AWS Artifact¶

What Is AWS Artifact?¶

AWS Artifact is AWS’s self-service portal for:

compliance reports
audit documentation
regulatory evidence
online agreements

It allows customers to access AWS compliance and governance documents on demand.

Think of AWS Artifact as:

AWS compliance and agreement portal.

Why It Matters for Security¶

AWS Artifact helps organizations:

satisfy audit requirements
prove compliance
accelerate vendor reviews
support governance
reduce manual evidence requests

Security teams use Artifact for:

audit preparation
compliance evidence
regulatory validation
contractual agreements

Core Concepts¶

compliance reports
agreements
audit evidence
governance
self-service compliance
regulatory documentation

Important Integrations¶

AWS Organizations¶

Supports:

centralized agreement management

AWS Audit Manager¶

Important distinction:

Artifact:

Provides Reports

Audit Manager:

Collects Evidence

Very important exam distinction.

AWS IAM¶

Controls:

Artifact access

AWS Compliance Programs¶

Examples:

SOC
ISO
PCI DSS
HIPAA

Very important compliance identity.

AWS Marketplace¶

Supports:

eligible ISV compliance reports

Very important governance capability.

Security Features¶

Compliance Reports¶

Artifact provides downloadable reports.

Examples:

SOC reports
ISO reports
PCI reports

Useful for:

audit evidence
security reviews
vendor assurance

Agreements¶

Artifact supports agreement acceptance.

Examples:

HIPAA BAA
regulatory agreements
legal acknowledgements

Very important governance capability.

Self-Service Compliance¶

Pattern:

Customer
↓
Artifact
↓
Report Access

Benefits:

reduced support effort
faster audits

Advanced Security and Operational Concepts¶

Reports vs Agreements (Classic Trap)¶

Reports¶

Provide:

Compliance Evidence

Examples:

SOC
ISO
PCI

Agreements¶

Provide:

Legal Acceptance

Examples:

HIPAA BAA
regulatory agreements

Very important exam distinction.

NDA Requirement and Report Watermarking¶

Sensitive compliance reports require:

Review NDA
↓
Accept
↓
Download

Common examples:

SOC 1
SOC 2

Reports may include:

account traceability
watermarking

Purpose:

accountability
controlled distribution

Very important governance concept.

Organization-Level Agreements¶

Artifact supports:

→ Organization Agreements

Pattern:

Management Account
↓
Accept
↓
Entire Organization

Applies to:

current accounts
future accounts

Example:

HIPAA BAA

Benefits:

centralized compliance
reduced administration

Very important enterprise capability.

Third-Party ISV Reports¶

Artifact supports compliance reports for eligible Marketplace vendors.

Examples:

SOC
security attestations

Useful for:

vendor assessment
procurement validation

Pattern:

Vendor
↓
Artifact
↓
Review

Very important modern governance capability.

Recommended:

Artifact
↓
Download
↓
Secure Distribution
↓
Auditor

Examples:

encrypted storage
controlled sharing
secure portals

Avoid:

public sharing
anonymous publication

Very important compliance practice.

Artifact Does NOT Perform Audits¶

Artifact provides:

reports
documents

Artifact does NOT:

evaluate controls
scan resources
collect evidence

Need continuous auditing?

→ Audit Manager

Very important ownership distinction.

Shared Responsibility Model¶

Artifact commonly demonstrates:

AWS Responsibilities

Examples:

infrastructure controls
certifications

Customer remains responsible for:

IAM
workloads
applications
configurations

Very important exam concept.

Cost Model¶

AWS Artifact:

No Additional Cost

Useful for:

audit readiness
governance programs

Architecture Example¶

Centralized Compliance Governance¶

flowchart LR

ORG[AWS Organization]

ART[AWS Artifact]

REP[Reports]

AGR[Agreements]

AUD[Auditor]

ORG --> ART

ART --> REP

ART --> AGR

REP --> AUD

classDef governance fill:#e3f2fd,stroke:#1565c0,color:#0d47a1;
classDef security fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20;

class ORG,ART governance;
class REP,AGR,AUD security;

Use case: centralized compliance management.

