This section provides detail on the AWS management services relevant to the Solution Architect Associate exam. These services are used to help you audit, monitor and evaluate your AWS infrastructure and resources. These management services form a core component of running resilient and performant architectures.
Want more? Try a lab playground or do a Lab Challenge!
Learning Objectives
- Understand the benefits of using AWS CloudWatch and audit logs to manage your infrastructure
- Learn how to record and track API requests using AWS CloudTrail
- Learn what AWS Config is and its components
- Manage your accounts with AWS Organizations, including single sign-on with AWS SSO
- Learn how to carry out logging with CloudWatch, CloudTrail, CloudFront, and VPC Flow Logs
- Understand how to design cost-optimized architectures in AWS
- Learn about AWS data transformation tools such as AWS Glue and data visualization services like Amazon Athena and QuickSight
Hello, and welcome to this lecture where I will be examining AWS Artifact, a free self-service portal that provides you with immediate access to AWS security and compliance reports. Within AWS Artifact, you also have the ability to view, download, accept, and terminate legal agreements between you and AWS at both the account and organization level.
So you may be asking yourself: why would I ever need to access the information in AWS Artifact? And as it turns out, there could be several reasons. For starters, you might be asked to provide evidence of the current or historical compliance of different AWS services used within your architecture as part of a required audit to ensure that your enterprise may continue to leverage the AWS cloud. And this audit could potentially extend out to include your suppliers as well. Or perhaps you just want to learn more about your responsibilities when it comes to complying with various regulatory standards such as Payment Card Industry, or PCI, or Service Organization Control, or SOC. After all, simply leveraging the AWS cloud does not guarantee that the systems you build within it will be fully secure or compliant. We’ll discuss this more in a moment.
AWS Artifact can be accessed directly from the AWS console by searching “Artifact.” From there, the AWS Artifact home page gives you options to view reports and view agreements, so let’s spend a little time discussing reports and agreements in more detail.
AWS Artifact Reports consist of AWS auditor-issued reports and include everything from ISO certifications to PCI and SOC reports.
These reports, known as audit artifacts, may be shared with auditors and regulators by creating IAM users with an associated identity-based policy that grants access only to the necessary reports. And these audit artifacts allow you to provide evidence of AWS security controls to ensure compliance with any applicable governance, regulations, or frameworks when architecting solutions in the AWS cloud. Now of course this is always done in accordance with the AWS Shared Responsibility Model, where AWS is responsible for the underlying security OF the cloud, but you remain responsible for your own systems’ and applications’ security IN the cloud. Now to learn more about the AWS Shared Responsibility Model, I encourage you to check out this resource. Consequently, the compliance reports provided within AWS Artifact pertain only to AWS and do not in any way certify the security or compliance of your own company, organization, or application. However, these audit artifacts can and should inform the security controls you choose to implement as part of your own cloud architecture and solution design.
In addition to security and compliance reports, AWS Artifact also allows you to view and execute legally binding agreements between you and AWS.
These agreements can be applied at the individual account level, or if you are signed in to the AWS console with the management account of an organization in AWS Organizations, you can also apply an agreement to all member accounts within your organization. One example of a commonly used agreement is the AWS Business Associate Addendum, or BAA, which governs your use of AWS services when storing personal health information, or PHI.
To accept an agreement, you must first accept the AWS Artifact non-disclosure agreement or NDA.
After you have accepted this NDA, then downloaded and reviewed the agreement, you may accept the agreement by checking a box acknowledging that you accept all of its relevant terms and conditions. Note that when accepting an agreement on behalf of all member accounts within an AWS Organization, you must also certify that you have the full power and authority to accept the agreement on behalf of every entity that either currently has, or may ever subsequently have, a member account within your organization at any point in the future.
So that’s how we can use AWS Artifact to not only view compliance reports and agreements but also to help ensure the solutions we architect in the AWS cloud remain secure and compliant with all necessary rules and regulations.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.