Security

Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement Management

Learn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.

約 3 分で読めます

Overview of Artifact

Artifact is a service that provides on-demand access to AWS compliance reports and agreements. When your compliance audit requires evidence of AWS's security controls, you can download SOC reports and ISO certificates from Artifact and submit them to your auditors. BAA and GDPR DPA agreements can also be applied across your entire Organizations structure at once.

Reports and Agreement Management

Artifact Reports provides over 50 types of compliance reports, including SOC 1 (internal controls over financial reporting), SOC 2 (security, availability, and confidentiality), PCI DSS AOC (Payment Card Industry compliance attestation), and ISO 27001 certificates. Artifact Agreements lets you electronically sign BAA (Business Associate Agreements required for HIPAA compliance) and NDA agreements. When you sign an organization agreement from the Organizations management account, it is automatically applied to all member accounts.

Using Reports for Audit Response

Reports available through Artifact Reports span a wide range, including SOC 1/2/3, PCI DSS, ISO 27001/27017/27018, FedRAMP, and HIPAA. When auditors request evidence of AWS's security controls, you download the relevant report and submit it. Some reports require agreement to an NDA (Non-Disclosure Agreement), which you accept electronically at the time of download. Artifact Agreements lets you apply BAA (Business Associate Agreement) and GDPR DPA (Data Processing Addendum) across your entire Organizations structure, eliminating the need for per-account agreement management. Reports are updated periodically, so you should retrieve the latest versions in time for your audit schedule. You can also find detailed coverage of Artifact in related books on Amazon.

Artifact Pricing and Operations

Artifact is free to use. There are no additional charges for downloading reports or managing agreements. From the Organizations management account or a delegated administrator account, you can centrally manage agreements for all member accounts. As an audit response workflow, standardize the process of creating a list of required reports aligned with your annual audit schedule, downloading the latest versions from Artifact, and providing them to your audit team. Under the AWS Shared Responsibility Model, Artifact reports serve as evidence of AWS-side controls; user-side controls must be documented separately.

Summary

Artifact is a free service that provides on-demand access to AWS compliance reports and agreements. You can download audit reports such as SOC 1/2/3, PCI DSS, and ISO 27001 to submit to auditors, and apply BAA and GDPR DPA across your entire Organizations structure, significantly reducing the effort required for audit response.

Related Services

AWS ArtifactA service for on-demand access to AWS compliance reports and agreementsAWS OrganizationsA service for centrally managing multiple AWS accountsAWS ConfigA service that records and evaluates AWS resource configuration changes and continuously monitors compliance

Related Articles

Continuous Compliance Monitoring with AWS Config - Rule Evaluation and Auto-RemediationLearn how to record resource configurations with AWS Config, evaluate compliance using Config rules, and set up auto-remediation actions.Building a Multi-Account Environment with AWS Control Tower - Landing Zone and GuardrailsEstablish governance for your multi-account environment with automated landing zone construction and guardrail-based policy enforcement. Also covers automated account creation with Account Factory.Multi-Account Strategy and AWS Organizations - The Optimal Approach to Cloud GovernanceEstablish security boundaries and optimize cost allocation through OU hierarchy design and SCP governance controls in Organizations. This article covers the full picture of multi-account operations, including Control Tower guardrails and consolidated billing.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.CloudTrail Sees Everything - How API Calls Are Recorded and Practical Forensic InvestigationThis article explains how CloudTrail records AWS API calls, the differences between management events and data events, SQL analysis with CloudTrail Lake, and forensic investigation techniques when a security incident occurs.

Similar Articles and Services

AWS Compliance - Over 143 Certifications from ISMAP to PCI DSS That Outpace the CompetitionExplore the breadth of AWS's 143+ compliance certifications, focusing on ISMAP, SOC, PCI DSS, and HIPAA, and compare the certification coverage with Azure and GCP.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.AWS Audit ManagerA service that automates compliance audit evidence collection and continuously assesses adherence to frameworks such as SOC 2, PCI DSS, and HIPAAAWS Audit ManagerA service that automates evidence collection and assessment for compliance audits