General

1. What is AWS Artifact?

AWS Artifact, available in the console, is a self-service audit artifact retrieval portal that provides our customers with on-demand access to AWS’ compliance documentation and AWS agreements.

You can use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports.

You can use AWS Artifact Agreements to review, accept, and track the status of AWS agreements such as the Business Associate Addendum (BAA).

2. Who has access to AWS Artifact?

All AWS Accounts have access to AWS Artifact. Root users and IAM users with admin permissions can download all audit artifacts available to their account by agreeing to the associated terms and conditions. As with any other routine task in AWS, use an IAM identity rather than the root user for day-to-day access to AWS Artifact.

You will need to grant IAM users with non-admin permissions access to AWS Artifact using IAM policies. This allows you to grant a user access to AWS Artifact while restricting access to other services and resources within your AWS Account. For information on how to grant access using IAM, refer to the access-control topic in the AWS Artifact User Guide.

3. How do I give other users access to AWS Artifact Agreements?

Your administrative account has all of the permissions needed to use AWS Artifact, but different documents and agreements might require you to delegate permissions differently for various users. You can delegate permissions by using IAM policies. Refer to the permissions tables in the AWS Artifact User Guide to view the permissions that you can assign to IAM users based on the level of access that they need.

4. What is an audit artifact?

An audit artifact is a piece of evidence that demonstrates that an organization is following a documented process or meeting a specific requirement. Audit artifacts are gathered and archived throughout the system development life cycle and are to be used as evidence in internal and/or external audits and assessments.

AWS Artifact currently provides customers with reports and agreements that may be used as audit artifacts.

5. How do I share audit artifacts with my auditors?

You will often need to provide your auditors with access to AWS compliance reports. You can do this by creating IAM credentials specific to each auditor and attaching a policy that grants only the report-download permissions relevant to the audit they are conducting, so that an auditor cannot accept or terminate agreements or reach other services and resources in your account. Remove those credentials when the engagement ends. For more information, see the access-control topic in the AWS Artifact User Guide.

6. How can I use these artifacts to meet my audit requirements?

You can provide the AWS audit artifacts to your auditors or regulators as evidence of AWS security controls.

You can also use the responsibility guidance provided by some of the AWS audit artifacts to design your cloud architecture. This guidance helps determine the additional security controls you should put in place in order to support the specific use cases of your system.

7. Is there a limit to the number of artifacts I can download?

No. You can access and download all available artifacts at any time, as many times as you need.

Compliance Reports

1. Who should use AWS Artifact Reports?

AWS Artifact Reports can be used by all AWS customers to assess and validate the security and compliance of the AWS infrastructure and services that they use.

You should use AWS Artifact Reports if you are:

  • Obligated to demonstrate the compliance of your cloud architectures during system design, development and audit life cycles. In order to demonstrate the historical and current compliance of your AWS infrastructure (specific to the services that you use), auditors and regulators require you to provide evidence in the form of audit artifacts.
  • Required to use, or interested in using, audit artifacts to validate that the controls you have implemented on AWS are operating effectively.
  • Interested in continuously monitoring or auditing your suppliers.
  • A member of a development team that is building secure cloud architectures and needs guidance on your responsibility for complying with ISO, PCI, SOC, and other regulatory standards. Often, the work of your team will either enable your enterprise to use AWS or ensure that your enterprise can continue to use AWS.

2. Can I share AWS compliance reports with my customers?

Your customers can access AWS compliance reports using their own AWS Account. If they do not already have an account, you should direct them to create one. There is no charge associated with creating an account.

After signing in to their account, your customers can access available reports in the AWS Management Console by navigating to Artifact under Security, Identity & Compliance. If your customer would like to access a report that requires an NDA, they can receive access by accepting a click-through NDA in the AWS Artifact console.

For more information refer to Getting Started with AWS Artifact.

Agreements

1. What is AWS Artifact Agreements, and why should I use it?

AWS Artifact Agreements, a feature of the AWS Artifact service (our audit and compliance portal), enables you to review, accept, and manage agreements with AWS for your individual account, and also for all accounts that are part of your organization in AWS Organizations. You can also use AWS Artifact to terminate agreements you have previously accepted if they are no longer required.

2. What agreements are available in AWS Artifact Agreements?

Different types of agreements are available in AWS Artifact Agreements to address the needs of customers subject to specific regulations. For example, the Business Associate Addendum (BAA) is available for customers that need to comply with the Health Insurance Portability and Accountability Act (HIPAA). For a complete list of agreements available to your account, sign in to AWS Artifact.

Before you enter into an agreement on AWS Artifact Agreements, you must download and agree to the terms of the AWS Artifact nondisclosure agreement (NDA). Each agreement is confidential and cannot be shared with others outside of your company.

3. If I already have a signed NDA with AWS outside of Artifact, do I need to accept a new NDA in AWS Artifact Agreements?

Yes, you will need to accept the AWS Artifact NDA to access and download confidential documents in Artifact. That said, if you have an existing NDA with Amazon, and if your existing NDA covers the same confidential information as the information provided in Artifact, then your existing NDA will apply instead of the Artifact NDA.

4. Who has access to use AWS Artifact Agreements?

If you’re an administrator of an AWS account, you automatically have permissions to download, accept, and terminate agreements for that account. If you are the administrator of the master account of an organization in AWS Organizations, you can accept and terminate agreements on behalf of the master account and all member accounts in your organization. You should always review any agreement terms with your legal, privacy and/or compliance teams before accepting. You can use IAM to grant access to your agreement stakeholders (such as members of your legal, privacy and/or compliance teams), so that those users can download, review, and accept agreements.

If you’re not an administrator, you will need to be granted additional permissions to download, accept, and terminate agreements (usually, by your administrator). Administrators have the flexibility to grant varying levels of permissions to IAM users based on the business needs of the users.

For a complete list of AWS Artifact permissions, refer to Controlling Access and Common Policies in the AWS Artifact User Guide.

5. What is the difference between AWS Artifact Account Agreements and AWS Artifact Organization Agreements?

When accepted, AWS Artifact Account Agreements (located under the Account agreements tab) apply only to the individual account you used to sign into AWS.

When accepted, AWS Artifact Organization Agreements (located under the Organization agreements tab) apply to all accounts in an organization created through AWS Organizations, including the organization's master account and all member accounts. Only the master account in an organization can accept agreements in AWS Artifact Organization Agreements.

6. What is the benefit of using AWS Artifact Organization Agreements?

AWS Artifact Organization Agreements simplifies agreement management for multiple AWS accounts by allowing you to accept a single agreement on behalf of all accounts within your organization. When an authorized user of a master account accepts an organization agreement, all existing and future member accounts will be covered under the terms of the agreement automatically.

7. What do I need to do in order to use AWS Artifact Organization agreements?

If you are a user of the master account of an organization in AWS Organizations, you can accept an agreement on behalf of all current and future member accounts in your organization. The organization that you belong to must be enabled for all features. If your organization is configured for consolidated billing features only, see Enabling All Features in Your Organization.

To get started, you must be signed in to the master account with the following IAM permissions:

artifact:DownloadAgreement
artifact:AcceptAgreement
artifact:TerminateAgreement
organizations:DescribeOrganization
organizations:EnableAWSServiceAccess
organizations:ListAWSServiceAccessForOrganization
iam:ListRoles
iam:CreateRole
iam:AttachRolePolicy

For a complete list of AWS Artifact permissions, refer to Controlling Access and Common Policies in the AWS Artifact User Guide.
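One way to check a policy against the permissions listed above before a user runs into one of the console errors, and to confirm that the narrowly scoped auditor credentials described under "How do I share audit artifacts with my auditors?" grant nothing beyond report downloads, is shown in the following Python. It is an added example, not code from this page or from AWS. The sample policy documents (LEGAL_TEAM_POLICY and AUDITOR_POLICY) are constructed for the example, and the evaluator considers only Effect, Action and NotAction: it ignores Resource and Condition, so it is a quick pre-check rather than a replacement for the IAM policy simulator. The rules it does apply are the ones practitioners most often get wrong: Action matching is case-insensitive and accepts * and ? wildcards, an explicit Deny overrides any Allow, and anything not matched is implicitly denied.

```python
"""Pre-check an IAM identity policy against the AWS Artifact actions listed above.

Added example, not AWS code. Resource and Condition elements are ignored, which
is a simplification: real report-download policies scope artifact:Get to
report ARNs.
"""
import fnmatch
from typing import Dict, Iterable, List

# Actions the FAQ lists for using AWS Artifact Organization Agreements.
ORG_AGREEMENT_ACTIONS = [
    "artifact:DownloadAgreement",
    "artifact:AcceptAgreement",
    "artifact:TerminateAgreement",
    "organizations:DescribeOrganization",
    "organizations:EnableAWSServiceAccess",
    "organizations:ListAWSServiceAccessForOrganization",
    "iam:ListRoles",
    "iam:CreateRole",
    "iam:AttachRolePolicy",
]

# Constructed sample: a legal-team policy that may review and accept agreements
# but is explicitly denied termination, and that omits the Organizations and
# IAM permissions needed for organization agreements.
LEGAL_TEAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["artifact:*Agreement", "organizations:DescribeOrganization"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "artifact:TerminateAgreement", "Resource": "*"},
    ],
}

# Constructed sample: an external auditor limited to downloading reports.
AUDITOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "artifact:Get", "Resource": "*"}],
}


def _as_list(value) -> list:
    """IAM allows either a single string or a list in Statement/Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM compares Action values case-insensitively with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt: dict, action: str) -> bool:
    """True if the statement's Action (or NotAction) applies to this action."""
    actions = _as_list(stmt.get("Action"))
    if actions:
        return any(_action_matches(p, action) for p in actions)
    not_actions = _as_list(stmt.get("NotAction"))
    if not_actions:
        return not any(_action_matches(p, action) for p in not_actions)
    return False


def allowed_actions(policy: dict, actions: Iterable[str]) -> Dict[str, bool]:
    """Map each action to whether the policy grants it; an explicit Deny wins."""
    result: Dict[str, bool] = {}
    for action in actions:
        allowed = denied = False
        for stmt in _as_list(policy.get("Statement")):
            if not _statement_covers(stmt, action):
                continue
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
        result[action] = allowed and not denied
    return result


def missing_actions(policy: dict,
                    required: Iterable[str] = ORG_AGREEMENT_ACTIONS) -> List[str]:
    """Required actions the policy does not grant, in the order they were listed."""
    required = list(required)
    status = allowed_actions(policy, required)
    return [a for a in required if not status[a]]


if __name__ == "__main__":
    for name, policy in (("legal team", LEGAL_TEAM_POLICY), ("auditor", AUDITOR_POLICY)):
        print(f"{name}: missing {missing_actions(policy)}")
```

Running the block reports that the legal-team policy still lacks the two Organizations permissions and the three IAM role permissions (and, because of the explicit Deny, artifact:TerminateAgreement), which is exactly the set the console errors in the Troubleshooting section would surface one at a time; the auditor policy grants report downloads and nothing else.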

8. Why do I have to grant AWS permission to create a role in my account before using AWS Artifact Organization Agreements?

AWS needs permission to create an IAM role in your account so that the AWS Artifact service can call organizations:ListAccounts to identify the complete list of member accounts in your organization when an agreement is accepted. When a member account joins or leaves your organization, AWS will be notified, and the list of accounts covered by your accepted agreement(s) will be updated.

9. How do I know if my organization is using AWS Artifact Organization Agreements?

Visit the AWS Artifact Agreements console and click on the Organization agreements tab. If the master account in your organization has accepted one or more organization agreements, they will be listed as active. You can do this either when logged in as the master account or as a member account in the organization.

Important: The IAM user signed into the AWS console must have permission to organizations:DescribeOrganization in order for AWS Artifact to retrieve information about your account’s organization agreements. For a complete list of AWS Artifact permissions, refer to Controlling Access and Common Policies in the AWS Artifact User Guide.

10. What is an organization?

An organization is a collection of one or more member accounts that you can manage centrally with a single master account (now called the management account in AWS Organizations) using AWS Organizations. Refer to the AWS Organizations website to learn more.

11. What is a master account?

A master account (now called the management account in AWS Organizations) is the AWS account you use to create your organization in AWS Organizations. When signed in to the master account, you can use AWS Organizations to create member accounts in your organization, invite existing accounts to join your organization, and remove accounts from your organization.

Only master accounts can use AWS Artifact Organization Agreements to accept or terminate agreements on behalf of all accounts in an organization.

12. What is a member account?

A member account is an AWS account, other than the master account, that is part of an organization in AWS Organizations. If you are an administrator of the master account in an organization, you can create member accounts in the organization and invite existing accounts to join the organization. A member account can belong to only one organization at a time.

Member accounts can use AWS Artifact Account Agreements to accept or terminate agreements on behalf of that individual member account only. Member accounts can use AWS Artifact Organization Agreements to view the agreements accepted on the member account’s behalf by the organization’s master account.

13. If my account is not part of an organization, can I still use AWS Artifact Organization Agreements?

No, AWS Artifact Organization Agreements is only available for accounts using AWS Organizations. If you would like to create or join an organization, follow the instructions in Creating and Managing an AWS Organization.

14. How does AWS Artifact Agreements work for reseller accounts?

AWS Artifact Agreements works the same for reseller accounts. Resellers can use IAM to control who has permissions to download, accept, and terminate agreements. By default, only users with administrative privileges can grant that access.

15. How do I accept an agreement for accounts in separate AWS Organizations?

If you have accounts in separate organizations that you want covered by an agreement, you must log in to each organization’s master account and accept the relevant agreements through AWS Artifact Organization Agreements.

If you would like to consolidate accounts into a single organization, you can invite AWS accounts to join your organization by following the instructions in Inviting an Account to Your Organization.

16. Can I use AWS Artifact Organization Agreements to accept an agreement for only some member accounts within my organization?

No. In AWS Artifact Organization Agreements (the Organization agreements tab) you can only accept agreements on behalf of all accounts within the organization.

If you would like to accept an agreement for only some member accounts, you must sign in to each account individually and accept the relevant agreement(s) through AWS Artifact Account Agreements (the Account agreements tab).

17. Can I accept an agreement in the Organization agreement tab if my account already has an agreement of the same type accepted in the Account agreements tab?

Yes, master accounts and member accounts can have AWS Artifact Account Agreements (i.e. agreements under the Account agreements tab) and AWS Artifact Organization Agreements (i.e. agreements under the Organization agreements tab) of the same type in place at the same time.

If your account has an account agreement and an organization agreement of the same type in place at the same time, the organization agreement will apply instead of the account agreement. If, with respect to an individual account, an organization agreement is terminated (e.g. by removal of a member account from the organization), the account agreement in place for that individual account (viewable under the Account agreements tab) will remain active and will continue to apply.

18. If my account has the same agreement accepted in the Account agreements tab and the Organization agreements tab, which one applies?

The organization agreement will apply because according to its terms, it applies instead of the account agreement when both are active. If the organization agreement is terminated, and if you have an account agreement of the same type in place (under the Account agreements tab), the account agreement will apply to that account. Note: Terminating the organization agreement does not terminate the account agreement.

19. If a member account is removed from my organization, what happens to the organization agreements that have been accepted on its behalf?

When a member account is removed from an organization (e.g. by leaving the organization, or by being removed from the organization by the master account), any organization agreements accepted on its behalf will no longer apply to that member account.

Master account administrators should alert member accounts prior to removing those accounts from the organization so that member accounts can put new account agreements in place, if necessary. Before member account owners leave an organization, they should determine (with the assistance of legal, privacy, or compliance teams, if appropriate) whether it is necessary to put new agreements in place.

20. If a member account is removed from my organization, will they be notified?

Currently, member accounts are not notified when they are removed from an organization. We are developing functionality that will alert member accounts when they have been removed from an organization and are no longer covered by an organization agreement.

Business Associate Addendum (BAA)

1. How do I accept an AWS BAA using AWS Artifact Agreements?

AWS Artifact Agreements enables you to review and accept the AWS BAA from the AWS Management Console for your account or your organization in AWS Organizations. You can accept the AWS BAA for your individual account under the Account agreements tab, or if you are a master account in an organization, you can accept the AWS BAA on behalf of all accounts in your organization under the Organization agreements tab. Upon accepting the AWS BAA in AWS Artifact Agreements, you will instantly designate your AWS account(s) for use in connection with protected health information (PHI). Additionally, you can use the AWS Artifact Agreements console to see which agreements are in place for your AWS account or organization and review the terms of those agreements.

2. How do I designate my account as a HIPAA Account under a BAA using AWS Artifact Agreements?

When you accept an online BAA within the Account agreements tab in AWS Artifact, the account you used to sign in to AWS is automatically designated as a HIPAA Account under that online account BAA. If you are a master account in AWS Organizations and accept an online BAA under the Organization agreements tab in AWS Artifact, all accounts within your organization are automatically designated as HIPAA Accounts. Member accounts that are later added to that organization will be automatically designated as HIPAA Accounts as well.

3. Can I designate more than one account as a HIPAA Account under a BAA using AWS Artifact Agreements?

Yes, if you use AWS Organizations, the master account in your organization can use the Organization agreements tab in AWS Artifact Agreements to accept an organization BAA on behalf of all existing and future member accounts in your organization.

If you do not use AWS Organizations, or would like to designate only some of your accounts, you must sign in to each account separately and accept a BAA on behalf of that account.

4. What is the difference between the AWS BAA that can be accepted as an account agreement and the AWS BAA that can be accepted as an organization agreement?

The difference is that the BAA in the Organization agreements tab, when accepted, applies to all accounts linked to your master account through AWS Organizations. In comparison, the BAA in the Account agreements tab only applies to the individual account you used to accept the account BAA, and no other accounts. If you have accepted both the account BAA and the organization BAA, the organization BAA will apply instead of the account BAA.

5. If my account has already accepted an account BAA, can I accept the organization BAA so that all of my accounts are covered?

Yes, using the master account of your organization you can use the Organization agreements tab in AWS Artifact Agreements to accept an organization BAA on behalf of all existing and future member accounts in your organization. When both the account and organization BAA are accepted, the organization BAA will apply instead of the account BAA.

6. How do I terminate a BAA using AWS Artifact Agreements?

If you no longer need to use your AWS account or organization accounts in connection with PHI, and if you accepted the BAA using AWS Artifact Agreements, you can use AWS Artifact Agreements to terminate that BAA.

If you accepted the BAA offline, refer to the 'Offline BAA' FAQs below.

7. What happens when I terminate an online BAA in AWS Artifact Agreements?

If you terminate an online BAA under the Account agreements tab in AWS Artifact, the account you used to sign into AWS will immediately cease to be a HIPAA Account and, unless it is also covered by an organization BAA (within the Organization agreements tab), it will no longer be covered by a BAA with AWS. You should only terminate a BAA if you are sure that you have removed all protected health information (PHI) from the account and will no longer use the account in connection with PHI.

If you are a user of a master account and terminate an online BAA within the Organization agreements tab in AWS Artifact, all accounts within your organization will immediately be removed as HIPAA Accounts and, unless they are covered by individual account BAAs (within the Account agreements tab), they will no longer be covered by a BAA with AWS. You should only terminate a BAA for an organization if you are sure that you have removed all protected health information (PHI) from ALL accounts within such organization and will no longer use any of the accounts in connection with PHI.

8. Which BAA applies if my AWS account has an accepted account BAA and organization BAA?

If you have both an account BAA and an organization BAA in place at the same time, the terms of the organization BAA will apply instead of the terms of the account BAA. Terminating the organization BAA does not terminate the account BAA, so if you terminate the organization BAA, the account BAA will continue to apply to that account.

9. If a member account leaves an organization, does the organization agreement still apply to the account?

No. When a member account leaves an organization, any accepted organization agreement(s) no longer apply to that account. If the member account wants one or more of the agreements to continue to apply after leaving the organization, the member account should accept the relevant account agreement(s) under the Account agreements tab in AWS Artifact prior to leaving the organization.

10. If I have a BAA with AWS, what AWS services can I use in my HIPAA account?

You may use any AWS service in an account designated as a HIPAA Account, but you may only include PHI in HIPAA Eligible Services. Our HIPAA Eligible Services Reference page contains the latest list of HIPAA Eligible Services.

11. Can I enter into a BAA agreement without using AWS Artifact?

Yes. If you prefer to enter into an offline BAA with AWS, please contact your AWS Account Manager or contact us to submit your request. However, we encourage you to take advantage of the speed, efficiency and visibility provided by AWS Artifact Agreements.

12. If I previously signed an offline BAA with AWS, how will that be affected by the online BAA available in AWS Artifact Agreements?

If you previously signed an offline BAA, the terms of that BAA will continue to apply to the accounts you designated as HIPAA Accounts under that offline BAA.

For any accounts that you have not already designated as a HIPAA Account under your offline BAA, you can use AWS Artifact Agreements to accept an online BAA for those accounts.

13. If I previously signed an offline BAA with AWS, can I accept an online BAA in AWS Artifact Agreements?

Yes. The master account in your organization can use the Organization agreements tab in AWS Artifact Agreements to accept an organization BAA on behalf of all existing and future member accounts in your organization.

14. If I have a previously signed offline BAA with AWS, can I view or download that offline BAA in AWS Artifact Agreements?

No. In order to protect the confidentiality of your offline BAA, you will not be able to download a copy of it in AWS Artifact Agreements. If you would like to view a copy of your previously signed offline BAA, you can reach out to your AWS Account Manager to request it.

15. If I previously signed an offline BAA with AWS, can I use AWS Artifact Agreements to designate additional accounts as HIPAA Accounts under that offline BAA?

No. You can use AWS Artifact Agreements to accept an online BAA for a single account or for all accounts within your organization in AWS Organizations. These will be subject to the terms of the applicable online BAA, however, not your offline BAA.

If you want to designate additional HIPAA Accounts under your offline BAA, you can do so by following the process described in your offline BAA (e.g., sending an email to aws-hipaa@amazon.com). Once confirmed by AWS, the Artifact Agreements interface will change for the newly designated account to reflect that it has been designated as a HIPAA Account under your offline BAA.

16. If I have an offline BAA with AWS, can I terminate my offline BAA in the AWS Artifact Agreements interface?

No. You can use AWS Artifact Agreements to remove an account as a HIPAA Account under your offline BAA, but it will not terminate the offline BAA itself. To terminate an offline BAA, you need to provide written notice to AWS according to the terms of your offline BAA.

17. If I designated an account as a HIPAA Account under a previously signed offline BAA, can I use AWS Artifact Agreements to remove that account as a HIPAA Account under my offline BAA?

Yes. You can follow the steps prompted within AWS Artifact to remove your account as a HIPAA Account under your offline BAA. You should only remove an account as a HIPAA Account if you are sure that you have removed all protected health information (PHI) from the account and will no longer use the account in connection with PHI.

18. I want to accept an Organizations BAA but only some of my member accounts are processing PHI. Do the obligations of the BAA only apply to accounts processing PHI?

By its terms, the AWS BAA only applies to “HIPAA Accounts,” which are defined as AWS accounts that store or transmit PHI, that only use HIPAA Eligible Services to store or transmit that PHI, and to which you have applied the required security configurations specified in the AWS BAA, such as encryption of PHI at rest and in transit (refer to the AWS BAA for a full list of the required security configurations). Accounts that do not meet the definition of a HIPAA Account are not subject to the AWS BAA.

Troubleshooting

1. I am attempting to download an agreement, but I don’t see the download appear. What can I do next?

  1. Make certain that you are using the most current version of your web browser and have Adobe Reader installed.
  2. Enable pop-ups for your browser so the attachment can download.
  3. Check your recent downloads folder.
  4. Review the document and share it within your organization, as needed.

2. I am receiving an error message, what does it mean?

Error messages are usually the result of your IAM user not having sufficient permissions to perform the desired action in AWS Artifact. The list below gives each error message shown in the AWS Artifact console and how to resolve it:

Error message: You don’t have the permissions to accept the agreement
Resolution: You need permissions to accept agreements in AWS Artifact. Contact your account administrator to attach the following permission to your IAM user: artifact:AcceptAgreement. For a complete example IAM policy, refer to Agreement Permissions.

Error message: You don’t have the permissions to terminate the agreement
Resolution: You need permissions to terminate agreements in AWS Artifact. Contact your account administrator to attach the following permission to your IAM user: artifact:TerminateAgreement. For a complete example IAM policy, refer to Agreement Permissions.

Error message: You don’t have the permissions to download the agreement
Resolution: You need permissions to download agreements in AWS Artifact. Contact your account administrator to attach the following permission to your IAM user: artifact:DownloadAgreement. For a complete example IAM policy, refer to Agreement Permissions.

Error message: You don't have the permissions to download this report
Resolution: You need permissions to download reports in AWS Artifact. Contact your account administrator to attach the following permission to your IAM user: artifact:Get. For a complete example IAM policy, refer to Report Permissions.

Error message: You need additional approval from AWS to access this report
Resolution: The report you are trying to download requires additional approval from AWS before you can access it. Open a request for access using the AWS Account ID you are using to download the report. Your access request will be responded to within 1 business day. If approved, you will be able to download the report using the AWS Account ID you submitted. If AWS has additional questions about your request, you will receive an email within 1 business day.

Error message: Your organization must be enabled for all features
Resolution: Your organization is configured only for consolidated billing. To use organization agreements in AWS Artifact, your organization must be enabled for all features; see Enabling All Features in Your Organization.

Error message: Before you can manage agreements for your organization, you need the following permissions: organizations:EnableAWSServiceAccess and organizations:ListAWSServiceAccessForOrganization
Resolution: These permissions enable AWS Artifact to access organization information in AWS Organizations. Contact your account administrator to attach the following permissions to your IAM user: organizations:EnableAWSServiceAccess and organizations:ListAWSServiceAccessForOrganization. For a complete example IAM policy, refer to Agreement Permissions.

Error message: Before you can manage agreements for your organization, you need the following permissions to list, create, and attach IAM roles: iam:ListRoles, iam:CreateRole, and iam:AttachRolePolicy
Resolution: Contact your account administrator to attach the following permissions to your IAM user: iam:ListRoles, iam:CreateRole, and iam:AttachRolePolicy. For a complete example IAM policy, refer to Agreement Permissions.

Error message: You don’t have the permissions to retrieve information about your AWS account’s organization
Resolution: Contact your account administrator to attach the following permission to your IAM user: organizations:DescribeOrganization. For a complete example IAM policy, refer to Agreement Permissions.

Error message: Your account isn’t in an organization
Resolution: You can create or join an organization by following the instructions in Creating and Managing an AWS Organization.
