Security, Identity & Compliance | AWS Artifact Flashcards
What is AWS Artifact?
Compliance Reports
AWS Artifact | Security, Identity & Compliance
AWS Artifact, available in the console, is a self-service audit artifact retrieval portal that provides our customers with on-demand access to AWS’ compliance documentation.
Who should use AWS Artifact?
AWS Artifact can be used by all AWS customers to assess and validate the security and compliance of the AWS infrastructure and services that they use.
You should use AWS Artifact if you are:
Obligated to demonstrate the compliance of your cloud architectures during system design, development and audit life cycles. In order to demonstrate the historical and current compliance of your AWS infrastructure (specific to the services that you use), auditors and regulators require you to provide evidence in the form of audit artifacts.
Required to, or are interested in using audit artifacts to validate that your AWS implemented controls are operating effectively.
Interested in continuously monitoring or auditing your suppliers.
A member of a development team that is building secure cloud architectures and in need of guidance in understanding your responsibility for complying with ISO, PCI, SOC, and other regulatory standards. Often, the work of your team will either enable your enterprise to use AWS, or ensure that your enterprise can continue to use AWS.
What is an audit artifact?
An audit artifact is a piece of evidence that demonstrates that an organization is following a documented process, or meeting a specific requirement. Audit artifacts are gathered and archived throughout the system development life cycle, and are to be used as evidence in internal and/or external audits and assessments.
Who has access to AWS Artifact?
All AWS Accounts have access to AWS Artifact. Root users and IAM users with admin permissions can download all audit artifacts available to their account by agreeing to the associated terms and conditions.
You will need to grant IAM users with non-admin permissions access to AWS Artifact using IAM permissions. This allows you to grant a user access to AWS Artifact, while restricting access to other services and resources within your AWS Account. For information on how to grant access using IAM, refer to this help topic in the AWS Artifact documentation.
How can I use these artifacts to meet my audit requirements?
You can provide the AWS audit artifacts to your auditors or regulators as evidence of AWS security controls.
You can also use the responsibility guidance provided by some of the AWS audit artifacts to design your cloud architecture. This guidance helps determine the additional security controls you should put in place in order to support the specific use cases of your system.
Is there a limit to the number of artifacts I can download?
No. You can access and download all available artifacts at any time, as many times as you need.
How do I share audit artifacts with my auditors?
You will often need to provide your auditors with access to AWS compliance reports. You can easily accomplish this by creating IAM user credentials specific to each auditor, and configuring the credentials so that the auditor can only access the reports that are relevant to the audit that they are conducting. For more information, see this help topic in the AWS Artifact documentation.
How do I share audit artifacts with my customers who have a need to assess the security of AWS?
Your customers can access AWS compliance reports using their own AWS Account. If they do not already have an account, you should direct them to create one. There is no charge associated with creating an account.
After logging into their account, your customers can access available reports in the AWS Console by navigating to Compliance Reports under Security, Identity & Compliance. If your customer would like to access a report that requires an NDA, they can receive access by signing a click-through NDA inside the Artifact console.
For more information refer to Getting Started with AWS Artifact.
How do I share audit artifacts with other individuals within my organization?
You will often need to provide other individuals within your organization access to AWS compliance reports. Documents that you download from AWS Artifact are specifically generated for you, and every document has a unique watermark. For this reason, you should only share the documents with individuals that you trust. Do not email the documents as attachments, and do not share them online. To share a document, use a secure sharing service such as Amazon WorkDocs, or create an IAM permissions policy that gives IAM users in the group access to the AWS Artifact documents. For more information, refer to the AWS Artifact documentation.
Can I grant individuals within my organization access only to AWS Artifact?
Yes. Using IAM, you can create a permissions policy for a non-admin group that gives the IAM users in the group access to AWS Artifact. You can then use the policy to restrict access to other services and resources within the associated account. For more information on how to create a non-admin group, refer to the AWS Artifact documentation.
Can I restrict access to individuals within my organization to only select artifacts?
Yes. Access can be granted to one or more artifacts using IAM permissions, giving you full control over who has access to each artifact. For example, if you want your PCI team to have access only to the AWS PCI report, and your SOX team to have access only to the AWS SOC 1 report, you can customize each user's access permissions. For information on how to grant access using IAM, refer to this help topic in the AWS Artifact documentation.
If I already have a signed NDA with AWS outside of Artifact, do I need to accept a new NDA in AWS Artifact?
BAA Agreement
Yes, you will need to accept another NDA in Artifact to access and download confidential documents in Artifact. That said, if you have an existing NDA with Amazon, and if your existing NDA covers the same confidential information as the information provided in Artifact, then your existing NDA will apply instead of the Artifact NDA. Please refer to this language in the first paragraph of the Artifact NDA:
“If you have entered into a separate nondisclosure agreement with Amazon that covers at least the same confidential information covered by Artifact Confidential Information (as defined in this Agreement), then that separate nondisclosure agreement will apply instead of this Agreement (see Section 11 below).”
What is AWS Artifact Agreements, and why should I use it?
