Identity and access management in AWS Artifact - AWS Artifact

Identity and access management in AWS Artifact

When you sign up for AWS, you provide an email address and password that are associated with your AWS account. These are your root credentials, and they provide complete access to all of your AWS resources, including resources for AWS Artifact. However, we strongly recommend that you don't use the root account for everyday access. We also recommend that you don't share account credentials with others to give them complete access to your account.

Instead of signing in to your AWS account with root credentials or sharing your credentials with others, you should create a special user identity called an IAM user for yourself and for anyone who might need access to a document or agreement in AWS Artifact. With this approach, you can provide individual sign-in information for each user, and you can grant each user only the permissions that they need to work with specific documents. You can also grant multiple IAM users the same permissions by granting the permissions to an IAM group and adding the IAM users to the group.

If you already manage user identities outside AWS, you can use IAM identity providers instead of creating IAM users. For more information, see Identity providers and federation in the IAM User Guide.

Create IAM users and grant them access to AWS Artifact

Complete the following steps to grant users permissions to AWS Artifact based on the level of access they need.

Step 1: Create an IAM policy

As an IAM administrator, you can create a policy that grants permissions to AWS Artifact actions and resources.

To create an IAM policy

Use the following procedure to create an IAM policy that you can use to grant permissions to your IAM users and groups.

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. Choose Create policy.

  4. Choose the JSON tab.

  5. Enter a policy document. You can create your own policy, or you can use one of the policies from Example IAM policies.

  6. Choose Review Policy. The policy validator reports any syntax errors.

  7. On the Review policy page, enter a unique name that helps you remember the purpose of the policy. You can also provide a description.

  8. Choose Create policy.

Step 2: Create an IAM group and attach the policy

As an IAM administrator, you can create a group and attach the policy that you created to the group. You can add IAM users to the group at any time.

To create an IAM group and attach your policy

  1. In the navigation pane, choose Groups and then choose Create New Group.

  2. For Group Name, enter a name for your group and then choose Next Step.

  3. In the search field, enter the name of the policy that you created. Select the check box for your policy and then choose Next Step.

  4. Review the group name and policies. When you are ready, choose Create Group.

Step 3: Create IAM users and add them to the group

As an IAM administrator, you can add users to a group at any time. This grants the users the permissions granted to the group.

To create an IAM user and add the user to a group

  1. In the navigation pane, choose Users and then choose Add user.

  2. For User name, enter the names for one or more users.

  3. Select the check box next to AWS Management Console access. Configure an auto-generated or custom password. You can optionally select User must create a new password at next sign-in to require a password reset when the user first signs in.

  4. Choose Next: Permissions.

  5. Choose Add user to group and then select the group that you created.

  6. Choose Next: Tags. You can optionally add tags to your users.

  7. Choose Next: Review. When you are ready, choose Create user.

Example IAM policies

You can create permissions policies that grant permissions to IAM users. You can grant users access to AWS Artifact reports and the ability to accept and download agreements on behalf of either a single account or an organization.

The following example policies show permissions that you can assign to IAM users based on the level of access that they need.

Example policies to manage AWS reports

AWS reports are denoted by the IAM resource report-package.

The following policy grants permission to download all AWS reports.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:Get"
      ],
      "Resource": [
        "arn:aws:artifact:::report-package/*"
      ]
    }
  ]
}

The following policy grants permission to download only the AWS SOC, PCI, and ISO reports.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:Get"
      ],
      "Resource": [
        "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
        "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
        "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"
      ]
    }
  ]
}

Example policies to manage third-party reports

Third-party reports are denoted by the IAM resource report.

The following policy grants permission to all third-party report functionality.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:ListReports",
        "artifact:GetReportMetadata",
        "artifact:GetReport",
        "artifact:GetTermForReport"
      ],
      "Resource": [
        "arn:aws:artifact:us-east-1::report/*"
      ]
    }
  ]
}

The following policy grants permission to download third-party reports.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:GetReport",
        "artifact:GetTermForReport"
      ],
      "Resource": [
        "arn:aws:artifact:us-east-1::report/*"
      ]
    }
  ]
}

The following policy grants permission to list third-party reports.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:ListReports"
      ],
      "Resource": [
        "arn:aws:artifact:us-east-1::report/*"
      ]
    }
  ]
}

The following policy grants permission to view a third-party report’s details.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:GetReportMetadata"
      ],
      "Resource": [
        "arn:aws:artifact:us-east-1::report/report-jRVRFP8HxUN5zpPh"
      ]
    }
  ]
}

Example policies to manage agreements

The following policy grants permission to download all agreements. IAM users must also have this permission to accept agreements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:DownloadAgreement"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The following policy grants permission to accept an agreement.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The following policy grants permission to terminate an agreement.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The following policy grants permissions to manage single account agreements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement",
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "arn:aws:artifact::*:customer-agreement/*",
        "arn:aws:artifact:::agreement/*"
      ]
    }
  ]
}

Example policies to integrate with AWS Organizations

The following policy grants permission to create the IAM role that AWS Artifact uses to integrate with AWS Organizations. Your organization's management account must have these permissions to get started with organizational agreements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "arn:aws:iam::*:role/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateRole",
      "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync"
    },
    {
      "Effect": "Allow",
      "Action": "iam:AttachRolePolicy",
      "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyARN": "arn:aws:iam::aws:policy/service-role/AWSArtifactAccountSync"
        }
      }
    }
  ]
}

The following policy grants the permissions needed to allow AWS Artifact to use AWS Organizations. Your organization's management account must have these permissions to get started with organizational agreements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    }
  ]
}

Example policies to manage agreements for the management account

The following policy grants permissions to manage agreements for the management account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement",
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "arn:aws:artifact::*:customer-agreement/*",
        "arn:aws:artifact:::agreement/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "arn:aws:iam::*:role/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateRole",
      "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync"
    },
    {
      "Effect": "Allow",
      "Action": "iam:AttachRolePolicy",
      "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyARN": "arn:aws:iam::aws:policy/service-role/AWSArtifactAccountSync"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListAccounts",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    }
  ]
}

Example policies to manage organizational agreements

The following policy grants permissions to manage organizational agreements. Another user with the required permissions must set up the organizational agreements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement",
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "arn:aws:artifact::*:customer-agreement/*",
        "arn:aws:artifact:::agreement/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization"
      ],
      "Resource": "*"
    }
  ]
}

The following policy grants permissions to view organizational agreements.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:DownloadAgreement"
      ],
      "Resource": [
        "arn:aws:artifact::*:customer-agreement/*",
        "arn:aws:artifact:::agreement/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization"
      ],
      "Resource": "*"
    }
  ]
}
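Before attaching one of the policies above, it is worth confirming locally that it is as narrow as its description claims: for example, that the SOC/PCI/ISO policy does not reach other report packages, and that the AttachRolePolicy statement only permits the AWSArtifactAccountSync managed policy. The following evaluator is an added example and not AWS code; it implements only the subset of IAM semantics these policies use (Allow/Deny, Action and Resource wildcards, ArnEquals/StringEquals conditions) and embeds constructed copies of two policies from this page.

```python
"""Added example (not AWS's code): evaluates the subset of IAM semantics the
AWS Artifact policies above use. Real IAM adds SCPs, boundaries, NotAction..."""
import fnmatch
import json

def _as_list(value):
    # IAM accepts a string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, fold_case):
    # Action names are case-insensitive, ARNs are not; '*' matches across '/'.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def _condition_ok(condition, context):
    # Only ArnEquals/StringEquals, which is all this page's policies need.
    for operator, pairs in (condition or {}).items():
        if operator not in ("ArnEquals", "StringEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        if any(context.get(k) not in _as_list(v) for k, v in pairs.items()):
            return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Explicit Deny wins, then a matching Allow, otherwise implicit deny."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allowed = False
    for stmt in _as_list(doc["Statement"]):
        if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource, False) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition"), context or {}):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed copies of two policies from this page, used by the checks below.
SOC_PCI_ISO_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["artifact:Get"], "Resource": [
        "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
        "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
        "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"]}]}
ATTACH_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:AttachRolePolicy",
    "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync",
    "Condition": {"ArnEquals": {"iam:PolicyARN": "arn:aws:iam::aws:policy/service-role/AWSArtifactAccountSync"}}}]}
```

Pass `is_allowed` a policy dict or the raw JSON string, the action, the resource ARN, and, for conditional statements, a context dict keyed by condition key (here `iam:PolicyARN`); the report path and account ID in the checks are constructed values.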