `sts:RoleSessionName` parameter must have the exact prefix `MicrosoftSentinel_`; otherwise the connector doesn't function properly.
 
    The finished trust policy should look like this:
 
@@ -125,7 +125,7 @@ Follow these instructions in the AWS documentation:<br>[Creating OpenID Connect
 
 #### Configure AWS services to export logs to an S3 bucket
 
-See Amazon Web Services documentation (linked below) for the instructions for sending each type of log to your S3 bucket:
+See the linked Amazon Web Services documentation for instructions for sending each type of log to your S3 bucket:
 
 - [Publish a VPC flow log to an S3 bucket](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html).
 
