
Using an IAM Policy To Grant Access to Audit Artifacts


Finding Compliance Data with AWS Artifact

In this course, we will be examining AWS Artifact, a free self-service resource that provides you with immediate access to AWS security and compliance reports, as well as the ability to view and accept agreements with AWS at both the account and organization level.

Learning Objectives

The objective of this course is to introduce you to AWS Artifact and explain how it is used to view compliance reports and accept legally binding agreements with AWS.

Intended Audience

This course is ideal for those who have a responsibility for managing governance, preparing audit compliance documentation, or anyone who is unfamiliar with the AWS Artifact service and is simply looking to learn more about it at an introductory level.


Prerequisites

As a prerequisite to this course, you should have a very basic understanding of AWS and cloud computing. This is an introductory course that will cover the basics of AWS Artifact.


So let’s say you’re being audited, and as part of that audit, you need to demonstrate that AWS complies with the ISO 27001 standard for security management. To do this, you’ll need to be able to share the ISO certification reports from AWS Artifact with your auditor. In this demonstration, I’m going to show you a customer-managed IAM policy that will allow only the ISO reports to be downloaded from AWS Artifact, then I will attach that policy to an IAM user for an auditor within my AWS account.

So I’m currently signed in to my AWS account as an Administrator, and here in the IAM Management Console, I’m looking at the summary screen for an IAM user I’ve created named “auditor.” And you’ll see here that my auditor user doesn’t have any permissions yet. So I’m going to click Add permissions, and from here you see I can choose to Add this user to a group, Copy permissions from an existing user, or Attach existing IAM policies directly. And if you’re interested in learning more about these IAM policies in greater detail, I encourage you to check out our course on “Using IAM Policies to Define and Manage Permissions” here.

But for this demonstration, I’ve already created a new customer-managed policy called ArtifactReadISO, so I’ll come down here and filter by Artifact, and here you’ll see my customer-managed policy. And if I click the arrow to expand this, you’ll see the Effect of this policy is to Allow… the Action is Get within artifact… and the ARN of this Resource includes the following prefix to denote only the ISO certification report packages. 

And I could have used PCI or SOC here in place of ISO to denote those specific reports, or I could also have just used report-package/*, which would then allow our auditor to download any report package within Artifact. But following the principle of least privilege, I wanted to restrict this to just the ISO report packages, so I have this full prefix in here. So I’ll come up here and check the box to attach this policy, then come down here and click Next. And then on this screen, I’ll click Add permissions.
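The policy described above, written out as an added example (not the course's own file) with a simplified check of which report packages each resource pattern lets the auditor download. The ARN layout and the sample report names are assumptions, since the exact prefix shown on screen is not reproduced on this page.

```python
import json
import re

# Assumed ARN layout for Artifact report packages; the exact prefix shown in the
# demo is not reproduced on this page.
ISO_ONLY = "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"
ANY_REPORT = "arn:aws:artifact:::report-package/*"

# Constructed sample report ARNs (package names are illustrative, not real IDs).
SAMPLE_REPORTS = {
    "iso": "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/example-iso-27001",
    "soc": "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/example-soc-2",
    "pci": "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/example-pci-dss",
}

def build_policy(resource):
    """Identity policy in the shape described: Allow, artifact:Get, one resource pattern."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["artifact:Get"], "Resource": [resource]}
        ],
    }

def wildcard_match(pattern, value):
    """IAM-style wildcards: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None

def is_allowed(policy, action, resource):
    """Simplified evaluation: only Allow statements, everything else is implicitly denied."""
    return any(
        stmt["Effect"] == "Allow"
        and any(wildcard_match(a, action) for a in stmt["Action"])
        and any(wildcard_match(r, resource) for r in stmt["Resource"])
        for stmt in policy["Statement"]
    )

def access_matrix(policy):
    """Which of the constructed sample reports could be downloaded under this policy."""
    return {name: is_allowed(policy, "artifact:Get", arn) for name, arn in SAMPLE_REPORTS.items()}

if __name__ == "__main__":
    iso_policy = build_policy(ISO_ONLY)
    print(json.dumps(iso_policy, indent=2))  # JSON to paste into the IAM policy editor
    print("ISO-only:", access_matrix(iso_policy))
    print("report-package/*:", access_matrix(build_policy(ANY_REPORT)))
```

The evaluator ignores explicit Deny statements, conditions and permission boundaries, so it only illustrates how the resource pattern narrows or widens the grant.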

So now we see this ArtifactReadISO policy is attached directly to this user. And it’s worth pointing out that if I had multiple IAM users for different auditors in my AWS account, the best practice would be to attach this policy to an IAM user group instead, then just add my IAM users directly to that group rather than attaching this policy to each individual user. But now that I’ve given the auditor account permissions to view the ISO reports, I’m going to log in to the AWS console with that account and see this policy in action.

So I’m logged in as the auditor now, and I’m here on the AWS Artifact home page. So from here I can click View reports, and you’ll notice I can see this full list of reports here, but if I select one of them that isn’t an ISO report and I come up here and click Download report, you’ll see I get this permission required message. So that’s good, our auditor can’t just download any report here. So to find my ISO report, I’m going to come here to the search box and enter ISO 27001. And if I come down here and select the ISO 27001 certification report and click Download report this time, you’ll see my report was successfully downloaded. And this report package is a PDF, which you will want to open with Adobe Acrobat.

Now I should point out, while it is entirely possible to just download the PDF of this report yourself and share it with your auditors via email or some other external means, the best practice here is to leverage AWS Artifact to share these audit artifacts more securely, just like I’ve done in this demonstration. Each report is watermarked with a unique ID specific to your AWS account that would theoretically allow AWS to trace it back to your account if it somehow ended up in the wrong hands, which could be a breach of your non-disclosure agreement for any confidential reports or agreements.

So that’s how we can leverage IAM policies to give fine-grained access to audit artifacts–such as ISO reports stored in AWS Artifact–to our external auditors.

About the Author

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.