Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement Management
Learn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.
Overview of Artifact
Artifact is a service that provides on-demand access to AWS compliance reports and agreements. When your compliance audit requires evidence of AWS's security controls, you can download SOC reports and ISO certificates from Artifact and submit them to your auditors. BAA and GDPR DPA agreements can also be applied across your entire Organizations structure at once. Artifact supports both direct access through the AWS Management Console and programmatic retrieval of reports via the AWS CLI or API.
Reports and Agreement Management
Artifact Reports provides over 50 types of compliance reports, including SOC 1 (internal controls over financial reporting), SOC 2 (security, availability, and confidentiality), PCI DSS AOC (Payment Card Industry compliance attestation), and ISO 27001 certificates. Reports are downloaded in PDF format, and SOC reports are typically 200-400 page detailed documents. Artifact Agreements lets you electronically sign BAA (Business Associate Agreements required for HIPAA compliance) and NDA agreements. When you sign an organization agreement from the Organizations management account, it is automatically applied to all member accounts. Per-account agreements are also possible, but in multi-account environments, organization-level agreements significantly reduce operational overhead.
Using Reports for Audit Response
Reports available through Artifact Reports span a wide range, including SOC 1/2/3, PCI DSS, ISO 27001/27017/27018, FedRAMP, and HIPAA. When auditors request evidence of AWS's security controls, you download the relevant report and submit it. Some reports require agreement to an NDA (Non-Disclosure Agreement), which you accept electronically at the time of download. Artifact Agreements lets you apply BAA (Business Associate Agreement) and GDPR DPA (Data Processing Addendum) across your entire Organizations structure, eliminating the need for per-account agreement management. Reports are updated periodically, so you should retrieve the latest versions in time for your audit schedule. SOC 2 Type II reports attest to the operating effectiveness of controls over a defined period (typically 12 months) and are issued by an audit firm. After retrieval, share them with your audit team and review any noted exceptions or management responses to assess impact on your organization. You can also find detailed coverage of Artifact in related books on Amazon.
Artifact Pricing and Operations
Artifact is free to use. There are no additional charges for downloading reports or managing agreements. From the Organizations management account or a delegated administrator account, you can centrally manage agreements for all member accounts. As an audit response workflow, standardize the process of creating a list of required reports aligned with your annual audit schedule, downloading the latest versions from Artifact, and providing them to your audit team. Under the AWS Shared Responsibility Model, Artifact reports serve as evidence of AWS-side controls; user-side controls must be documented separately. Control access by restricting artifact:Get and artifact:DownloadAgreement IAM actions to audit teams and GRC personnel only, preventing unnecessary distribution of NDA-protected reports.
Best Practices and Common Pitfalls
There are key design considerations for effectively leveraging Artifact. First, using the Organizations delegated administrator feature lets you delegate report retrieval permissions to your GRC team while reducing direct access to the management account. Second, report retrieval history is recorded in CloudTrail, automatically providing an audit trail of who retrieved which report and when. A common pitfall is the mismatch between SOC report coverage periods and your audit period. SOC 2 Type II reports are typically issued for periods like April-March or October-September, and if they don't align with your fiscal year, you may need to request a bridge letter (Gap Letter) from AWS. Additionally, Artifact only provides evidence for AWS-side controls - applications running on EC2 and user-managed databases require you to prepare your own audit evidence.
Integration with Other Services
While Artifact is used independently, combining it with other AWS security services enables a comprehensive compliance posture. AWS Config continuously evaluates whether your resource configurations comply with compliance rules (PCI DSS, CIS Benchmark, etc.), and paired with the AWS-side controls evidenced by Artifact reports, this covers both sides of the Shared Responsibility Model. Security Hub aggregates Config rule compliance status into a unified dashboard, while Audit Manager handles automated evidence collection and audit report generation. In practice, submitting Artifact SOC reports alongside your own Audit Manager reports to external audit firms provides comprehensive control evidence for both the AWS side and your side. In the financial industry, submitting PCI DSS AOC alongside custom security control documentation is common, making the combined use of Artifact and Audit Manager a de facto standard.
Summary
Artifact is a free service that provides on-demand access to AWS compliance reports and agreements. You can download audit reports such as SOC 1/2/3, PCI DSS, and ISO 27001 to submit to auditors, and apply BAA and GDPR DPA across your entire Organizations structure, significantly reducing the effort required for audit response. By properly designing delegated administrator usage, CloudTrail access trails, and SOC report coverage period gap management, you can efficiently standardize your annual audit workflow.