
Create IAM users and add them to the group

In the document AWS Artifact (pages 13-21)

Step 1: Create an IAM policy

As an IAM administrator, you can create a policy that grants permissions to AWS Artifact actions and resources.

To create an IAM policy

Use the following procedure to create an IAM policy that you can use to grant permissions to your IAM users and groups.

1. Open the IAM console at https://console.aws.amazon.com/iam/.

2. In the navigation pane, choose Policies.

3. Choose Create policy.

4. Choose the JSON tab.

5. Enter a policy document. You can create your own policy, or you can use one of the policies from Example IAM policies (p. 11).


6. Choose Review Policy. The policy validator reports any syntax errors.

7. On the Review policy page, enter a unique name that helps you remember the purpose of the policy. You can also provide a description.

8. Choose Create policy.

Step 2: Create an IAM group and attach the policy

As an IAM administrator, you can create a group and attach the policy that you created to the group. You can add IAM users to the group at any time.

To create an IAM group and attach your policy

1. In the navigation pane, choose Groups and then choose Create New Group.

2. For Group Name, enter a name for your group and then choose Next Step.

3. In the search field, enter the name of the policy that you created. Select the check box for your policy and then choose Next Step.

4. Review the group name and policies. When you are ready, choose Create Group.

Step 3: Create IAM users and add them to the group

As an IAM administrator, you can add users to a group at any time. This grants the users the permissions granted to the group.

To create an IAM user and add the user to a group

1. In the navigation pane, choose Users and then choose Add user.

2. For User name, enter the names for one or more users.

3. Select the check box next to AWS Management Console access. Configure an auto-generated or custom password. You can optionally select User must create a new password at next sign-in to require a password reset when the user first signs in.

4. Choose Next: Permissions.

5. Choose Add user to group and then select the group that you created.

6. Choose Next: Tags. You can optionally add tags to your users.

7. Choose Next: Review. When you are ready, choose Create user.

Example IAM policies

You can create permissions policies that grant permissions to IAM users. You can grant users access to AWS Artifact reports and the ability to accept and download agreements on behalf of either a single account or an organization.

The following example policies show permissions that you can assign to IAM users based on the level of access that they need.

• Example policies to manage reports (p. 12)

• Example policies to manage agreements (p. 12)

• Example policies to integrate with AWS Organizations (p. 13)

• Example policies to manage agreements for the management account (p. 14)

• Example policies to manage organizational agreements (p. 15)


Example policies to manage reports

The following policy grants permission to download all reports.

{
  "Version": "2012-10-17",
  "Statement": [

The following policy grants permission to download only the SOC, PCI, and ISO reports.

{
  "Version": "2012-10-17",
  "Statement": [
        "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
        "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
        "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"
      ]
    }
  ]
}
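Added example, not from the AWS guide: a minimal evaluator for the resource scoping that the restricted report policy above relies on, showing why a SOC or ISO report ARN is allowed while any other report family falls to the implicit deny. It assumes artifact:Get as the report-download action (the page's policy fragments do not show the Action line), and the report ARNs it tests are constructed.

```python
import re

# Resource patterns quoted from the page's restricted report policy (SOC, PCI and ISO only).
SCOPED_REPORT_RESOURCES = [
    "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
    "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
    "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*",
]

# Assumption: artifact:Get is the report-download action; the page's fragments do not show the Action line.
SCOPED_REPORT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "artifact:Get", "Resource": SCOPED_REPORT_RESOURCES}],
}


def _iam_match(pattern, value, fold=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character, the rest is literal."""
    if fold:  # IAM compares action names case-insensitively; resource ARNs are case-sensitive.
        pattern, value = pattern.lower(), value.lower()
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def evaluate(policy, action, resource):
    """Simplified evaluation of one identity policy: an explicit Deny wins, then any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_iam_match(a, action, fold=True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed report ARNs (not real AWS Artifact report names) used to exercise the scoping.
SOC_REPORT = "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/SOC 2 Type II"
ISO_REPORT = "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/ISO 27001"
OTHER_REPORT = "arn:aws:artifact:::report-package/Certifications and Attestations/FedRAMP/Moderate"

if __name__ == "__main__":
    for arn in (SOC_REPORT, ISO_REPORT, OTHER_REPORT):
        print(evaluate(SCOPED_REPORT_POLICY, "artifact:Get", arn), arn)
```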

Example policies to manage agreements

The following policy grants permission to download all agreements. IAM users must also have this permission to accept agreements.

{
  "Version": "2012-10-17",
  "Statement": [

The following policy grants permission to accept an agreement.


{
  "Version": "2012-10-17",
  "Statement": [

The following policy grants permission to terminate an agreement.

{
  "Version": "2012-10-17",
  "Statement": [

The following policy grants permissions to manage single account agreements.

{
  "Version": "2012-10-17",
  "Statement": [

Example policies to integrate with AWS Organizations

The following policy grants permission to create the IAM role that AWS Artifact uses to integrate with AWS Organizations. Your organization's management account must have these permissions to get started with organizational agreements.

{
  "Version": "2012-10-17",
  "Statement": [
      "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync"
    },
    {
      "Effect": "Allow",
      "Action": "iam:AttachRolePolicy",
      "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync",
      "Condition": {

The following policy grants permission to grant AWS Artifact the permissions to use AWS Organizations.

Your organization's management account must have these permissions to get started with organizational agreements.

{
  "Version": "2012-10-17",
  "Statement": [
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    }
  ]
}

Example policies to manage agreements for the management account

The following policy grants permissions to manage agreements for the management account.

{
  "Version": "2012-10-17",
  "Statement": [
      "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync"
    },
    {
      "Effect": "Allow",
      "Action": "iam:AttachRolePolicy",
      "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync",
      "Condition": {
        "organizations:ListAWSServiceAccessForOrganization"

Example policies to manage organizational agreements

The following policy grants permissions to manage organizational agreements. Another user with the required permissions must set up the organizational agreements.

{
  "Version": "2012-10-17",
  "Statement": [
    }
  ]
}

The following policy grants permissions to view organizational agreements.

{
  "Version": "2012-10-17",
  "Statement": [

Cross-service confused deputy prevention

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the calling service) calls another service (the called service). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account.

When you enable trusted access between AWS Artifact and AWS Organizations, we automatically create a role with a policy in your account that limits who can assume that role.

We use the aws:SourceArn and aws:SourceAccount global condition context keys in the trust policy to limit the entities that can assume the service role we create in your account. With the global condition context keys, the aws:SourceAccount value and the account in the aws:SourceArn value must use the same account ID when used in the same policy statement.

Below is an example of the policy we create with the role when you enable trusted access between AWS Artifact and AWS Organizations.

{
  "Version": "2012-10-17",
  "Statement": [
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:artifact:us-west-2:00117294401"
        },
        "StringEquals": {
          "aws:SourceAccount": "00117294401"
        }
      }
    }
  ]
}
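Added example, not part of the AWS guide: a check that a role trust policy applies the two conditions described above to every statement that lets a service principal assume the role, including the rule that the account ID inside aws:SourceArn must equal aws:SourceAccount. The condition values are the page's; the Principal and Action lines in the sample policy are assumptions, since the page's fragment does not show them. It also accepts list-valued conditions and any condition operator (ArnLike as well as ArnEquals), which the page's single example does not exercise.

```python
# Constructed role trust policy modelled on the page's example (same aws:SourceArn and
# aws:SourceAccount values). Principal and Action are assumptions: the page's fragment omits them.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "artifact.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "ArnEquals": {"aws:SourceArn": "arn:aws:artifact:us-west-2:00117294401"},
            "StringEquals": {"aws:SourceAccount": "00117294401"},
        },
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _cond_values(condition, key):
    """Collect the values of a condition key under any operator (ArnEquals, ArnLike, StringEquals, ...)."""
    found = []
    for operator_values in condition.values():
        for k, v in operator_values.items():
            if k.lower() == key.lower():
                found.extend(_as_list(v))
    return found


def check_service_trust(policy):
    """Findings for each Allow statement that lets a service principal assume the role; an empty list
    means both aws:SourceArn and aws:SourceAccount are pinned and every SourceArn account matches."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) or "Service" not in principal:
            continue  # only service principals are relevant to cross-service confused deputy
        cond = stmt.get("Condition", {})
        arns = _cond_values(cond, "aws:SourceArn")
        accounts = _cond_values(cond, "aws:SourceAccount")
        if not arns:
            findings.append(f"statement {i}: no aws:SourceArn condition")
        if not accounts:
            findings.append(f"statement {i}: no aws:SourceAccount condition")
        for arn in arns:
            # ARN layout is arn:partition:service:region:account:resource; field 4 is the account ID.
            fields = arn.split(":", 5)
            if accounts and (len(fields) < 5 or fields[4] not in accounts):
                findings.append(f"statement {i}: account in aws:SourceArn {arn} does not match aws:SourceAccount")
    return findings
```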

Document history for AWS Artifact

The following table describes the releases for AWS Artifact.

• Security (p. 18), December 20, 2021: Added section to Identity and access management page for confused deputy prevention.

• Reports (p. 18), December 17, 2020: Removed non-disclosure agreement and introduced terms and conditions for report downloads.

• Home page and search (p. 18), May 15, 2020: Added service home page and search bar on the reports and agreements page.

• GovCloud launch (p. 18), November 7, 2019: Launched AWS Artifact in GovCloud regions.

• AWS Organizations agreements (p. 18), June 20, 2018: Added support for managing agreements for an organization.

• Agreements (p. 18), June 17, 2017: Added support for managing AWS Artifact agreements.

• Initial release (p. 18), November 30, 2016: This release introduces AWS Artifact.
