AWS Artifact: A Beginner's Guide With Examples

What Is AWS Artifact?

AWS Artifact is Amazon’s self-service portal for accessing compliance reports and managing agreements. Think of it as a centralized hub for all things security and compliance. SOC reports, ISO certifications, or PCI DSS compliance documents are all available on demand. No need to file support tickets or wait for approvals—you can retrieve what you need in just a few clicks.

Using AWS Artifact saved my team so much time when preparing our ISO certification. I think everyone who has worked towards that certification knows just how much paperwork it entails! Having all the necessary documents in one place meant we could focus on the actual certification process rather than wasting hours tracking down paperwork.

AWS Artifact isn’t just a document repository, though. It also helps businesses manage agreements with AWS, such as Data Processing Addendums (DPAs) for GDPR compliance or Business Associate Addendums (BAAs) for HIPAA. If your company needs to ensure compliance with industry regulations, AWS Artifact provides the transparency and accessibility to make that process easier.

So, let’s recap the main features of AWS Artifact:

• On-demand access: No more waiting, retrieve compliance documents whenever you need them.
• Comprehensive documentation: Includes audit reports, certifications, and regulatory compliance materials.
• User-friendly interface: Easily navigate and download reports without needing extensive AWS expertise.

In the next section, I’ll break down the key components so you can see exactly what’s available and how it can benefit your organization.

Key Components of AWS Artifact

AWS Artifact is divided into two main sections: AWS Artifact Reports and AWS Artifact Agreements.

AWS Artifact Reports

If you've ever had to gather compliance documentation for an audit, you know how painful it can be. AWS Artifact Reports simplify this by offering direct access to audit reports, security certifications, and compliance documents:

• SOC reports: Service Organization Control (SOC) reports outline AWS’s internal controls related to security, availability, and confidentiality. They’re really important for organizations that need to demonstrate trust and transparency in their cloud operations.
• ISO certifications: AWS maintains several international security certifications, including ISO 27001 (information security), ISO 27017 (cloud security), and ISO 27018 (data privacy for cloud services). If your business follows ISO standards, you can easily download these reports for compliance purposes.
• PCI DSS compliance: For businesses handling payment card data, AWS Artifact provides PCI DSS (Payment Card Industry Data Security Standard) reports to confirm AWS’s compliance with industry regulations.

AWS Artifact Agreements

AWS Artifact also manages important agreements between AWS and its customers. These agreements help businesses meet regulatory and legal requirements and ensure data is handled correctly. Key agreements include:

• Customer agreements: Standard terms and conditions that govern the use of AWS services.
• Data Processing Addendum (DPA): For companies operating under GDPR, this agreement outlines how AWS handles and protects personal data.
• Business Associate Addendum (BAA): This type of agreement is essential for healthcare organizations subject to HIPAA and ensures AWS complies with regulations for handling protected health information (PHI).

Now you know what you can expect from AWS Artifact, I’ll show you how to access and use it effectively.

How to Access and Use AWS Artifact

AWS Artifact is available directly through the AWS Management Console, and using it is pretty straightforward. You don’t need to be a cloud expert or an IT professional.

1. Accessing AWS Artifact

To get started:

1. Log in to your AWS Management Console. If you do not have an account yet, you will need to create one.
2. In the search bar at the top, type “Artifact” and select it from the results.
3. Alternatively, navigate manually:
• Go to “Security, Identity, & Compliance” in the AWS services menu.
• Click on “AWS Artifact”.

This will bring you to the AWS Artifact dashboard, where you’ll see two main sections:

• Reports (for compliance documentation)
• Agreements (for legal and regulatory contracts)

AWS Artifact homepage

2. Downloading compliance reports

If you need SOC reports, ISO certifications, or PCI DSS documentation, this is how you can retrieve them:

1. From the AWS Artifact dashboard, click on “Reports”.
2. Browse or use the search bar to find the specific report you need.
3. Click on the report title to see details, or select it for quick actions.
4. Click “Download report” to get a copy of the document.

AWS Artifact reports

AWS Artifact specific report page

These reports are typically PDFs, and you can store them securely for audits or regulatory reviews.

3. Reviewing and accepting agreements

Some AWS services require legal agreements to comply with regulations like GDPR (DPA) or HIPAA (BAA). Here’s how to manage them:

1. In AWS Artifact, go to the “Agreements” tab.
2. You’ll see a list of agreements available for your account.
3. If required, accept the agreement by selecting it and clicking “Accept agreement”. You will need to download the agreement before you do that—and read it carefully!
4. If you no longer need a specific agreement, you may have the option to terminate it.

AWS Artifact agreements

Once accepted, these agreements ensure your AWS services comply with privacy laws and industry regulations.

4. Who can access AWS Artifact?

By default, not everyone in your AWS account can access AWS Artifact. If someone on your compliance or security team needs access, an AWS administrator must grant them permission via AWS Identity and Access Management (IAM).

To do this:

1. Open IAM in the AWS console.
2. Create or modify an IAM policy that includes permissions for AWS Artifact.
3. Attach the policy to the appropriate IAM users, groups, or roles.

You can define your own policies or use AWS’s managed policies like AWSArtifactReportsReadOnlyAccess.

AWS Artifact managed policies

5. Troubleshooting common issues

If you’re having trouble accessing AWS Artifact or downloading reports, here are a few things to check:

• No access: You might not have the right IAM permissions, Ask an AWS admin to grant access.
• Missing reports: Some reports are only available to AWS customers in specific regions or industries.
• Can’t download: Try disabling browser extensions or using a different browser, as some security settings may interfere.

Best Practices for AWS Artifact

AWS Artifact is a powerful tool, but like any compliance-related system, how you use it matters. To get the most value out of it (and avoid last-minute scrambles when auditors come knocking), there are some best practices to follow.

1. Regularly check for new reports and certifications

AWS continuously updates its compliance documentation as regulations evolve and audits are completed. If your business relies on SOC reports, ISO certifications, or PCI DSS compliance, make it a habit to check AWS Artifact periodically for the latest versions. You can even set a recurring task to download and review updated reports every quarter!

2. Keep compliance stakeholders in the loop

AWS Artifact is only useful if the right people know how to access and use it. Make sure your compliance officers, IT security teams, and auditors are aware of the tool and have the necessary permissions. I’d recommend documenting where to find key reports and agreements in your preferred documentation tool so no one has to dig through AWS’s UI at the last minute.

3. Review and accept agreements promptly

Some AWS services require specific agreements (like the DPA for GDPR or the BAA for HIPAA) before you can use them in a compliant manner. Failing to review and accept these agreements could cause delays in your compliance process. Assign someone to check for new agreements regularly and ensure they’re signed on time.

4. Integrate AWS Artifact into your compliance workflow

If your organization already follows ISO, SOC, or PCI DSS frameworks, make AWS Artifact a standard part of your compliance process. For example:

• During audits, you can provide direct downloads from AWS Artifact instead of manually collecting documentation.
• For new hires in security and compliance roles, you can include AWS Artifact training in onboarding.
• You can use a compliance checklist that includes checking AWS Artifact reports and agreements.

5. Use IAM permissions to control access

Not everyone in your organization needs access to AWS Artifact. Restrict access to only those who need it using AWS Identity and Access Management (IAM) policies. This ensures compliance data stays secure while still being available to the right teams.

Conclusion

AWS Artifact allows you to gather all your reports and agreements in one place so you can spend less time chasing paperwork and focus on the fun stuff.

If you’re new to AWS and would like to know more, you can follow this beginner’s AWS Concepts course, where you’ll learn about AWS’ main services and why the platform is at the forefront of cloud computing.