AWS Artifact FAQs

General

AWS Artifact, available in the console, is a self-service audit artifact retrieval portal that provides our customers with on-demand access to AWS’ compliance documentation and AWS agreements.

You can use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports.

You can use AWS Artifact Agreements to review, accept, and track the status of AWS agreements such as the Business Associate Addendum (BAA).

All AWS Accounts have access to AWS Artifact. Root users and IAM users with admin permissions can download all audit artifacts available to their account by agreeing to the associated terms and conditions.

You will need to grant IAM users with non-admin permissions access to AWS Artifact using IAM permissions. This allows you to grant a user access to AWS Artifact, while restricting access to other services and resources within your AWS Account. For information on how to grant access using IAM, refer to this help topic in the AWS Artifact documentation.

An Agreement can have two states:

  • Inactive: An Agreement is in Inactive state if the Agreement has not been accepted by the user or a previously accepted Agreement has been terminated by the user 
  • Active: An Agreement is in Active state if the Agreement has been accepted by the user

Your administrative account has all of the permissions needed to use AWS Artifact, but different documents and agreements might require you to delegate permissions differently for various users. You can delegate permissions by using IAM policies. Refer to the following tables in the AWS Artifact User Guide to view the permissions that you can assign to IAM users based on the level of access that they need.

An audit artifact is a piece of evidence that demonstrates that an organization is following a documented process or meeting a specific requirement. Audit artifacts are gathered and archived throughout the system development life cycle and are to be used as evidence in internal and/or external audits and assessments.

AWS Artifact currently provides customers with reports and agreements that may be used as audit artifacts.

You will often need to provide your auditors with access to AWS compliance reports. You can easily accomplish this by creating IAM user credentials specific to each auditor and configuring the credentials so that the auditor can only access the reports that are relevant to the audit that they are conducting. For more information, see this help topic in the AWS Artifact documentation.

You can provide the AWS audit artifacts to your auditors or regulators as evidence of AWS security controls.

You can also use the responsibility guidance provided by some of the AWS audit artifacts to design your cloud architecture. This guidance helps determine the additional security controls you should put in place in order to support the specific use cases of your system.

No. You can access and download all available artifacts at any time, as many times as you need.

AWS Reports

AWS Artifact Reports can be used by all AWS customers to assess and validate the security and compliance of the AWS infrastructure and services that they use.

You should use AWS Artifact Reports if you are:

  • Obligated to demonstrate the compliance of your cloud architectures during system design, development and audit life cycles. In order to demonstrate the historical and current compliance of your AWS infrastructure (specific to the services that you use), auditors and regulators require you to provide evidence in the form of audit artifacts.
  • Required to or are interested in using audit artifacts to validate that your AWS implemented controls are operating effectively.
  • Interested in continuously monitoring or auditing your suppliers.
  • A member of a development team that is building secure cloud architectures and are in need of guidance in understanding your responsibility for complying with ISO, PCI, SOC, and other regulatory standards. Often, the work of your team will either enable your enterprise to use AWS or ensure that your enterprise can continue to use AWS.

You can provide the AWS audit artifacts to your auditors or regulators as evidence of AWS security controls.

You can also use the responsibility guidance provided by some of the AWS audit artifacts to design your cloud architecture. This guidance helps determine the additional security controls you should put in place in order to support the specific use cases of your system.

You can share the AWS compliance reports with your customers directly if permitted by the terms and conditions applicable to the specific AWS compliance report. Please refer to the applicable terms and conditions on the first page of the AWS compliance report downloaded from AWS Artifact to check whether or not sharing of that report is permitted.

Additionally, your customers can access AWS compliance reports using their own AWS Account. If they do not already have an account, you should direct them to create one. There is no charge associated with creating an account.

After logging into their account, your customers can access available reports in the AWS Console by navigating to Artifact under Security, Identity & Compliance.

For more information refer to Getting Started with AWS Artifact.

 

To learn more about the Federal Risk and Authorization Management Program (FedRAMP) and how to download AWS FedRAMP Security packages using AWS Artifact, visit the FedRAMP compliance webpage.

Third-Party Reports

Third-party (AWS Marketplace Independent Software Vendor (ISV)) compliance reports will only be accessible to those AWS customers who have been granted access to AWS Marketplace Vendor Insights for a specific ISV. Learn more on how to get access to third-party compliance reports here.

AWS customers using AWS Marketplace Vendor Insights should download and use third-party compliance reports shared by the ISVs via AWS Artifact as part of their third-party risk assessment.

