Migrating to fine-grained permissions - AWS Artifact

Migrating to fine-grained permissions

AWS Artifact now enables customers to use fine-grained permissions. Through these fine-grained permissions, customers have granular control over access to features such as accepting terms and downloading reports.

To access reports through fine-grained permissions, you can use the AWSArtifactReportsReadOnlyAccess managed policy or update your permissions as recommended below. If you previously opted out of fine-grained permissions, you should opt in using the “opt-in to fine-grained permissions for AWS Artifact reports” link available in the reports console.

If there is an issue with updating to the new permissions, you can access reports with the old permissions through the “opt-out of the fine-grained permissions for AWS Artifact reports” link available in the console.

Migrating to new permissions

Migrate non-resource specific permissions

Users need to replace the existing Policy containing legacy permissions with a Policy containing fine-grained permissions.

Legacy Policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "artifact:Get"
                ],
                "Resource": [
                    "arn:aws:artifact:::report-package/*"
                ]
            }
        ]
    }

New Policy with fine-grained permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "artifact:ListReports",
                    "artifact:GetReportMetadata",
                    "artifact:GetReport",
                    "artifact:GetTermForReport"
                ],
                "Resource": "*"
            }
        ]
    }

Migrate resource-specific permissions

Users need to replace their existing Policy containing legacy permissions with a Policy containing fine-grained permissions. Report resource wildcard permissions have been replaced with condition keys.

Legacy Policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "artifact:Get"
                ],
                "Resource": [
                    "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
                    "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
                    "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"
                ]
            }
        ]
    }

New policy with fine-grained permissions and condition keys:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "artifact:ListReports"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "artifact:GetReportMetadata",
                    "artifact:GetReport",
                    "artifact:GetTermForReport"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "artifact:ReportSeries": [
                            "SOC",
                            "PCI",
                            "ISO"
                        ],
                        "artifact:ReportCategory": [
                            "Certifications and Attestations"
                        ]
                    }
                }
            }
        ]
    }
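
The two migrations above can be scripted. The following is an added example, not AWS-provided code: a hypothetical helper, migrate(), that rewrites a legacy artifact:Get policy into the fine-grained form and refuses any statement or resource shape not shown on this page. It goes beyond the page's single-category case by emitting one conditioned statement per report category, so that access does not widen when a legacy policy spans several categories.

```python
import json
from collections import defaultdict

PREFIX = "arn:aws:artifact:::report-package/"
READ_ACTIONS = ["artifact:GetReportMetadata", "artifact:GetReport", "artifact:GetTermForReport"]

def migrate(legacy):
    """Translate a legacy artifact:Get policy (dict) into a fine-grained one."""
    by_category = defaultdict(list)   # ReportCategory -> [ReportSeries, ...]
    unrestricted = False
    for stmt in legacy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or actions != ["artifact:Get"]:
            raise ValueError("statement needs manual review: %r" % stmt)
        resources = stmt["Resource"]
        for arn in [resources] if isinstance(resources, str) else resources:
            if not arn.startswith(PREFIX):
                raise ValueError("not a report-package ARN: " + arn)
            parts = arn[len(PREFIX):].split("/")
            if parts == ["*"]:
                unrestricted = True
            elif len(parts) == 3 and parts[2] == "*" and "*" not in parts[0] + parts[1]:
                if parts[1] not in by_category[parts[0]]:
                    by_category[parts[0]].append(parts[1])
            else:
                raise ValueError("unrecognised resource shape: " + arn)
    statements = [{"Effect": "Allow", "Action": ["artifact:ListReports"], "Resource": "*"}]
    if unrestricted:
        statements.append({"Effect": "Allow", "Action": READ_ACTIONS, "Resource": "*"})
    else:
        # One statement per category: condition keys in a single block are ANDed,
        # so merging categories would also allow unintended category/series pairs.
        for category, series in by_category.items():
            statements.append({
                "Effect": "Allow", "Action": READ_ACTIONS, "Resource": "*",
                "Condition": {"StringEquals": {
                    "artifact:ReportSeries": series,
                    "artifact:ReportCategory": [category]}}})
    return {"Version": "2012-10-17", "Statement": statements}

# Constructed sample input, same shape as the resource-specific legacy policy above.
LEGACY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["artifact:Get"],
    "Resource": [PREFIX + "Certifications and Attestations/SOC/*",
                 PREFIX + "Certifications and Attestations/PCI/*",
                 PREFIX + "Certifications and Attestations/ISO/*"]}]}

if __name__ == "__main__":
    print(json.dumps(migrate(LEGACY), indent=2))
```

Review the generated policy before attaching it. A ValueError means the legacy statement does not match either pattern on this page and should be migrated by hand.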