Table of contents
1. Introduction
2. AWS Artifact
3. Downloading reports
4. Managing Agreements
4.1. Managing an agreement for a single account
4.1.1. Accepting an agreement with AWS
4.1.2. Terminating an agreement with AWS
4.2. Managing an agreement for multiple accounts
4.2.1. Accepting an agreement with AWS
4.2.2. Terminating an agreement with AWS
4.3. Existing offline agreement
5. Identity and Access Management
5.1. Create IAM users and grant them AWS Artifact access
5.1.1. Creating IAM Policy
5.1.2. Creating an IAM group and attaching the policy
5.1.3. Creating IAM users and adding them to the group
5.2. IAM policies Example
5.2.1. Examples of report management policies
5.2.2. Policy examples for managing agreements
5.2.3. Policy examples for integrating with AWS Organizations
5.2.4. Examples of policies to handle agreements
5.2.5. Policies to Manage Organizational Agreements
5.3. Cross-service confused deputy prevention
6. Frequently Asked Questions
6.1. What is AWS?
6.2. What is AWS Artifact?
6.3. What are the agreements that AWS Artifact can manage?
7. Conclusion
Last Updated: Mar 27, 2024

AWS Artifact

Author Nagendra

Introduction

Amazon Web Services (AWS) is the most comprehensive and widely used cloud platform in the world, with over 200 fully featured services delivered from data centres. AWS lets application providers, ISVs, and vendors host their applications quickly and securely, whether they are existing applications or new SaaS-based ones. Users can reach the AWS hosting platform through the AWS Management Console or the well-documented web service APIs. Working with AWS also builds credibility that helps career progression, and an AWS Cloud Architect works with engineers, partners, and technical management in much the same way as with customers. In this article, we will discuss the details of AWS Artifact.

AWS Artifact

AWS Artifact lets you download AWS security and compliance documents on demand, including AWS ISO certifications and Service Organization Control (SOC) reports. You can give these documents (also known as audit artefacts) to your auditors or regulators to demonstrate the security and compliance of the AWS infrastructure and services you use. You can also use them as a guide when assessing the effectiveness of your company's internal controls and evaluating your own cloud infrastructure. Only documents about AWS are available in AWS Artifact.
AWS customers are responsible for creating or obtaining the documents that demonstrate their own company's security and compliance. AWS Artifact can also be used to review, accept, and track AWS agreements such as the Business Associate Addendum (BAA).

Downloading reports

You can download reports from the AWS Artifact console. Each AWS Artifact report carries a unique watermark, so share reports only with people you know and trust. Do not send the reports as attachments or distribute them on the internet; use a secure sharing service such as Amazon WorkDocs instead. Before you can download a report, you must agree to its Terms & Conditions. Adobe Acrobat Reader is required to download reports; other PDF readers will not work.

  • Go to https://console.aws.amazon.com/artifact/ to access the AWS Artifact console.
  • Select View reports from the AWS Artifact home page.
  • (Optional) To find a report, type a term into the search field.
  • Choose Download report after selecting a report.
  • You may be prompted to agree to terms and conditions related to the report you are downloading. Read them carefully. When you're done, select I've read and agree to all of the terms, then Accept terms and download.

Managing Agreements

You may use the AWS Management Console to evaluate, accept, and manage agreements for your account or business with AWS Artifact Agreements. For firms subject to the Health Insurance Portability and Accountability Act (HIPAA), a Business Associate Addendum (BAA) agreement is normally necessary to ensure that protected health information (PHI) is correctly maintained. You can accept an agreement, such as the BAA with AWS, and designate an AWS account that can lawfully process PHI using AWS Artifact. You can accept agreements like the AWS BAA on behalf of all accounts in your organisation if you use AWS Organizations. The agreement instantly covers all existing and subsequent member accounts, allowing them to legally process PHI.
You can also utilise AWS Artifact to verify that your AWS account or organisation has accepted an agreement and to study the contents of the approved agreement to ensure that you are aware of your responsibilities. If your account or organisation no longer requires the accepted agreement, you can terminate it using AWS Artifact. You can reactivate the agreement if you cancel it and subsequently discover you need it.

Managing an agreement for a single account

Accepting an agreement with AWS

It is recommended to consult your legal, privacy, and compliance teams before accepting an agreement.

Permissions Required

As an account administrator, you can grant IAM users and federated users (through roles) permission to access and manage one or more of your agreements. By default, only users with administrator access can accept an agreement. IAM and federated users must have the following permissions to accept an agreement:

artifact:DownloadAgreement
artifact:AcceptAgreement

Steps to accept an agreement with AWS

  • Go to https://console.aws.amazon.com/artifact/ to access the AWS Artifact console.
  • Choose Agreements from the AWS Artifact navigation pane.
  • Select the Account Agreements tab from the drop-down menu.
  • Expand the agreement's section.
  • Select Download and Review.
  • Read the terms and conditions before proceeding. Choose Accept and Download when you're done.
  • After reading the agreement, select the checkboxes to indicate that you agree.
  • To accept the agreement for your account, select Accept.

Terminating an agreement with AWS

You can utilise the AWS Artifact console to terminate an agreement that you accepted using the console. Otherwise, check the section on Offline Agreements.

Permissions Required

IAM and federated users must have the following permissions to terminate an agreement:

artifact:TerminateAgreement

Steps to terminate an agreement with AWS

  • Go to https://console.aws.amazon.com/artifact/ to access the AWS Artifact console.
  • Choose Agreements from the AWS Artifact navigation pane.
  • Select the Account Agreements tab from the drop-down menu.
  • Choose Terminate agreement after selecting the agreement.
  • To confirm that you agree to terminate the agreement, select all of the checkboxes.
  • Select Terminate. Choose Terminate when prompted for confirmation.

Managing an agreement for multiple accounts

Users can accept an agreement on behalf of all accounts in your AWS Organizations organisation through the management account. To accept or terminate organisation agreements, you must be signed in to the management account with the appropriate AWS Artifact permissions. Users with the organizations:DescribeOrganization permission on their member accounts can view the organisation agreements that have been accepted on their behalf.
If your account is not already a member of an organisation, you can create or join one by following the procedures in the Creating and managing an organisation section of the AWS Organizations User Guide.

Accepting an agreement with AWS

It is recommended to consult your legal, privacy, and compliance teams before accepting an agreement.

Permissions Required

To accept an agreement, the management account user must have the following permissions:

artifact:DownloadAgreement
artifact:AcceptAgreement
organizations:DescribeOrganization 
organizations:EnableAWSServiceAccess 
organizations:ListAWSServiceAccessForOrganization
iam:ListRoles 
iam:CreateRole 
iam:AttachRolePolicy

Steps to accept an agreement with AWS

  • Go to https://console.aws.amazon.com/artifact/ to access the AWS Artifact console.
  • Choose Agreements from the AWS Artifact navigation pane.
  • Select the Account Agreements tab from the drop-down menu.
  • Expand the agreement's section.
  • Select Download and Review.
  • Read the terms and conditions before proceeding. Choose Accept and Download when you're done.
  • After reading the agreement, select the checkboxes to indicate that you agree.
  • To accept the agreement for your account, select Accept.

Terminating an agreement with AWS

You can use the AWS Artifact console to terminate an agreement that you accepted on behalf of all member accounts in an organisation using the console.

Permissions Required

The management account must have the following permissions to terminate an agreement:

artifact:DownloadAgreement
artifact:TerminateAgreement
organizations:DescribeOrganization 
organizations:EnableAWSServiceAccess 
organizations:ListAWSServiceAccessForOrganization
iam:ListRoles 
iam:CreateRole 
iam:AttachRolePolicy

Steps to terminate an agreement with AWS

  • Go to https://console.aws.amazon.com/artifact/ to access the AWS Artifact console.
  • Choose Agreements from the AWS Artifact navigation pane.
  • Select the Account Agreements tab from the drop-down menu.
  • Choose Terminate agreement after selecting the agreement.
  • To confirm that you agree to terminate the agreement, select all of the checkboxes.
  • Select Terminate. Choose Terminate when prompted for confirmation.

Existing offline agreement

AWS Artifact displays the agreements that you accepted offline. For example, the console might show an Offline Business Associate Addendum with an Active status; the Active status indicates that the agreement has been accepted. To end an offline agreement, see the termination terms and procedures in your agreement.
If your account is the management account, you can use AWS Artifact to apply the terms of your offline agreement to all accounts in your AWS Organizations organisation. You must have the following permissions to apply an agreement that you accepted offline to your organisation and all of its accounts:

organizations:DescribeOrganization 
organizations:EnableAWSServiceAccess 
organizations:ListAWSServiceAccessForOrganization
iam:ListRoles 
iam:CreateRole 
iam:AttachRolePolicy

If your account is a member account in an organisation, you must have the following permission to view your offline organisation agreements:

organizations:DescribeOrganization

Identity and Access Management

When you sign up for AWS, you provide an email address and a password for your account. These are your root credentials, and they grant full access to all of your AWS resources, including AWS Artifact resources. AWS strongly advises against using the root account for everyday access, and against sharing your account credentials with anyone unless you want them to have full access to your account.

Instead of signing in with root credentials or sharing them with others, create an IAM user for yourself. You can then give each user individual sign-in credentials and grant only the permissions they need to work with specific documents. Creating an IAM group and adding IAM users to it grants the same permissions to several IAM users at once.

If you already manage user identities outside of AWS, you can use IAM identity providers instead of creating IAM users.

Create IAM users and grant them AWS Artifact access

Complete the steps below to grant users AWS Artifact permissions appropriate to the level of access they require.

Tasks

  • Creating an IAM policy
  • Create an IAM group and attach the policy
  • Create IAM users and add them to the group

Creating IAM Policy

As an IAM administrator, you can create a policy that grants permissions to AWS Artifact actions and resources.
Follow the steps below to create an IAM policy that you can attach to your IAM users and groups.

  • Go to https://console.aws.amazon.com/iam/ to access the IAM console.
  • Choose Policies from the navigation pane.
  • Choose Create policy.
  • Choose the JSON tab.
  • Enter a policy document. You can write your own policy or use one of the examples in the IAM policies Example section below.
  • Choose Review policy. The policy validator reports any syntax errors.
  • On the Review policy page, enter a unique name for the policy that helps you remember its purpose. You may also add a brief description.
  • Choose Create policy.

Creating an IAM group and attaching the policy

As an IAM administrator, you can create a group and attach the policy you created to it. You can add IAM users to the group at any time.

Steps to create an IAM group and attach your policy:

  • Choose Groups from the navigation window, then Create New Group.
  • Choose Next Step after entering a name for your group in Group Name.
  • Enter the name of the policy you generated in the search area. Choose Next Step after checking the box for your policy.
  • Examine the name of the group and its policies. Choose Create Group when you're ready.

Creating IAM users and adding them to the group

As an IAM administrator, you can add users to a group at any time. This gives the users the group's permissions.

Steps to create an IAM user and add it to a group

  • Choose Users from the navigation pane, then Add user.
  • Enter the user names in the User name field.
  • Select AWS Management Console access. Choose a custom or auto-generated password. Optionally select Require password reset so that the user must create a new password at the next sign-in.
  • Choose Next: Permissions.
  • Choose Add user to group, then select the group you created.
  • Choose Next: Tags. You can tag your users if you want to.
  • Choose Next: Review. When you're ready, choose Create user.

IAM policies Example

You can create permissions policies to grant IAM users permissions. You can give users access to AWS Artifact reports and the ability to accept and download agreements on behalf of a single account or an organisation.
The following example policies show permissions that can be assigned to IAM users based on the level of access they require.

Examples of report management policies

Permission to download all reports is granted by the following policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:Get"
            ],
            "Resource": [
                "arn:aws:artifact:::report-package/*"
            ]
        }
    ]
}

The following policy allows only the SOC, PCI, and ISO reports to be downloaded.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:Get"
            ],
            "Resource": [
                "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
                "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
                "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"
            ]
        }
    ]
}

Policy examples for managing agreements

Permission to download all agreements is granted by the following policy. This permission is also required for IAM users to accept agreements.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:DownloadAgreement"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

The following policy authorises the acceptance of an agreement.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:AcceptAgreement",
                "artifact:DownloadAgreement"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

The following policy authorises the termination of an agreement.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:TerminateAgreement"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

The following policy grants permission to manage single-account agreements.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:AcceptAgreement",
                "artifact:DownloadAgreement",
                "artifact:TerminateAgreement"
            ],
            "Resource": [
                "arn:aws:artifact::*:customer-agreement/*",
                "arn:aws:artifact:::agreement/*"
            ]
        }
    ]
}

Policy examples for integrating with AWS Organizations

The following policy grants permission to create the IAM role that AWS Artifact uses to integrate with AWS Organizations. To get started with organisational agreements, your organisation's management account must have these permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync"
        },
        {
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync",
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyARN": "arn:aws:iam::aws:policy/service-role/AWSArtifactAccountSync"
                }
            }
        }
    ]
}

The following policy grants the AWS Organizations permissions that AWS Artifact needs. To get started with organisational agreements, your organisation's management account must have these permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "organizations:EnableAWSServiceAccess",
                "organizations:DescribeOrganization",
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "*"
        }
    ]
}

Examples of policies to handle agreements

The following policy grants the management account permissions to manage agreements.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:AcceptAgreement",
                "artifact:DownloadAgreement",
                "artifact:TerminateAgreement"
            ],
            "Resource": [
                "arn:aws:artifact::*:customer-agreement/*",
                "arn:aws:artifact:::agreement/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListRoles",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync"
        },
        {
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync",
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyARN": "arn:aws:iam::aws:policy/service-role/AWSArtifactAccountSync"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:EnableAWSServiceAccess",
                "organizations:ListAccounts",
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "*"
        }
    ]
}

Policies to Manage Organizational Agreements

The following policy grants permission to manage organisational agreements. The organisational agreements must first be set up by someone with the necessary permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:AcceptAgreement",
                "artifact:DownloadAgreement",
                "artifact:TerminateAgreement"
            ],
            "Resource": [
                "arn:aws:artifact::*:customer-agreement/*",
                "arn:aws:artifact:::agreement/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization"
            ],
            "Resource": "*"
        }
    ]
}

The following policy grants permission to view organisational agreements.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:DownloadAgreement"
            ],
            "Resource": [
                "arn:aws:artifact::*:customer-agreement/*",
                "arn:aws:artifact:::agreement/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization"
            ],
            "Resource": "*"
        }
    ]
}
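
The example policies above are easy to misread by eye, especially when checking whether a policy actually covers one of the "Permissions Required" lists earlier in this article. The following Python script is an added example, not code from AWS or from this article: it embeds the article's single-account and management-account policies as Python dictionaries, checks which required actions each one grants, and flags two least-privilege problems (a wildcard in Action, and iam:AttachRolePolicy without the iam:PolicyARN condition that the article's policies use to pin the role to the AWSArtifactAccountSync managed policy). It evaluates only Allow statements and the Action element; Resource ARNs, Deny statements and NotAction are deliberately out of scope, so a clean result is a necessary check, not a full IAM simulation.

```python
"""Offline checks for the AWS Artifact IAM policies shown in this article.

Added example, not AWS or Coding Ninjas code. Only Allow statements and the
Action element are evaluated; Resource ARNs, Deny and NotAction are ignored.
"""
import copy
import fnmatch

# Permission sets copied from the article's "Permissions Required" lists.
REQUIRED = {
    "accept_agreement_single": {"artifact:DownloadAgreement", "artifact:AcceptAgreement"},
    "terminate_agreement_single": {"artifact:TerminateAgreement"},
    "accept_agreement_org": {
        "artifact:DownloadAgreement", "artifact:AcceptAgreement",
        "organizations:DescribeOrganization", "organizations:EnableAWSServiceAccess",
        "organizations:ListAWSServiceAccessForOrganization",
        "iam:ListRoles", "iam:CreateRole", "iam:AttachRolePolicy",
    },
}

ROLE = "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync"
MANAGED = "arn:aws:iam::aws:policy/service-role/AWSArtifactAccountSync"

# The article's "single-account agreements" policy.
SINGLE_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["artifact:AcceptAgreement", "artifact:DownloadAgreement",
                   "artifact:TerminateAgreement"],
        "Resource": ["arn:aws:artifact::*:customer-agreement/*",
                     "arn:aws:artifact:::agreement/*"],
    }],
}

# The article's management-account policy for organisational agreements.
ORG_MANAGEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        SINGLE_ACCOUNT_POLICY["Statement"][0],
        {"Effect": "Allow", "Action": "iam:ListRoles", "Resource": "arn:aws:iam::*:role/*"},
        {"Effect": "Allow", "Action": "iam:CreateRole", "Resource": ROLE},
        {"Effect": "Allow", "Action": "iam:AttachRolePolicy", "Resource": ROLE,
         "Condition": {"ArnEquals": {"iam:PolicyARN": MANAGED}}},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "organizations:DescribeOrganization", "organizations:EnableAWSServiceAccess",
            "organizations:ListAccounts", "organizations:ListAWSServiceAccessForOrganization"]},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def action_matches(pattern, action):
    """IAM action names are matched case-insensitively and '*' is a wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_action_allowed(policy, action):
    """True if some Allow statement's Action element covers the action."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if any(action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            return True
    return False


def missing_permissions(policy, required):
    """Required actions the policy does not grant, sorted for stable output."""
    return sorted(a for a in required if not is_action_allowed(policy, a))


def lint(policy):
    """Least-privilege findings: wildcard actions, and iam:AttachRolePolicy that is
    not pinned to a specific managed policy through an iam:PolicyARN condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any("*" in a for a in actions):
            findings.append(f"statement {i}: wildcard in Action {actions}")
        if any(action_matches(a, "iam:AttachRolePolicy") for a in actions):
            keys = {k for block in stmt.get("Condition", {}).values() for k in block}
            if "iam:PolicyARN" not in keys:
                findings.append(
                    f"statement {i}: iam:AttachRolePolicy without an iam:PolicyARN condition")
    return findings


def without_condition(policy, index):
    """Copy of the policy with one statement's Condition removed (to exercise the linter)."""
    weakened = copy.deepcopy(policy)
    weakened["Statement"][index].pop("Condition", None)
    return weakened


if __name__ == "__main__":
    print("single-account policy, missing for org agreements:",
          missing_permissions(SINGLE_ACCOUNT_POLICY, REQUIRED["accept_agreement_org"]))
    print("management policy findings:", lint(ORG_MANAGEMENT_POLICY))
    print("with the ArnEquals condition removed:",
          lint(without_condition(ORG_MANAGEMENT_POLICY, 3)))
```

Run stand-alone, the script shows that the single-account policy lacks all six iam: and organizations: actions the management account needs, that the article's management-account policy passes both checks, and that dropping the ArnEquals condition from the iam:AttachRolePolicy statement produces a finding, since the role could then be given any policy rather than only the AWSArtifactAccountSync managed policy.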

Cross-service confused deputy prevention

The confused deputy problem is a security issue in which an entity that lacks permission to perform an action can coerce a more privileged entity into performing it. In AWS, cross-service impersonation can lead to the confused deputy problem. Cross-service impersonation occurs when one service (the calling service) calls another service (the called service), and the calling service can be manipulated into using its permissions to act on another customer's resources in a way it otherwise would not be allowed to. To prevent this, AWS provides tools that help you protect your data for all services whose service principals have been granted access to resources in your account. When trusted access between AWS Artifact and AWS Organizations is enabled, AWS creates a role in your account with a trust policy that restricts who can assume that role.
In the trust policy, AWS uses the global condition context keys aws:SourceArn and aws:SourceAccount to limit the entities that can assume the service role it creates in your account. When both keys are used, the account ID in the aws:SourceAccount value and the account ID in the aws:SourceArn value must be the same.
When you enable trusted access between AWS Artifact and AWS Organizations, AWS generates a trust policy for the role like the one below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "aws-artifact-account-sync.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:artifact:us-west-2:00117294401"
                },
                "StringEquals": {
                    "aws:SourceAccount": "00117294401"
                }
            }
        }
    ]
}
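
To make concrete why the two condition keys stop a confused deputy, the following Python script is an added example (not AWS code) that models how the trust policy above is evaluated for an sts:AssumeRole request. It embeds the trust policy with the same account ID the article shows, then runs three constructed request contexts through a small evaluator: a call from the AWS Artifact service principal on behalf of this account, a call from the same service principal on behalf of a different (constructed) customer account, and a call that carries no source context at all. The evaluator models only what the trust policy uses (the service principal check and the StringEquals and ArnEquals operators) and is not a general IAM policy engine; it also checks the rule the article states, that the account in aws:SourceArn must equal aws:SourceAccount.

```python
"""Model of how the AWSArtifactAccountSync trust policy gates sts:AssumeRole.

Added example, not AWS code. Covers only the service-principal check and the
StringEquals / ArnEquals operators that the trust policy uses.
"""
import fnmatch

# Trust policy as shown in the article (same account ID as the article's example).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "aws-artifact-account-sync.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "ArnEquals": {"aws:SourceArn": "arn:aws:artifact:us-west-2:00117294401"},
            "StringEquals": {"aws:SourceAccount": "00117294401"},
        },
    }],
}

# Constructed request contexts: the keys IAM would populate for a service-to-service call.
LEGITIMATE_CALL = {
    "principal_service": "aws-artifact-account-sync.amazonaws.com",
    "aws:SourceArn": "arn:aws:artifact:us-west-2:00117294401",
    "aws:SourceAccount": "00117294401",
}
# Same service principal, but acting for a different customer account (constructed ID).
OTHER_CUSTOMER_CALL = {
    "principal_service": "aws-artifact-account-sync.amazonaws.com",
    "aws:SourceArn": "arn:aws:artifact:us-west-2:999988887777",
    "aws:SourceAccount": "999988887777",
}
# A call from the service principal that carries no source context at all.
NO_SOURCE_CALL = {"principal_service": "aws-artifact-account-sync.amazonaws.com"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Service; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _condition_holds(operator, key, expected, context):
    """A key absent from the request context never satisfies StringEquals or ArnEquals."""
    actual = context.get(key)
    if actual is None:
        return False
    if operator == "StringEquals":
        return actual == expected
    if operator == "ArnEquals":
        # ArnEquals allows '*' and '?' in the policy value; fnmatch models that.
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"operator {operator} not modelled")


def assume_role_allowed(trust_policy, context):
    """True if an Allow statement for sts:AssumeRole names the caller's service
    principal and every condition in that statement holds for the request context."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service"))
        if context.get("principal_service") not in services:
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, key, expected, context)
               for op, block in conditions.items() for key, expected in block.items()):
            return True
    return False


def source_keys_consistent(trust_policy):
    """The rule the article states: the account in aws:SourceArn must equal aws:SourceAccount."""
    for stmt in _as_list(trust_policy.get("Statement")):
        cond = stmt.get("Condition", {})
        arn = cond.get("ArnEquals", {}).get("aws:SourceArn")
        account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        if arn is None or account is None:
            return False
        # ARN layout: arn:partition:service:region:account-id[:resource]
        if arn.split(":")[4] != account:
            return False
    return True


if __name__ == "__main__":
    print("legitimate call:", assume_role_allowed(TRUST_POLICY, LEGITIMATE_CALL))
    print("other customer's account:", assume_role_allowed(TRUST_POLICY, OTHER_CUSTOMER_CALL))
    print("no source context:", assume_role_allowed(TRUST_POLICY, NO_SOURCE_CALL))
    print("SourceArn/SourceAccount consistent:", source_keys_consistent(TRUST_POLICY))
```

Only the first call is allowed: the service principal matches in all three cases, but the second fails both conditions because the source account differs, and the third fails because the condition keys are missing from the request, which IAM treats as a non-match for these operators. That is the whole point of the two keys: the service can only assume the role while acting for this account.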

Frequently Asked Questions

What is AWS?

Amazon Web Services (AWS) is the most comprehensive and widely used cloud platform in the world, with over 200 fully-featured services delivered from data centers.

What is AWS Artifact?

AWS Artifact allows you to download AWS security and compliance documents on demand, including AWS ISO certifications and Service Organization Control (SOC) reports.

What are the agreements that AWS Artifact can manage? 

AWS Artifact can manage agreements for a single account, for multiple accounts in an organisation, and existing offline agreements.

Conclusion

In this article, we have extensively discussed AWS Artifact. The article explains the details of AWS Artifact, downloading reports, managing agreements, and identity and access management.
We hope that this blog has helped you enhance your knowledge regarding AWS Artifact. If you would like to learn more, check out our articles on Amazon Web Services (AWS). You can refer to our guided paths on the Coding Ninjas Studio platform to learn more about DSA, DBMS, Competitive Programming, Python, Java, JavaScript, etc. To practice and improve yourself for interviews, you can check out Top 100 SQL problems, Interview experience, Coding interview questions, and the Ultimate guide path for interviews.
Do upvote our blog to help other ninjas grow. 

Happy Coding!!
