Start for Free with AWS Artifact »
  • Compliance Reports FAQs

    AWS Artifact, available in the console, is a self-service audit artifact retrieval portal that provides our customers with on-demand access to AWS’ compliance documentation.

    AWS Artifact can be used by all AWS customers to assess and validate the security and compliance of the AWS infrastructure and services that they use.

    You should use AWS Artifact if you are:

    • Obligated to demonstrate the compliance of your cloud architectures during system design, development and audit life cycles. In order to demonstrate the historical and current compliance of your AWS infrastructure (specific to the services that you use), auditors and regulators require you to provide evidence in the form of audit artifacts.
    • Required to, or are interested in using audit artifacts to validate that your AWS implemented controls are operating effectively.
    • Interested in continuously monitoring or auditing your suppliers.
    • A member of a development team that is building secure cloud architectures, and are in need of guidance in understanding your responsibility for complying with ISO, PCI, SOC, and other regulatory standards. Often, the work of your team will either enable your enterprise to use AWS, or ensure that your enterprise can continue to use AWS.

    An audit artifact is a piece of evidence that demonstrates that an organization is following a documented process, or meeting a specific requirement. Audit artifacts are gathered and archived throughout the system development life cycle, and are to be used as evidence in internal and/or external audits and assessments.

    All AWS Accounts have access to AWS Artifact. Root users and IAM users with admin permissions can download all audit artifacts available to their account by agreeing to the associated terms and conditions.

    You will need to grant IAM users with non-admin permissions access to AWS Artifact using IAM permissions. This allows you to grant a user access to AWS Artifact, while restricting access to other services and resources within your AWS Account. For information on how to grant access using IAM, refer to this help topic in the AWS Artifact documentation.

    You can provide the AWS audit artifacts to your auditors or regulators as evidence of AWS security controls.

    You can also use the responsibility guidance provided by some of the AWS audit artifacts to design your cloud architecture. This guidance helps determine the additional security controls you should put in place in order to support the specific use cases of your system. 

    No. You can access and download all available artifacts at any time, as many times as you need.

    You will often need to provide your auditors with access to AWS compliance reports. You can easily accomplish this by creating IAM user credentials specific to each auditor, and configuring the credentials so that the auditor can only access the reports that are relevant to the audit that they are conducting. For more information, see this help topic in the AWS Artifact documentation.

    Your customers can access AWS compliance reports using their own AWS Account. If they do not already have an account, you should direct them to create one. There is no charge associated with creating an account.

    After logging into their account, your customers can access available reports in the AWS Console by navigating to Compliance Reports under Security, Identity & Compliance. If your customer would like to access a report that requires and NDA, they can receive access by signing a click-through NDA inside of the Artifact Console.

    For more information refer to Getting Started with AWS Artifact

    You will often need to provide other individuals within your organization access to AWS compliance reports. Documents that you download from AWS Artifact are specifically generated for you, and every document has a unique watermark. For this reason, you should only share the documents with individuals that you trust. Do not email the documents as attachments, and do not share them online. To share a document, use a secure sharing service such as Amazon WorkDocs, or create an IAM permissions policy that gives IAM users in the group access to the AWS Artifact documents. For more information, refer to the AWS Artifact documentation.

    Yes. Using IAM, you can create a permissions policy for a non-admin group that gives the IAM users in the group access to AWS Artifact. You can then use the policty to restrict access to other services and resources within the associated account. For more information on how to create a non-admin group, refer to the AWS Artifact documentation.

    Yes. Access can be granted to one or more artifacts using IAM permissions, giving you full control over who has access to each artifact. For example, if you want your PCI team to only have access to the AWS PCI report, but your SOX team to only have access to the AWS SOC 1 report, you can customize each users access permissions. For information on how to grant access using IAM, refer to this help topic in the AWS Artifact documentation.

    Yes, you will need to accept another NDA in Artifact to access and download confidential documents in Artifact. That said, if you have an existing NDA with Amazon, and if your existing NDA covers the same confidential information as the information provided in Artifact, then your existing NDA will apply instead of the Artifact NDA. Please refer to this language in the first paragraph of the Artifact NDA:

    “If you have entered into a separate nondisclosure agreement with Amazon that covers at least the same confidential information covered by Artifact Confidential Information (as defined in this Agreement), then that separate nondisclosure agreement will apply instead of this Agreement (see Section 11 below).”

  • BAA Agreement FAQs

    AWS Artifact Agreements is a feature of the AWS Artifact service (our audit and compliance portal). AWS Artifact Agreements enables you to review, accept, and manage the status of your Business Associate Addendum (BAA) agreement from the AWS Management Console for your account. You can use the console to enter into a BAA agreement, and thus instantly designate an AWS account for use in connection with protected health information (PHI). Additionally, you can use the console to confirm that your AWS account is designated as a HIPAA account and review the terms of the accepted agreement to understand your obligations. If you no longer need to use the account in connection with PHI, you can use AWS Artifact Agreements to terminate the BAA.

    If you’re an administrator of an AWS account, you can grant IAM permissions to other users to enable them to download, accept, or terminate agreements on behalf of your account in AWS Artifact. For more information, see the AWS Artifact documentation.

