AWS Artifact
User Guide

Getting Started

AWS Artifact offers a number of documents for downloading. Different documents may require you to delegate permissions differently for various user accounts. Permissions are delegated by using a combination of IAM policies and whitelisting. This Getting Started section shows you how to set up permissions and download reports by completing the following steps:

Step 1: Create an Admin Group and Add an IAM User

In this step, you create an Administrators group and add yourself as an IAM user to the group.

To create an IAM user for yourself and add the user to an Administrators group

  1. Use your AWS account email address and password to sign in as the AWS account root user to the IAM console at


    We strongly recommend that you adhere to the best practice of using the Administrator IAM user below and securely lock away the root user credentials. Sign in as the root user only to perform a few account and service management tasks.

  2. In the navigation pane of the console, choose Users, and then choose Add user.

  3. For User name, type Administrator.

  4. Select the check box next to AWS Management Console access, select Custom password, and then type the new user's password in the text box. You can optionally select Require password reset to force the user to create a new password the next time the user signs in.

  5. Choose Next: Permissions.

  6. On the Set permissions for user page, choose Add user to group.

  7. Choose Create group.

  8. In the Create group dialog box, type Administrators.

  9. For Filter, choose Job function.

  10. In the policy list, select the check box for AdministratorAccess. Then choose Create group.

  11. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to see the group in the list.

  12. Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.

You can use this same process to create more groups and users, and to give your users access to your AWS account resources. To learn about using policies to restrict users' permissions to specific AWS resources, go to Access Management and Example Policies.

You can repeat the preceding steps to add other IAM users to the admin group.

Step 2: Create an IAM Policy

In this step, you create a permissions policy that grants permissions to the IAM users in the group so they can access the AWS Artifact documents. The following table shows the permissions that you can assign to IAM users based on the level of access that they need.

Permissions Type IAM Policy Document
Permissions to Download All Reports
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "artifact:Get" ], "Resource": [ "arn:aws:artifact:::report-package/*" ] } ] }

Permissions to Download All Agreements

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "artifact:DownloadAgreement" ], "Resource": [ "*" ] } ] }
Permissions to Accept Agreements
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "artifact:AcceptAgreement" ], "Resource": [ "*" ] } ] }
Permissions to Terminate Agreements
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "artifact:TerminateAgreement" ], "Resource": [ "*" ] } ] }

To create an IAM policy

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the navigation pane, choose Policies.

  3. Choose Create Policy.

  4. Choose Create Your Own Policy.

  5. For Policy Name, type a unique name that helps you to remember what your policy is intended to do.

  6. For Description, type a description for your policy.

  7. For Policy Document, copy and paste one of the policy documents from the previous table, or copy and paste the following policy to grant access to ISO certification reports, PCI compliance reports, and Service Organization Control (SOC) reports:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "artifact:Get" ], "Resource": [ "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*", "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*", "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*" ] } ] }

    To remove permissions for a specific type of report, remove the line with that report type. For example, to remove the SOC reports, remove the following line:

    "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
  8. Choose Validate Policy.

  9. Choose Create Policy.

Now that you have created your policy, you can attach the policy to a non-admin group.

Step 3: Create IAM Users

In the preceding steps, you created an admin group, added yourself to the group as an IAM user, and created a permissions policy. You can add other IAM users to the group at any time. You also can create non-admin groups and add IAM users to those groups. Now that you have created an admin user and a policy, create a group of IAM users and add each of the people that you want to have access to AWS Artifact documents. To do so, use the procedure from Step 1: Create an Admin Group and Add an IAM User, using the policy that you just created in step two instead of AdministratorAccess.

Step 4: Download a Document

Now that you have set up your IAM users and policies, you can download a document by following the procedure in Downloading Documents.