Compliance Retrieval Workflow¶

sequenceDiagram

autonumber

participant USER

participant ART

participant REPORT

USER->>ART: Request report

ART->>REPORT: Retrieve document

REPORT-->>USER: Download

Agreement Workflow¶

sequenceDiagram

autonumber

participant CUSTOMER

participant ART

participant AWS

CUSTOMER->>ART: Review agreement

ART->>AWS: Accept

AWS-->>CUSTOMER: Confirmation

Organization Agreement Workflow¶

sequenceDiagram

autonumber

participant MGMT

participant ART

participant ORG

participant MEMBER

MGMT->>ART: Accept agreement

ART->>ORG: Apply

ORG->>MEMBER: Extend coverage

Artifact vs Audit Manager¶

Artifact	Audit Manager
reports	evidence
AWS controls	customer controls
download	continuous evaluation

Very important distinction.

Artifact vs Security Hub¶

Artifact	Security Hub
compliance documents	security findings
governance	monitoring

Artifact vs Trusted Advisor¶

Artifact	Trusted Advisor
reports	recommendations
evidence	optimization

Common Exam Traps¶

Trap 1 — Artifact Does Not Audit¶

Need evidence collection?

→ Audit Manager

Trap 2 — Reports ≠ Agreements¶

Reports:

→ compliance

Agreements:

→ legal

Trap 3 — NDA Required for Sensitive Reports¶

Need SOC report?

→ Accept NDA

Trap 4 — Organization Agreements Apply Broadly¶

Need organization-wide BAA?

→ Organization Agreements

Trap 5 — Artifact Does Not Scan Resources¶

Need control validation?

→ Audit Manager

Trap 6 — Artifact Supports ISV Reports¶

Need Marketplace compliance?

→ Artifact

Trap 7 — Shared Responsibility Still Applies¶

Artifact proves:

→ AWS controls

Not:

→ customer compliance

Trap 8 — Secure Report Distribution Matters¶

Use:

→ controlled sharing

5-Second Recall¶

Identity¶

Artifact = AWS compliance portal

Keywords¶

If the scenario mentions:

SOC reports
ISO reports
audit evidence
BAA
compliance documentation

Answer:

→ AWS Artifact

Need Evidence Collection?¶

→ Audit Manager

Need Findings?¶

→ Security Hub

Need Legal Agreements?¶

→ Artifact

Need Vendor Compliance?¶

→ Artifact

Quick Revision Notes¶

compliance portal
reports
agreements
NDA
watermarking
organization agreements
ISV reports
Audit Manager
governance
self-service
shared responsibility
audit evidence
no additional cost

AWS Artifact¶

What Is AWS Artifact?¶

Why It Matters for Security¶

Core Concepts¶

Important Integrations¶

AWS Organizations¶

AWS Audit Manager¶

AWS IAM¶

AWS Compliance Programs¶

AWS Marketplace¶

Security Features¶

Compliance Reports¶

Agreements¶

Self-Service Compliance¶

Advanced Security and Operational Concepts¶

Reports vs Agreements (Classic Trap)¶

Reports¶

Agreements¶

NDA Requirement and Report Watermarking¶

Organization-Level Agreements¶

Third-Party ISV Reports¶

Secure Auditor Sharing¶

Artifact Does NOT Perform Audits¶

Shared Responsibility Model¶

Cost Model¶

Architecture Example¶

Centralized Compliance Governance¶

Compliance Retrieval Workflow¶

Agreement Workflow¶

Organization Agreement Workflow¶

Artifact vs Audit Manager¶

Artifact vs Security Hub¶

Artifact vs Trusted Advisor¶

Common Exam Traps¶

Trap 1 — Artifact Does Not Audit¶

Trap 2 — Reports ≠ Agreements¶

Trap 3 — NDA Required for Sensitive Reports¶

Trap 4 — Organization Agreements Apply Broadly¶

Trap 5 — Artifact Does Not Scan Resources¶

Trap 6 — Artifact Supports ISV Reports¶

Trap 7 — Shared Responsibility Still Applies¶

Trap 8 — Secure Report Distribution Matters¶

5-Second Recall¶

Identity¶

Keywords¶

Need Evidence Collection?¶

Need Findings?¶

Need Legal Agreements?¶

Need Vendor Compliance?¶

Quick Revision Notes¶