    Currently, the Business Associate Addendum (BAA) is the only specialized industry agreement that is available in AWS Artifact Agreements. Before you enter into a BAA agreement, you must download and agree to the terms of a nondisclosure agreement (NDA). The BAA is confidential and can’t be shared with others outside of your organization.

    Yes, you will need to accept another NDA in Artifact to access and download confidential documents in Artifact. That said, if you have an existing NDA with Amazon, and if your existing NDA covers the same confidential information as the information provided in Artifact, then your existing NDA will apply instead of the Artifact NDA. Please refer to this language in the first paragraph of the Artifact NDA:

    “If you have entered into a separate nondisclosure agreement with Amazon that covers at least the same confidential information covered by Artifact Confidential Information (as defined in this Agreement), then that separate nondisclosure agreement will apply instead of this Agreement (see Section 11 below).”

    If you’re an administrator of an AWS account, you automatically have permissions to download, accept, and terminate agreements for that account. If you’re not an administrator, you will need additional permissions to accept and terminate agreements. Users whose IAM accounts have been granted full access to download all reports will not inherit access to accept or terminate agreements. However, users whose IAM accounts have been granted full access to AWS Artifact (i.e. an IAM policy with Artifact*) will be able to perform all actions.

    The different levels of permissions give administrators the flexibility to grant permissions to IAM users based on the business needs of the users. For more information, see the AWS Artifact documentation.

    Yes. By default, users with administrative privileges can use AWS Artifact Agreements to download, review, and accept agreements. You should always review any agreement terms with your legal, privacy and/or compliance teams before accepting. You can also use IAM to seamlessly grant access to users with a business need (such as members of your legal, privacy and/or compliance teams), so that those users can download, review, and accept agreements for your organization. For more information, see the AWS Artifact documentation.

    No. If you previously signed an offline BAA, the terms of that BAA continue to apply to the accounts you already designated as HIPAA Accounts under that offline BAA.

    For any account that you have not already designated as a HIPAA Account under your offline BAA, you can use AWS Artifact Agreements to accept an online BAA for that account and instantly designate it as a HIPAA Account.

    No. In order to protect the confidentiality of your offline BAA, you will not be able to download it in AWS Artifact Agreements by default. If you would like to view a copy of your previously signed offline BAA, you can reach out to your AWS Account Manager to request it.

    Yes. You can follow the steps within the AWS Artifact interface to remove your account as a HIPAA Account under your offline BAA. You should only remove an account as a HIPAA Account if you are sure that you have removed all protected health information (PHI) from the account and will no longer use the account in connection with PHI.

    No. If you need to designate an account as a HIPAA Account under your previously signed offline BAA, you can do so by following the process described in your offline BAA (e.g., sending an email to aws-hipaa@amazon.com). Once confirmed by AWS, the Artifact Agreements interface will change for the newly designated account to reflect that it has been designated as a HIPAA Account under your offline BAA.

    No. Customers with a previously signed offline BAA cannot terminate that offline BAA in AWS Artifact. To terminate a previously signed offline BAA, customers will need to provide written notice to AWS according to the terms of the offline BAA.

    When you accept a BAA online in AWS Artifact, the account you used to log into AWS Artifact is automatically designated as a HIPAA Account under that online BAA. No additional steps are necessary.

    If you have additional accounts that need to be covered under a BAA, you must log in to AWS Artifact for each of those other accounts, and separately accept a BAA for each one.

    Yes. However, you must log in to AWS Artifact for each account that needs to be covered under a BAA and separately accept a BAA for each one.

    Similarly, if you terminate an online BAA, only the account associated with that online BAA agreement will be removed as a HIPAA Account.

    AWS Artifacts Agreements works the same for reseller accounts. Resellers can use IAM to control who has permissions to download, accept, and terminate agreements. By default, only users with administrative privileges can grant access.

    AWS Artifact Agreements, and the entire AWS Artifact service, can be used independently by both technical and non-technical users at no cost. Administrators of AWS accounts can grant users IAM permissions to perform one or more actions within AWS Artifact. These actions include downloading reports, accepting agreements, and terminating agreements. For more information, see the AWS Artifact documentation.

    If you terminate an online BAA in AWS Artifact, the account you used to log in to AWS Artifact will immediately be removed as a HIPAA Account and will no longer be covered by a BAA with AWS. Using AWS Artifact to terminate an online BAA for one account will not terminate any other BAA you have in place with AWS for any other account.

    You should only terminate a BAA for an account if you are sure that you have removed all protected health information (PHI) from the account and will no longer use the account in connection with PHI.

    You may use any AWS service in an account designated as a HIPAA Account, but you may only include PHI in HIPAA Eligible Services. Our HIPAA Eligible Services Reference page contains the latest list of HIPAA Eligible Services.

    Yes. If you prefer to enter into an offline BAA with AWS, please contact your AWS Account Manager or contact us to submit your request. However, we encourage you to take advantage of the speed, efficiency and visibility provided by AWS Artifact Agreements.

    1. Make certain that you are using the most current version of your web browser and have Adobe Reader as well.
    2. Enable pop-ups for your browser so the attachment can download.
    3. Check your recent downloads folder.
    4. Review the document and share as needed.

 

Start for Free with AWS Artifact