AWS Artifact | BAA Agreement Flashcards

1
Q

If I already have a signed NDA with AWS outside of Artifact, do I need to accept a new NDA in AWS Artifact?

BAA Agreement

AWS Artifact | Security, Identity & Compliance

A

Yes, you will need to accept another NDA in Artifact to access and download confidential documents in Artifact. That said, if you have an existing NDA with Amazon, and if your existing NDA covers the same confidential information as the information provided in Artifact, then your existing NDA will apply instead of the Artifact NDA. Please refer to this language in the first paragraph of the Artifact NDA:

“If you have entered into a separate nondisclosure agreement with Amazon that covers at least the same confidential information covered by Artifact Confidential Information (as defined in this Agreement), then that separate nondisclosure agreement will apply instead of this Agreement (see Section 11 below).”

2
Q

What is AWS Artifact Agreements, and why should I use it?

A

AWS Artifact Agreements is a feature of the AWS Artifact service (our audit and compliance portal). AWS Artifact Agreements enables you to review, accept, and manage the status of your Business Associate Addendum (BAA) agreement from the AWS Management Console for your account. You can use the console to enter into a BAA agreement, and thus instantly designate an AWS account for use in connection with protected health information (PHI). Additionally, you can use the console to confirm that your AWS account is designated as a HIPAA account and review the terms of the accepted agreement to understand your obligations. If you no longer need to use the account in connection with PHI, you can use AWS Artifact Agreements to terminate the BAA.

3
Q

How do I give other users access to AWS Artifact Agreements?

A

If you’re an administrator of an AWS account, you can grant IAM permissions to other users to enable them to download, accept, or terminate agreements on behalf of your account in AWS Artifact. For more information, see the AWS Artifact documentation.

4
Q

What agreements are available in AWS Artifact Agreements?

A

Currently, the Business Associate Addendum (BAA) is the only specialized industry agreement that is available in AWS Artifact Agreements. Before you enter into a BAA agreement, you must download and agree to the terms of a nondisclosure agreement (NDA). The BAA is confidential and can’t be shared with others outside of your organization.

5
Q

If I already have a signed NDA with AWS outside of Artifact, do I need to accept a new NDA in AWS Artifact Agreements?

A

Yes, you will need to accept another NDA in Artifact to access and download confidential documents in Artifact. That said, if you have an existing NDA with Amazon, and if your existing NDA covers the same confidential information as the information provided in Artifact, then your existing NDA will apply instead of the Artifact NDA. Please refer to this language in the first paragraph of the Artifact NDA:

“If you have entered into a separate nondisclosure agreement with Amazon that covers at least the same confidential information covered by Artifact Confidential Information (as defined in this Agreement), then that separate nondisclosure agreement will apply instead of this Agreement (see Section 11 below).”

6
Q

If I am an administrator of an AWS account, can I sign the agreement?

A

If you’re an administrator of an AWS account, you automatically have permissions to download, accept, and terminate agreements for that account. If you’re not an administrator, you will need additional permissions to accept and terminate agreements. Users whose IAM accounts have been granted full access to download all reports will not inherit access to accept or terminate agreements. However, users whose IAM accounts have been granted full access to AWS Artifact (i.e. an IAM policy with Artifact*) will be able to perform all actions.

The different levels of permissions give administrators the flexibility to grant permissions to IAM users based on the business needs of the users. For more information, see the AWS Artifact documentation.

7
Q

If I had permissions to download reports in AWS Artifact prior to the availability of AWS Artifact Agreements, can I accept and terminate agreements in addition to downloading them?

A

Yes. By default, users with administrative privileges can use AWS Artifact Agreements to download, review, and accept agreements. You should always review any agreement terms with your legal, privacy and/or compliance teams before accepting. You can also use IAM to seamlessly grant access to users with a business need (such as members of your legal, privacy and/or compliance teams), so that those users can download, review, and accept agreements for your organization. For more information, see the AWS Artifact documentation.

8
Q

If I previously signed an offline BAA with AWS, do I have to accept the online BAA in AWS Artifact Agreements?

A

No. If you previously signed an offline BAA, the terms of that BAA continue to apply to the accounts you already designated as HIPAA Accounts under that offline BAA.

