diff --git a/website/source/docs/auth/aws-ec2.html.md b/website/source/docs/auth/aws-ec2.html.md index 60034dc39..6d328a941 100644 --- a/website/source/docs/auth/aws-ec2.html.md +++ b/website/source/docs/auth/aws-ec2.html.md @@ -40,11 +40,11 @@ security, as detailed later in this documentation. ## Authorization Workflow -The basic mechanism of operaion is per-role. Roles are registered in the -backend and associated with various optional restricitons, such as the set +The basic mechanism of operation is per-role. Roles are registered in the +backend and associated with various optional restrictions, such as the set of allowed policies and max TTLs on the generated tokens. Each role can -be specified with the contraints that are to be met during the login. For -example, currently the contraint that is supported is to bind against AMI +be specified with the constraints that are to be met during the login. For +example, currently the constraint that is supported is to bind against AMI ID. A role which is bound to a specific AMI, can only be used for login by those instances that are deployed on the same AMI. @@ -54,7 +54,7 @@ role entry in the backend can also be associated with a "role tag". These tags are generated by the backend and are placed as the value of a tag with the given key on the EC2 instance. The role tag can be used to further restrict the parameters set on the role, but cannot be used to grant additional privileges. -If a role with AMI bound contraint, has "role tag" enabled on the role, and +If a role with AMI bound constraint, has "role tag" enabled on the role, and the EC2 instance performing login does not have an expected tag on it, or if the tag on the instance is deleted for some reason, authentication fails. @@ -791,7 +791,7 @@ The response will be in JSON. For example:
Description
Registers a role in the backend. Only those instances which are using the role registered using this endpoint, - will be able to perform the login operation. Contraints can be specified on the role, that are applied on the + will be able to perform the login operation. Constraints can be specified on the role, that are applied on the instances attempting to login. Currently only one constraint is supported which is 'bound_ami_id', which must be specified. Going forward, when more than one constraint is supported, the requirement will be to specify at least one constraint, but not necessarily 'bound_ami_id'. @@ -1152,7 +1152,7 @@ The response will be in JSON. For example:
Places a valid role tag in a blacklist. This ensures that the role tag cannot be used by any instance to perform a login operation again. - Note that if the role tag was previousy used to perfom a successful + Note that if the role tag was previously used to perform a successful login, placing the tag in the blacklist does not invalidate the already issued token.
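Review bot: In the hunk at @@ -54,7 +54,7 @@, the corrected line still reads 'If a role with AMI bound constraint, has "role tag" enabled on the role', where the comma separates the subject from its verb and "on the role" repeats the subject. Since this line is already being touched, consider 'If a role with an AMI-bound constraint has "role tag" enabled, and the EC2 instance performing login does not have the expected tag on it, ...'.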
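Review bot: In the hunk at @@ -791,7 +791,7 @@, the corrected sentence "Constraints can be specified on the role, that are applied on the instances attempting to login" still leaves the relative clause detached from "Constraints" and uses "login" as a verb. Suggest "Constraints that are applied to instances attempting to log in can be specified on the role."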
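Review bot: In the hunk at @@ -1152,7 +1152,7 @@, the "Note that ..." sentence carries the security-relevant caveat of this endpoint (blacklisting a role tag does not invalidate a token already issued from a login with that tag), but it stops without telling the operator what to do about that token. Consider adding a sentence stating that a token already issued has to be revoked separately, and setting the caveat apart from the description text so it is not read past.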