AWS Artifact Cheat Sheet

• AWS Artifact is a legally binding, self-service portal that provides on-demand access to AWS’ compliance reports and select online agreements. It serves as your central repository for audit artifacts, allowing you to demonstrate to auditors or regulators that your AWS infrastructure meets specific security and compliance standards.

  Overview & Key Capabilities

  • Central Compliance Repository: A single location to download audit artifacts and manage agreements.

  • Audit Artifacts: Evidence (reports, certifications) that validates AWS security controls are effective and compliant.

  • Legal Agreements: Review, accept, and manage contracts like the Business Associate Addendum (BAA) for HIPAA.

  • Third-Party Visibility: Access security documents for Independent Software Vendors (ISVs) via AWS Marketplace.

AWS Artifact Agreements & Access Control

1. Access & Permissions

• Default Access: Root users and IAM Administrators have automatic access to download artifacts and accept agreements.

• IAM Users: Non-admin users must be granted explicit IAM permissions (e.g., artifact:DownloadAgreement) to view or download documents.

• Prerequisite: To use Organization-level agreements, your AWS Organization must be enabled for “All Features” (not just Consolidated Billing).

2. Key Agreement Types

• Nondisclosure Agreement (NDA): Often required before you can view confidential AWS audit reports.

• Business Associate Addendum (BAA):

  • Required for companies subject to HIPAA handling Protected Health Information (PHI).

  • Accepting this instantly designates your account(s) as a HIPAA Account.

• Regional Agreements: Covers local regulations, such as the Australian Notifiable Data Breach (ANDB) Addendum.

Pro Tip: Do not confuse AWS Artifact Agreements (Compliance/Legal) with the AWS Marketplace Agreements service (Commercial/Pricing contracts for software).

Understanding the hierarchy between an individual account and an AWS Organization is a frequent exam topic

Lifecycle & Termination Logic

• Simultaneous Agreements: An account can have both an individual agreement and be covered by an organization agreement at the same time.
• Leaving an Organization: If a member account leaves the Organization (or is removed), all Organization Agreements accepted on its behalf immediately cease to apply. The account reverts to its individual status.
• Termination:
  • Terminating an Organization Agreement removes coverage for all member accounts (unless they have their own Account Agreement).
  • Terminating an Organization Agreement does not automatically terminate a specific Account Agreement (and vice versa).

Limits & Restrictions

• Unique Watermarking: Every downloaded report contains a unique, traceable watermark specific to your account.

• Sharing Restrictions: You generally cannot share these documents publicly (e.g., on your website). They are confidential and intended only for you and your auditors/regulators.

• Role Requirements:

  • Root Users and Admin IAM users have automatic access.

  • Non-Admin IAM Users require explicit IAM permissions to access Artifact (e.g., artifact:Get, artifact:DownloadAgreement).

Pricing

• Cost: Free.
• There is no charge to access AWS Artifact, download reports, or accept agreements.

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

AWS Artifact Cheat Sheet References:
https://aws.amazon.com/artifact/
https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-artifact.html
https://aws.amazon.com/artifact/faq/