Security, Identity & Compliance | AWS Artifact Flashcards
What is AWS Artifact?
Compliance Reports
AWS Artifact | Security, Identity & Compliance
AWS Artifact, available in the console, is a self-service audit artifact retrieval portal that provides our customers with on-demand access to AWS’ compliance documentation.
Who should use AWS Artifact?
Compliance Reports
AWS Artifact | Security, Identity & Compliance
AWS Artifact can be used by all AWS customers to assess and validate the security and compliance of the AWS infrastructure and services that they use.
You should use AWS Artifact if you are:
Obligated to demonstrate the compliance of your cloud architectures during system design, development and audit life cycles. In order to demonstrate the historical and current compliance of your AWS infrastructure (specific to the services that you use), auditors and regulators require you to provide evidence in the form of audit artifacts.
Required to, or are interested in using audit artifacts to validate that your AWS implemented controls are operating effectively.
Interested in continuously monitoring or auditing your suppliers.
A member of a development team that is building secure cloud architectures, and are in need of guidance in understanding your responsibility for complying with ISO, PCI, SOC, and other regulatory standards. Often, the work of your team will either enable your enterprise to use AWS, or ensure that your enterprise can continue to use AWS.
What is an audit artifact?
Compliance Reports
AWS Artifact | Security, Identity & Compliance
An audit artifact is a piece of evidence that demonstrates that an organization is following a documented process, or meeting a specific requirement. Audit artifacts are gathered and archived throughout the system development life cycle, and are to be used as evidence in internal and/or external audits and assessments.
Who has access to AWS Artifact?
Compliance Reports
AWS Artifact | Security, Identity & Compliance
All AWS Accounts have access to AWS Artifact. Root users and IAM users with admin permissions can download all audit artifacts available to their account by agreeing to the associated terms and conditions.
You will need to grant IAM users with non-admin permissions access to AWS Artifact using IAM permissions. This allows you to grant a user access to AWS Artifact, while restricting access to other services and resources within your AWS Account. For information on how to grant access using IAM, refer to this help topic in the AWS Artifact documentation.
How can I use these artifacts to meet my audit requirements?
Compliance Reports
AWS Artifact | Security, Identity & Compliance
You can provide the AWS audit artifacts to your auditors or regulators as evidence of AWS security controls.
You can also use the responsibility guidance provided by some of the AWS audit artifacts to design your cloud architecture. This guidance helps determine the additional security controls you should put in place in order to support the specific use cases of your system.
Is there a limit to the number of artifacts I can download?
Compliance Reports
AWS Artifact | Security, Identity & Compliance
No. You can access and download all available artifacts at any time, as many times as you need.
How do I share audit artifacts with my auditors?
Compliance Reports
AWS Artifact | Security, Identity & Compliance
You will often need to provide your auditors with access to AWS compliance reports. You can easily accomplish this by creating IAM user credentials specific to each auditor, and configuring the credentials so that the auditor can only access the reports that are relevant to the audit that they are conducting. For more information, see this help topic in the AWS Artifact documentation.
How do I share audit artifacts with my customers who have a need to assess the security of AWS?
Compliance Reports
AWS Artifact | Security, Identity & Compliance
Your customers can access AWS compliance reports using their own AWS Account. If they do not already have an account, you should direct them to create one. There is no charge associated with creating an account.
After logging into their account, your customers can access available reports in the AWS Console by navigating to Compliance Reports under Security, Identity & Compliance. If your customer would like to access a report that requires and NDA, they can receive access by signing a click-through NDA inside of the Artifact Console.
For more information refer to Getting Started with AWS Artifact.
How do I share audit artifacts with other individuals within my organization?
Compliance Reports
AWS Artifact | Security, Identity & Compliance
You will often need to provide other individuals within your organization access to AWS compliance reports. Documents that you download from AWS Artifact are specifically generated for you, and every document has a unique watermark. For this reason, you should only share the documents with individuals that you trust. Do not email the documents as attachments, and do not share them online. To share a document, use a secure sharing service such as Amazon WorkDocs, or create an IAM permissions policy that gives IAM users in the group access to the AWS Artifact documents. For more information, refer to the AWS Artifact documentation.
Can I grant individuals within my organization access only to AWS Artifact?
Compliance Reports
AWS Artifact | Security, Identity & Compliance
Yes. Using IAM, you can create a permissions policy for a non-admin group that gives the IAM users in the group access to AWS Artifact. You can then use the policty to restrict access to other services and resources within the associated account. For more information on how to create a non-admin group, refer to the AWS Artifact documentation.
Can I restrict access to individuals within my organization to only select artifacts?
Compliance Reports
AWS Artifact | Security, Identity & Compliance
Yes. Access can be granted to one or more artifacts using IAM permissions, giving you full control over who has access to each artifact. For example, if you want your PCI team to only have access to the AWS PCI report, but your SOX team to only have access to the AWS SOC 1 report, you can customize each users access permissions. For information on how to grant access using IAM, refer to this help topic in the AWS Artifact documentation.
If I already have a signed NDA with AWS outside of Artifact, do I need to accept a new NDA in AWS Artifact?
BAA Agreement
AWS Artifact | Security, Identity & Compliance
Yes, you will need to accept another NDA in Artifact to access and download confidential documents in Artifact. That said, if you have an existing NDA with Amazon, and if your existing NDA covers the same confidential information as the information provided in Artifact, then your existing NDA will apply instead of the Artifact NDA. Please refer to this language in the first paragraph of the Artifact NDA:
“If you have entered into a separate nondisclosure agreement with Amazon that covers at least the same confidential information covered by Artifact Confidential Information (as defined in this Agreement), then that separate nondisclosure agreement will apply instead of this Agreement (see Section 11 below).”
What is AWS Artifact Agreements, and why should I use it?
BAA Agreement
AWS Artifact | Security, Identity & Compliance
AWS Artifact Agreements is a feature of the AWS Artifact service (our audit and compliance portal). AWS Artifact Agreements enables you to review, accept, and manage the status of your Business Associate Addendum (BAA) agreement from the AWS Management Console for your account. You can use the console to enter into a BAA agreement, and thus instantly designate an AWS account for use in connection with protected health information (PHI). Additionally, you can use the console to confirm that your AWS account is designated as a HIPAA account and review the terms of the accepted agreement to understand your obligations. If you no longer need to use the account in connection with PHI, you can use AWS Artifact Agreements to terminate the BAA.
How do I give other users access to AWS Artifact Agreements?
BAA Agreement
AWS Artifact | Security, Identity & Compliance
If you’re an administrator of an AWS account, you can grant IAM permissions to other users to enable them to download, accept, or terminate agreements on behalf of your account in AWS Artifact. For more information, see the AWS Artifact documentation.
What agreements are available in AWS Artifact Agreements?
BAA Agreement
AWS Artifact | Security, Identity & Compliance
Currently, the Business Associate Addendum (BAA) is the only specialized industry agreement that is available in AWS Artifact Agreements. Before you enter into a BAA agreement, you must download and agree to the terms of a nondisclosure agreement (NDA). The BAA is confidential and can’t be shared with others outside of your organization.
