Finding Compliance Data With AWS Artifact
6h 2m

This section of the AWS Certified Solutions Architect - Professional learning path introduces the AWS management and governance services relevant to the AWS Certified Solutions Architect - Professional exam. These services are used to help you audit, monitor, and evaluate your AWS infrastructure and resources and form a core component of resilient and performant architectures. 


Learning Objectives

  • Understand the benefits of using AWS CloudWatch and audit logs to manage your infrastructure
  • Learn how to record and track API requests using AWS CloudTrail
  • Learn what AWS Config is and its components
  • Manage multi-account environments with AWS Organizations and Control Tower
  • Learn how to carry out logging with CloudWatch, CloudTrail, CloudFront, and VPC Flow Logs
  • Learn about AWS data transformation tools such as AWS Glue, the Amazon Athena query service, and data visualization with Amazon QuickSight
  • Learn how AWS CloudFormation can be used to represent your infrastructure as code (IaC)
  • Understand SLAs in AWS

Hello, and welcome to this lecture where I will be examining AWS Artifact, a free self-service portal that provides you with immediate access to AWS security and compliance reports. Within AWS Artifact, you also have the ability to view, download, accept, and terminate legal agreements between you and AWS at both the account and organization level.

So you may be asking yourself: why would I ever need to access the information in AWS Artifact? As it turns out, there are several reasons. For starters, you might be asked to provide evidence of the current or historical compliance of the AWS services used within your architecture as part of an audit your enterprise must pass before it may continue to use the AWS cloud, and that audit could extend to your suppliers as well. Or perhaps you simply want to learn more about your own responsibilities under regulatory standards such as the Payment Card Industry Data Security Standard (PCI DSS), or under attestation frameworks such as System and Organization Controls (SOC) reports. After all, simply running on the AWS cloud does not guarantee that the systems you build within it will be secure or compliant. We'll discuss this more in a moment.

AWS Artifact can be accessed directly from the AWS console by searching “Artifact.” From there, the AWS Artifact home page gives you options to view reports and view agreements, so let’s spend a little time discussing reports and agreements in more detail.

AWS Artifact Reports consist of AWS auditor-issued reports and include everything from ISO certifications to PCI and SOC reports.

These reports, known as audit artifacts, can be shared with auditors and regulators by creating IAM users (or IAM roles they can assume) with an identity-based policy that grants read access only to the specific reports they need, rather than to the whole catalogue. These audit artifacts allow you to provide evidence of AWS security controls to demonstrate compliance with any applicable governance, regulations, or frameworks when architecting solutions in the AWS cloud. Of course, this is always done in accordance with the AWS Shared Responsibility Model, where AWS is responsible for the security OF the cloud (the facilities, hardware, and managed service software), while you remain responsible for the security of your own systems and applications IN the cloud. Consequently, the compliance reports provided within AWS Artifact pertain only to AWS and do not in any way certify the security or compliance of your own company, organization, or application. However, these audit artifacts can and should inform the security controls you choose to implement as part of your own cloud architecture and solution design.
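The following added example (not code from the lecture or from AWS) shows what "grants access only to the necessary reports" looks like in practice: it builds an identity-based policy that lets an auditor list the report catalogue but fetch only the named reports, and it includes a small IAM-style evaluator so the policy's effect can be checked before it is attached to a user or role. The report ARN shape `arn:aws:artifact:<region>::report/<report-id>`, the `artifact:*` action names, and the report IDs are assumptions for illustration; verify them against the current IAM service authorization reference for AWS Artifact before use.

```python
"""Least-privilege IAM policy for sharing selected AWS Artifact reports.

Added example; not part of the original lecture. The ARN format, action
names and report IDs below are assumptions and must be checked against the
current AWS documentation before this policy is attached to a principal.
"""
import fnmatch
import json

# Assumed report ARN shape; the report IDs passed in are hypothetical.
ARTIFACT_REPORT_ARN = "arn:aws:artifact:{region}::report/{report_id}"


def artifact_reader_policy(report_ids, region="us-east-1"):
    """Return a policy document that allows listing all reports but reading
    (metadata, terms and the document itself) only the named report IDs."""
    report_arns = [
        ARTIFACT_REPORT_ARN.format(region=region, report_id=rid) for rid in report_ids
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Listing the catalogue is not resource-scoped, so it needs "*".
                "Sid": "ListReportCatalogue",
                "Effect": "Allow",
                "Action": "artifact:ListReports",
                "Resource": "*",
            },
            {
                # Reading a report means: read metadata, fetch the terms that
                # must be accepted, then fetch the report itself.
                "Sid": "ReadSelectedReportsOnly",
                "Effect": "Allow",
                "Action": [
                    "artifact:GetReportMetadata",
                    "artifact:GetTermForReport",
                    "artifact:GetReport",
                ],
                "Resource": report_arns,
            },
            {
                # Defence in depth: an auditor must never be able to change the
                # account's legal agreements, even if a broader policy is later
                # attached to the same principal (explicit Deny always wins).
                "Sid": "NeverTouchAgreements",
                "Effect": "Deny",
                "Action": [
                    "artifact:AcceptAgreement",
                    "artifact:TerminateAgreement",
                ],
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters, '?' one character.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Minimal IAM evaluation for identity-based policies:
    an explicit Deny wins, otherwise any matching Allow grants, otherwise
    the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Hypothetical report ID for the one SOC report the auditor is entitled to.
    policy = artifact_reader_policy(["report-SOC2EXAMPLE0001"])
    print(json.dumps(policy, indent=2))
    soc = ARTIFACT_REPORT_ARN.format(region="us-east-1", report_id="report-SOC2EXAMPLE0001")
    pci = ARTIFACT_REPORT_ARN.format(region="us-east-1", report_id="report-PCIEXAMPLE00002")
    print("GetReport on SOC report:", is_allowed(policy, "artifact:GetReport", soc))
    print("GetReport on PCI report:", is_allowed(policy, "artifact:GetReport", pci))
```

Attach the generated document to the auditor's IAM user or role; because the second statement lists report ARNs explicitly, adding a report for a new audit is a matter of appending its ID rather than widening the policy to `artifact:*`.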

In addition to security and compliance reports, AWS Artifact also allows you to view and execute legally binding agreements between you and AWS.

These agreements can be applied at the individual account level, or, if you are signed in to the AWS console with the management account of an organization in AWS Organizations, to all member accounts within your organization at once. One example of a commonly used agreement is the AWS Business Associate Addendum, or BAA, which governs your use of AWS services when storing, processing, or transmitting protected health information, or PHI, under HIPAA.

To accept any agreement, you must first accept the AWS Artifact non-disclosure agreement, or NDA.

After you have accepted this NDA, then downloaded and reviewed the agreement, you accept it by checking a box acknowledging that you accept all of its terms and conditions. Note that when accepting an agreement on behalf of all member accounts within an AWS organization, you must also certify that you have full power and authority to accept it on behalf of every entity that currently has, or may at any point in the future have, a member account within your organization.

So that’s how we can use AWS Artifact to not only view compliance reports and agreements but also to help ensure the solutions we architect in the AWS cloud remain secure and compliant with all necessary rules and regulations.

About the Author

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.