For any account that you have not already designated as a HIPAA Account under your offline BAA, you can use AWS Artifact Agreements to accept an online BAA for that account and instantly designate it as a HIPAA Account.

9
Q

If I have a previously signed offline BAA with AWS, can I view or download that offline BAA in AWS Artifact Agreements?

A

No. In order to protect the confidentiality of your offline BAA, you will not be able to download it in AWS Artifact Agreements by default. If you would like to view a copy of your previously signed offline BAA, you can reach out to your AWS Account Manager to request it.

10
Q

If I designated an account as a HIPAA Account under a previously signed offline BAA, can I use AWS Artifact Agreements to remove that account as a HIPAA Account under my offline BAA?

A

Yes. You can follow the steps within the AWS Artifact interface to remove your account as a HIPAA Account under your offline BAA. You should only remove an account as a HIPAA Account if you are sure that you have removed all protected health information (PHI) from the account and will no longer use the account in connection with PHI.

11
Q

If I have a previously signed offline BAA with AWS, can I use AWS Artifact Agreements to designate additional accounts as HIPAA Accounts under my offline BAA?

A

No. If you need to designate an account as a HIPAA Account under your previously signed offline BAA, you can do so by following the process described in your offline BAA (e.g., sending an email to aws-hipaa@amazon.com). Once confirmed by AWS, the Artifact Agreements interface will change for the newly designated account to reflect that it has been designated as a HIPAA Account under your offline BAA.

12
Q

If I have an offline BAA with AWS, can I terminate my offline BAA in the AWS Artifact Agreements interface?

A

No. Customers with a previously signed offline BAA cannot terminate that offline BAA in AWS Artifact. To terminate a previously signed offline BAA, customers will need to provide written notice to AWS according to the terms of the offline BAA.

13
Q

How do I designate my account as a HIPAA Account under a BAA using AWS Artifact Agreements?

A

When you accept a BAA online in AWS Artifact, the account you used to log into AWS Artifact is automatically designated as a HIPAA Account under that online BAA. No additional steps are necessary.

If you have additional accounts that need to be covered under a BAA, you must log in to AWS Artifact for each of those other accounts, and separately accept a BAA for each one.

14
Q

Can I designate more than one account as a HIPAA Account under a BAA using AWS Artifact Agreements?

A

Yes. However, you must log in to AWS Artifact for each account that needs to be covered under a BAA and separately accept a BAA for each one.

Similarly, if you terminate an online BAA, only the account associated with that online BAA agreement will be removed as a HIPAA Account.

15
Q

How does AWS Artifact Agreements work for reseller accounts?

A

AWS Artifact Agreements works the same for reseller accounts. Resellers can use IAM to control who has permissions to download, accept, and terminate agreements. By default, only users with administrative privileges can grant access.

16
Q

How does AWS Artifact Agreements relate to or work with other AWS services?

A

AWS Artifact Agreements, and the entire AWS Artifact service, can be used independently by both technical and non-technical users at no cost. Administrators of AWS accounts can grant users IAM permissions to perform one or more actions within AWS Artifact. These actions include downloading reports, accepting agreements, and terminating agreements. For more information, see the AWS Artifact documentation.

17
Q

What happens when I terminate an online BAA in AWS Artifact Agreements?

A

If you terminate an online BAA in AWS Artifact, the account you used to log in to AWS Artifact will immediately be removed as a HIPAA Account and will no longer be covered by a BAA with AWS. Using AWS Artifact to terminate an online BAA for one account will not terminate any other BAA you have in place with AWS for any other account.

You should only terminate a BAA for an account if you are sure that you have removed all protected health information (PHI) from the account and will no longer use the account in connection with PHI.

18
Q

If I have a BAA with AWS, what AWS services can I use in my HIPAA account?

A

You may use any AWS service in an account designated as a HIPAA Account, but you may only include PHI in HIPAA Eligible Services. Our HIPAA Eligible Services Reference page contains the latest list of HIPAA Eligible Services.

19
Q

Can I enter into a BAA agreement without using AWS Artifact?

A

Yes. If you prefer to enter into an offline BAA with AWS, please contact your AWS Account Manager or contact us to submit your request. However, we encourage you to take advantage of the speed, efficiency and visibility provided by AWS Artifact Agreements.