Ace Cloud Interviews
AWS Security & Identity

Artifact

Access AWS compliance reports and agreements on demand

AWS Artifact is a self-service portal that provides on-demand access to AWS compliance reports, certifications, and legal agreements. It is the primary resource for obtaining AWS audit documentation needed for your own compliance programs (SOC reports, PCI DSS Attestation of Compliance, ISO certifications). Artifact also lets you review and accept AWS agreements like the Business Associate Addendum (BAA) for HIPAA compliance.

What Artifact Contains and Who Needs It

Artifact has two sections: Reports (AWS compliance documentation you can download) and Agreements (legal agreements you can review and accept for your account or organization).

| Document type | Examples | Use case |
|---|---|---|
| SOC reports | SOC 1 Type II, SOC 2 Type II, SOC 3 | Provide to auditors as evidence that AWS infrastructure meets security/availability criteria |
| PCI DSS | AWS PCI DSS Attestation of Compliance (AOC), Responsibility Summary | Required for PCI compliance programs; defines AWS's responsibility vs yours |
| ISO certifications | ISO 27001, ISO 27017, ISO 27018, ISO 9001 | Enterprise vendor assessments, GDPR documentation |
| GDPR | AWS GDPR Data Processing Addendum, Privacy Notice | EU data protection compliance documentation |
| FedRAMP | FedRAMP authorization packages | US federal government cloud usage requirements |
| HIPAA | Business Associate Addendum (BAA) | Required agreement for using AWS to process PHI (Protected Health Information) |
💡

AWS compliance reports cover AWS's own infrastructure and services. They do not cover your application or workload running on AWS. Your auditors need both the AWS compliance documentation (from Artifact) AND your own controls documentation. The PCI DSS Responsibility Summary is particularly useful - it maps which controls AWS handles vs which you are responsible for.

AWS Agreements: BAA, GDPR, and More

The Agreements section of Artifact lets you accept legal agreements with AWS that are prerequisites for operating in regulated industries.

| Agreement | Required for | Scope |
|---|---|---|
| Business Associate Addendum (BAA) | HIPAA: processing Protected Health Information (PHI) | Per-account; must be accepted before storing any PHI in AWS |
| GDPR Data Processing Addendum | EU GDPR compliance as a data controller | Per-account or organization-wide |
| Nondisclosure Agreement (NDA) | Accessing confidential AWS compliance materials | May be required for certain sensitive reports |
⚠️

Accepting the BAA in Artifact does not automatically make your AWS account HIPAA-compliant. It means AWS agrees to act as your Business Associate. You must still ensure that you only use HIPAA-eligible AWS services (not all services are eligible), implement required security controls, and document your own policies. Check the AWS HIPAA Eligible Services page for the current list of covered services.

Controlling Access to Artifact Reports

Access to Artifact is controlled via IAM. Reports are available to users with the appropriate IAM permissions. For sensitive reports that require an NDA, AWS tracks individual acceptance per IAM user.

IAM policy granting read-only access to Artifact reports and agreements (the report actions are the ones the CLI flow below exercises):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ArtifactReadOnly",
      "Effect": "Allow",
      "Action": [
        "artifact:Get",
        "artifact:DownloadAgreement",
        "artifact:ListReports",
        "artifact:GetReportMetadata",
        "artifact:GetTermForReport",
        "artifact:GetReport"
      ],
      "Resource": "*"
    }
  ]
}
```

```bash
# List available reports (the --query projection trims the JSON to the fields you need)
aws artifact list-reports --query 'reports[].{id:id,name:name,version:version,state:state}'

# Every download first requires acknowledging the report's terms of use:
# get-term-for-report returns a short-lived term token for that report
aws artifact get-term-for-report --report-id <report-id>

# Get the report: pass the term token and you receive a presigned download URL
aws artifact get-report --report-id <report-id> --term-token <token>
```
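A scripted version of the list-reports / get-term-for-report / get-report flow, added here as an example (it is not code from the page or from AWS). The Artifact client is injected, so the constructed StubArtifactClient, SAMPLE_REPORTS and the example.invalid URLs stand in for a live account; with boto3 you would pass boto3.client("artifact") instead. It also handles two things the CLI lines do not show: paging through the listing and skipping unpublished or older report versions.

```python
import re

class StubArtifactClient:  # constructed offline stand-in for boto3.client("artifact"); 2 reports per page
    def __init__(self, reports):
        self.reports, self.issued = reports, {}

    def list_reports(self, maxResults=100, nextToken=None):
        start = int(nextToken or 0)
        out = {"reports": self.reports[start:start + 2]}
        if start + 2 < len(self.reports):
            out["nextToken"] = str(start + 2)
        return out

    def get_term_for_report(self, reportId, reportVersion):
        token = f"term-{reportId}-v{reportVersion}"
        self.issued[token] = reportId  # a term token is bound to one report
        return {"termToken": token, "documentPresignedUrl": "https://example.invalid/terms"}

    def get_report(self, reportId, reportVersion, termToken):
        if self.issued.get(termToken) != reportId:
            raise PermissionError("terms not acknowledged for this report")
        return {"documentPresignedUrl": f"https://example.invalid/{reportId}/v{reportVersion}.pdf"}

SAMPLE_REPORTS = [  # constructed listing; ids and versions are made up
    {"id": "rpt-soc2-a", "name": "SOC 2 Type II", "version": 3, "state": "PUBLISHED"},
    {"id": "rpt-iso", "name": "ISO 27001 Certificate", "version": 1, "state": "PUBLISHED"},
    {"id": "rpt-soc2-draft", "name": "SOC 2 Type II", "version": 5, "state": "UNPUBLISHED"},
    {"id": "rpt-soc2-b", "name": "SOC 2 Type II", "version": 4, "state": "PUBLISHED"},
]

def find_report(client, name_pattern):
    """Page through list_reports; return the highest PUBLISHED version whose name matches."""
    best, token = None, None
    while True:
        page = client.list_reports(maxResults=100, **({"nextToken": token} if token else {}))
        for r in page["reports"]:
            if r["state"] == "PUBLISHED" and re.search(name_pattern, r["name"], re.I):
                if best is None or r["version"] > best["version"]:
                    best = r
        token = page.get("nextToken")
        if not token:
            return best

def download_url_for(client, name_pattern):
    """get_term_for_report issues the termToken that get_report requires: terms are acknowledged per download."""
    report = find_report(client, name_pattern)
    if report is None:
        raise LookupError(f"no published report matches {name_pattern!r}")
    rid, ver = report["id"], report["version"]
    term = client.get_term_for_report(reportId=rid, reportVersion=ver)
    doc = client.get_report(reportId=rid, reportVersion=ver, termToken=term["termToken"])
    return rid, doc["documentPresignedUrl"]
```

The returned URL is presigned and short-lived, so fetch the document immediately and keep the downloaded copy, not the URL, in your evidence store.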
💡

In multi-account organizations, the management account administrator can accept agreements on behalf of all member accounts using the organizational agreements feature. This is the recommended approach for the BAA and GDPR DPA in an enterprise - centrally accepted once, covering all accounts.

Using Artifact Documents in a Shared Responsibility Context

The AWS Shared Responsibility Model means AWS compliance certifications cover the cloud infrastructure layer but not your workloads. Artifact documents help you understand exactly where the boundary lies.

| Compliance framework | What Artifact provides | What you still need to do |
|---|---|---|
| PCI DSS | AWS AOC covering AWS infrastructure | Achieve PCI compliance for your application: cardholder data handling, network segmentation, access controls |
| HIPAA | BAA agreement, SOC 2 Type II | Use only HIPAA-eligible services; implement PHI encryption, access logging, workforce training |
| SOC 2 | AWS SOC 2 Type II report covering AWS controls | Obtain your own SOC 2 audit covering your application controls |
| ISO 27001 | AWS ISO 27001 certificate | Implement an ISMS for your organization; it may reference the AWS certificate as a vendor control |
💡

When customers or enterprise procurement ask for your vendor's security documentation, you provide them with the relevant AWS Artifact reports (with appropriate NDA if required) alongside your own security documentation. Do not share Artifact reports externally without verifying the terms of use for that specific report - some reports have distribution restrictions.

🎯

Interview Focus Points

1. What is AWS Artifact and what are the two main sections of the service?
2. A customer asks for your SOC 2 report. How do you use AWS Artifact to respond?
3. What is the HIPAA Business Associate Addendum (BAA) and what does accepting it in Artifact actually mean for your compliance posture?
4. Does an AWS ISO 27001 certification make your application ISO 27001 certified? Why or why not?
5. How do you accept the AWS BAA for an entire AWS Organization centrally?
6. What is the PCI DSS Responsibility Summary document and why is it useful for compliance teams?
7. How do you control which IAM users in your organization can access compliance reports in Artifact?