AWS Artifact¶
Self-service portal for compliance reports, audit documentation, regulatory evidence, and online agreements. Allows customers to access AWS compliance and governance documents on demand.
AWS Artifact = AWS compliance and agreement portal.
Why It Matters for Security¶
AWS Artifact helps organizations:
- satisfy audit requirements
- prove compliance
- accelerate vendor reviews
- support governance
- reduce manual evidence requests
Security teams use Artifact for:
- audit preparation
- compliance evidence
- regulatory validation
- contractual agreements
Core Concepts¶
compliance reports · agreements · audit evidence · governance · self-service compliance · regulatory documentation
Important Integrations¶
AWS Organizations¶
Supports:
- centralized agreement management
AWS Audit Manager¶
Important distinction:
| Artifact | Audit Manager |
|---|---|
| Provides Reports | Collects Evidence |
Very important exam distinction.
AWS IAM¶
Controls:
- Artifact access
AWS Compliance Programs¶
Examples: SOC · ISO · PCI DSS · HIPAA
Very important compliance identity.
AWS Marketplace¶
Supports:
- eligible ISV compliance reports
Very important governance capability.
Security Features¶
Compliance Reports¶
Artifact provides downloadable reports.
Examples: SOC reports · ISO reports · PCI reports
Useful for:
- audit evidence
- security reviews
- vendor assurance
Agreements¶
Artifact supports agreement acceptance.
Examples: HIPAA BAA · regulatory agreements · legal acknowledgements
Very important governance capability.
Self-Service Compliance¶
Pattern:
Customer → Artifact → Report Access
Benefits:
- reduced support effort
- faster audits
Advanced Security and Operational Concepts¶
Reports vs Agreements (Classic Trap)¶
| Reports | Agreements | |
|---|---|---|
| Provide | Compliance Evidence | Legal Acceptance |
| Examples | SOC, ISO, PCI | HIPAA BAA, regulatory agreements |
Very important exam distinction.
NDA Requirement and Report Watermarking¶
Sensitive compliance reports require:
Review NDA → Accept → Download
Common examples: SOC 1 · SOC 2
Reports may include:
- account traceability
- watermarking
Purpose: accountability · controlled distribution
Very important governance concept.
Organization-Level Agreements¶
Artifact supports → Organization Agreements
Pattern:
Management Account → Accept → Entire Organization
Applies to: current accounts · future accounts
Example: HIPAA BAA
Benefits:
- centralized compliance
- reduced administration
Very important enterprise capability.
Third-Party ISV Reports¶
Artifact supports compliance reports for eligible Marketplace vendors.
Examples: SOC · security attestations
Useful for: vendor assessment · procurement validation
Pattern:
Vendor → Artifact → Review
Very important modern governance capability.
Secure Auditor Sharing¶
Recommended:
Artifact → Download → Secure Distribution → Auditor
Examples: encrypted storage · controlled sharing · secure portals
Avoid: public sharing · anonymous publication
Very important compliance practice.
Artifact Does NOT Perform Audits¶
Artifact provides: reports · documents
Artifact does NOT:
- evaluate controls
- scan resources
- collect evidence
Need continuous auditing? → Audit Manager
Very important ownership distinction.
Shared Responsibility Model¶
Artifact commonly demonstrates AWS Responsibilities.
Examples: infrastructure controls · certifications
Customer remains responsible for: IAM · workloads · applications · configurations
Very important exam concept.
Cost Model¶
AWS Artifact: No Additional Cost
Useful for: audit readiness · governance programs
Architecture Example¶
Centralized Compliance Governance¶
flowchart LR
ORG[AWS Organization]
ART[AWS Artifact]
REP[Reports]
AGR[Agreements]
AUD[Auditor]
ORG --> ART
ART --> REP
ART --> AGR
REP --> AUD
classDef governance fill:#e3f2fd,stroke:#1565c0,color:#0d47a1;
classDef security fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20;
class ORG,ART governance;
class REP,AGR,AUD security;
Use case: centralized compliance management.
Compliance Retrieval Workflow¶
sequenceDiagram
autonumber
participant USER
participant ART
participant REPORT
USER->>ART: Request report
ART->>REPORT: Retrieve document
REPORT-->>USER: Download
Agreement Workflow¶
sequenceDiagram
autonumber
participant CUSTOMER
participant ART
participant AWS
CUSTOMER->>ART: Review agreement
ART->>AWS: Accept
AWS-->>CUSTOMER: Confirmation
Organization Agreement Workflow¶
sequenceDiagram
autonumber
participant MGMT
participant ART
participant ORG
participant MEMBER
MGMT->>ART: Accept agreement
ART->>ORG: Apply
ORG->>MEMBER: Extend coverage
Artifact vs Audit Manager¶
| Artifact | Audit Manager |
|---|---|
| reports | evidence |
| AWS controls | customer controls |
| download | continuous evaluation |
Very important distinction.
Artifact vs Security Hub¶
| Artifact | Security Hub |
|---|---|
| compliance documents | security findings |
| governance | monitoring |
Artifact vs Trusted Advisor¶
| Artifact | Trusted Advisor |
|---|---|
| reports | recommendations |
| evidence | optimization |
Common Exam Traps¶
Trap 1 — Artifact Does Not Audit Need evidence collection? → Audit Manager
Trap 2 — Reports ≠ Agreements Reports → compliance · Agreements → legal
Trap 3 — NDA Required for Sensitive Reports Need SOC report? → Accept NDA
Trap 4 — Organization Agreements Apply Broadly Need organization-wide BAA? → Organization Agreements
Trap 5 — Artifact Does Not Scan Resources Need control validation? → Audit Manager
Trap 6 — Artifact Supports ISV Reports Need Marketplace compliance? → Artifact
Trap 7 — Shared Responsibility Still Applies Artifact proves → AWS controls · Not → customer compliance
Trap 8 — Secure Report Distribution Matters Use → controlled sharing
5-Second Recall¶
Identity: Artifact = AWS compliance portal
Keywords — if the scenario mentions any of these, answer AWS Artifact: SOC reports · ISO reports · audit evidence · BAA · compliance documentation
Need Evidence Collection? → Audit Manager
Need Findings? → Security Hub
Need Legal Agreements? → Artifact
Need Vendor Compliance? → Artifact
Quick Revision Notes¶
compliance portal · reports · agreements · NDA · watermarking · organization agreements · ISV reports · Audit Manager · governance · self-service · shared responsibility · audit evidence · no additional cost