AWS Artifact Agreements is a feature of the AWS Artifact service (our audit and compliance portal). AWS Artifact Agreements enables you to review, accept, and manage the status of your Business Associate Addendum (BAA) agreement from the AWS Management Console for your account. You can use the console to enter into a BAA agreement, and thus instantly designate an AWS account for use in connection with protected health information (PHI). Additionally, you can use the console to confirm that your AWS account is designated as a HIPAA account and review the terms of the accepted agreement to understand your obligations. If you no longer need to use the account in connection with PHI, you can use AWS Artifact Agreements to terminate the BAA.
How do I give other users access to AWS Artifact Agreements?
If you’re an administrator of an AWS account, you can grant IAM permissions to other users to enable them to download, accept, or terminate agreements on behalf of your account in AWS Artifact. For more information, see the AWS Artifact documentation.
What agreements are available in AWS Artifact Agreements?
Currently, the Business Associate Addendum (BAA) is the only specialized industry agreement that is available in AWS Artifact Agreements. Before you enter into a BAA agreement, you must download and agree to the terms of a nondisclosure agreement (NDA). The BAA is confidential and can’t be shared with others outside of your organization.
If I already have a signed NDA with AWS outside of Artifact, do I need to accept a new NDA in AWS Artifact Agreements?
Yes, you will need to accept another NDA in Artifact to access and download confidential documents in Artifact. That said, if you have an existing NDA with Amazon, and if your existing NDA covers the same confidential information as the information provided in Artifact, then your existing NDA will apply instead of the Artifact NDA. Please refer to this language in the first paragraph of the Artifact NDA:
“If you have entered into a separate nondisclosure agreement with Amazon that covers at least the same confidential information covered by Artifact Confidential Information (as defined in this Agreement), then that separate nondisclosure agreement will apply instead of this Agreement (see Section 11 below).”
If I am an administrator of an AWS account, can I sign the agreement?
If you’re an administrator of an AWS account, you automatically have permissions to download, accept, and terminate agreements for that account. If you’re not an administrator, you will need additional permissions to accept and terminate agreements. Users whose IAM accounts have been granted full access to download all reports will not inherit access to accept or terminate agreements. However, users whose IAM accounts have been granted full access to AWS Artifact (i.e. an IAM policy with Artifact*) will be able to perform all actions.
The different levels of permissions give administrators the flexibility to grant permissions to IAM users based on the business needs of the users. For more information, see the AWS Artifact documentation.
If I had permissions to download reports in AWS Artifact prior to the availability of AWS Artifact Agreements, can I accept and terminate agreements in addition to downloading them?
Yes. By default, users with administrative privileges can use AWS Artifact Agreements to download, review, and accept agreements. You should always review any agreement terms with your legal, privacy and/or compliance teams before accepting. You can also use IAM to seamlessly grant access to users with a business need (such as members of your legal, privacy and/or compliance teams), so that those users can download, review, and accept agreements for your organization. For more information, see the AWS Artifact documentation.
If I previously signed an offline BAA with AWS, do I have to accept the online BAA in AWS Artifact Agreements?
No. If you previously signed an offline BAA, the terms of that BAA continue to apply to the accounts you already designated as HIPAA Accounts under that offline BAA.
For any account that you have not already designated as a HIPAA Account under your offline BAA, you can use AWS Artifact Agreements to accept an online BAA for that account and instantly designate it as a HIPAA Account.
If I have a previously signed offline BAA with AWS, can I view or download that offline BAA in AWS Artifact Agreements?
No. In order to protect the confidentiality of your offline BAA, you will not be able to download it in AWS Artifact Agreements by default. If you would like to view a copy of your previously signed offline BAA, you can reach out to your AWS Account Manager to request it.
If I designated an account as a HIPAA Account under a previously signed offline BAA, can I use AWS Artifact Agreements to remove that account as a HIPAA Account under my offline BAA?
Yes. You can follow the steps within the AWS Artifact interface to remove your account as a HIPAA Account under your offline BAA. You should only remove an account as a HIPAA Account if you are sure that you have removed all protected health information (PHI) from the account and will no longer use the account in connection with PHI.
If I have a previously signed offline BAA with AWS, can I use AWS Artifact Agreements to designate additional accounts as HIPAA Accounts under my offline BAA?
No. If you need to designate an account as a HIPAA Account under your previously signed offline BAA, you can do so by following the process described in your offline BAA (e.g., sending an email to aws-hipaa@amazon.com). Once confirmed by AWS, the Artifact Agreements interface will change for the newly designated account to reflect that it has been designated as a HIPAA Account under your offline BAA.
If I have an offline BAA with AWS, can I terminate my offline BAA in the AWS Artifact Agreements interface?
No. Customers with a previously signed offline BAA cannot terminate that offline BAA in AWS Artifact. To terminate a previously signed offline BAA, customers will need to provide written notice to AWS according to the terms of the offline BAA.
How do I designate my account as a HIPAA Account under a BAA using AWS Artifact Agreements?
When you accept a BAA online in AWS Artifact, the account you used to log into AWS Artifact is automatically designated as a HIPAA Account under that online BAA. No additional steps are necessary.
If you have additional accounts that need to be covered under a BAA, you must log in to AWS Artifact for each of those other accounts, and separately accept a BAA for each one.