Skip to content

AWS Artifact

Self-service portal for compliance reports, audit documentation, regulatory evidence, and online agreements. Allows customers to access AWS compliance and governance documents on demand.

AWS Artifact = AWS compliance and agreement portal.


Why It Matters for Security

AWS Artifact helps organizations:

  • satisfy audit requirements
  • prove compliance
  • accelerate vendor reviews
  • support governance
  • reduce manual evidence requests

Security teams use Artifact for:

  • audit preparation
  • compliance evidence
  • regulatory validation
  • contractual agreements

Core Concepts

compliance reports · agreements · audit evidence · governance · self-service compliance · regulatory documentation


Important Integrations

AWS Organizations

Supports:

  • centralized agreement management

AWS Audit Manager

Important distinction:

Artifact Audit Manager
Provides Reports Collects Evidence

Very important exam distinction.


AWS IAM

Controls:

  • Artifact access

AWS Compliance Programs

Examples: SOC · ISO · PCI DSS · HIPAA

Very important compliance identity.


AWS Marketplace

Supports:

  • eligible ISV compliance reports

Very important governance capability.


Security Features

Compliance Reports

Artifact provides downloadable reports.

Examples: SOC reports · ISO reports · PCI reports

Useful for:

  • audit evidence
  • security reviews
  • vendor assurance

Agreements

Artifact supports agreement acceptance.

Examples: HIPAA BAA · regulatory agreements · legal acknowledgements

Very important governance capability.


Self-Service Compliance

Pattern:

Customer  →  Artifact  →  Report Access

Benefits:

  • reduced support effort
  • faster audits

Advanced Security and Operational Concepts

Reports vs Agreements (Classic Trap)

Reports Agreements
Provide Compliance Evidence Legal Acceptance
Examples SOC, ISO, PCI HIPAA BAA, regulatory agreements

Very important exam distinction.


NDA Requirement and Report Watermarking

Sensitive compliance reports require:

Review NDA  →  Accept  →  Download

Common examples: SOC 1 · SOC 2

Reports may include:

  • account traceability
  • watermarking

Purpose: accountability · controlled distribution

Very important governance concept.


Organization-Level Agreements

Artifact supports → Organization Agreements

Pattern:

Management Account  →  Accept  →  Entire Organization

Applies to: current accounts · future accounts

Example: HIPAA BAA

Benefits:

  • centralized compliance
  • reduced administration

Very important enterprise capability.


Third-Party ISV Reports

Artifact supports compliance reports for eligible Marketplace vendors.

Examples: SOC · security attestations

Useful for: vendor assessment · procurement validation

Pattern:

Vendor  →  Artifact  →  Review

Very important modern governance capability.


Secure Auditor Sharing

Recommended:

Artifact  →  Download  →  Secure Distribution  →  Auditor

Examples: encrypted storage · controlled sharing · secure portals

Avoid: public sharing · anonymous publication

Very important compliance practice.


Artifact Does NOT Perform Audits

Artifact provides: reports · documents

Artifact does NOT:

  • evaluate controls
  • scan resources
  • collect evidence

Need continuous auditing? → Audit Manager

Very important ownership distinction.


Shared Responsibility Model

Artifact commonly demonstrates AWS Responsibilities.

Examples: infrastructure controls · certifications

Customer remains responsible for: IAM · workloads · applications · configurations

Very important exam concept.


Cost Model

AWS Artifact: No Additional Cost

Useful for: audit readiness · governance programs


Architecture Example

Centralized Compliance Governance

flowchart LR

ORG[AWS Organization]

ART[AWS Artifact]

REP[Reports]

AGR[Agreements]

AUD[Auditor]

ORG --> ART

ART --> REP

ART --> AGR

REP --> AUD

classDef governance fill:#e3f2fd,stroke:#1565c0,color:#0d47a1;
classDef security fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20;

class ORG,ART governance;
class REP,AGR,AUD security;

Use case: centralized compliance management.


Compliance Retrieval Workflow

sequenceDiagram

autonumber

participant USER

participant ART

participant REPORT

USER->>ART: Request report

ART->>REPORT: Retrieve document

REPORT-->>USER: Download

Agreement Workflow

sequenceDiagram

autonumber

participant CUSTOMER

participant ART

participant AWS

CUSTOMER->>ART: Review agreement

ART->>AWS: Accept

AWS-->>CUSTOMER: Confirmation

Organization Agreement Workflow

sequenceDiagram

autonumber

participant MGMT

participant ART

participant ORG

participant MEMBER

MGMT->>ART: Accept agreement

ART->>ORG: Apply

ORG->>MEMBER: Extend coverage

Artifact vs Audit Manager

Artifact Audit Manager
reports evidence
AWS controls customer controls
download continuous evaluation

Very important distinction.


Artifact vs Security Hub

Artifact Security Hub
compliance documents security findings
governance monitoring

Artifact vs Trusted Advisor

Artifact Trusted Advisor
reports recommendations
evidence optimization

Common Exam Traps

Trap 1 — Artifact Does Not Audit Need evidence collection? → Audit Manager

Trap 2 — Reports ≠ Agreements Reports → compliance · Agreements → legal

Trap 3 — NDA Required for Sensitive Reports Need SOC report? → Accept NDA

Trap 4 — Organization Agreements Apply Broadly Need organization-wide BAA? → Organization Agreements

Trap 5 — Artifact Does Not Scan Resources Need control validation? → Audit Manager

Trap 6 — Artifact Supports ISV Reports Need Marketplace compliance? → Artifact

Trap 7 — Shared Responsibility Still Applies Artifact proves → AWS controls · Not → customer compliance

Trap 8 — Secure Report Distribution Matters Use → controlled sharing


5-Second Recall

Identity: Artifact = AWS compliance portal

Keywords — if the scenario mentions any of these, answer AWS Artifact: SOC reports · ISO reports · audit evidence · BAA · compliance documentation

Need Evidence Collection? → Audit Manager

Need Findings? → Security Hub

Need Legal Agreements? → Artifact

Need Vendor Compliance? → Artifact


Quick Revision Notes

compliance portal · reports · agreements · NDA · watermarking · organization agreements · ISV reports · Audit Manager · governance · self-service · shared responsibility · audit evidence · no additional cost