Sharing of a third-party compliance report with downstream customers is governed by the applicable Terms and Conditions (T&Cs) that are documented on the cover page of the downloaded report. Please refer to the respective T&Cs to determine whether sharing is permitted or not. Additionally, please note that T&Cs may vary for each report.

AWS is making these reports available to customers for faster and self-service access, and any questions regarding the reports should be directed to the respective third parties.

Agreements

AWS Artifact Agreements, a feature of the AWS Artifact service (our audit and compliance portal), enables you to review, accept, and manage agreements with AWS for your individual account, and also for all accounts that are part of your organization in AWS Organizations. You can also use AWS Artifact to terminate agreements you have previously accepted if they are no longer required.

Different types of agreements are available in AWS Artifact Agreements to address the needs of customers subject to specific regulations. For example, the Business Associate Addendum (BAA) is available for customers that need to comply with the Health Insurance Portability and Accountability Act (HIPAA). For a complete list of agreements available to your account, login to AWS Artifact.

Before you enter into an agreement on AWS Artifact Agreements, you must download and agree to the terms of the AWS Artifact nondisclosure agreement (NDA). Each agreement is confidential and cannot be shared with others outside of your company.

Yes, you will need to accept the AWS Artifact NDA to access and download confidential documents in Artifact. That said, if you have an existing NDA with Amazon, and if your existing NDA covers the same confidential information as the information provided in Artifact, then your existing NDA will apply instead of the Artifact NDA.

If you’re an administrator of an AWS account, you automatically have permissions to download, accept, and terminate agreements for that account. If you are the administrator of the management account of an organization in AWS Organizations, you can accept and terminate agreements on behalf of the management account and all member accounts in your organization. You should always review any agreement terms with your legal, privacy and/or compliance teams before accepting. You can use IAM to grant access to your agreement stakeholders (such as members of your legal, privacy and/or compliance teams), so that those users can download, review, and accept agreements.

If you’re not an administrator, you will need to be granted additional permissions to download, accept, and terminate agreements (usually, by your administrator). Administrators have the flexibility to grant varying levels of permissions to IAM users based on the business needs of the users.

For a complete list of AWS Artifact permissions, refer to Controlling Access and Common Policies in the AWS Artifact User Guide.

When accepted, AWS Artifact Account Agreements (located under the Account agreements tab) apply only to the individual account you used to sign into AWS.

When accepted, AWS Artifact Organization Agreements (located under the Organization agreements tab) apply to all accounts in an organization created through AWS Organizations, including the organization's management account and all member accounts. Only the management account in an organization can accept agreements in AWS Artifact Organization Agreements.

AWS Artifact Organization Agreements simplifies agreement management for multiple AWS accounts by allowing you to accept a single agreement on behalf of all accounts within your organization. When an authorized user of a management account accepts an organization agreement, all existing and future member accounts will be covered under the terms of the agreement automatically.

If you are a user of the management account of an organization in AWS Organizations, you can accept an agreement on behalf of all current and future member accounts in your organization. The organization that you belong to must be enabled for all features. If your organization is configured for consolidated billing features only, see Enabling All Features in Your Organization.

To get started, you must be signed in to the management account with the following IAM permissions:

artifact:DownloadAgreement
artifact:AcceptAgreement
artifact:TerminateAgreement
organizations:DescribeOrganization
organizations:EnableAWSServiceAccess
organizations:ListAWSServiceAccessForOrganization
iam:ListRoles
iam:CreateServiceLinkedRole

For a complete list of AWS Artifact permissions, refer to Controlling Access and Common Policies in the AWS Artifact User Guide.

AWS needs permission to create a service-linked role in your account so that the AWS Artifact service can ListAccounts to identify the complete list of member accounts in your organization when an agreement is accepted. When a member account joins or leaves your organization, AWS will be notified, and the list of accounts covered by your accepted agreement(s) will be updated.

Visit the AWS Artifact Agreements console and click on the Organization agreements tab. If the management account in your organization has accepted one or more organization agreements, they will be listed as active. You can do this either when logged in as the management account or as a member account in the organization.

Important: The IAM user signed into the AWS console must have permission to organizations:DescribeOrganization in order for AWS Artifact to retrieve information about your account’s organization agreements. For a complete list of AWS Artifact permissions, refer to Controlling Access and Common Policies in the AWS Artifact User Guide.

An organization is a collection of one or more member accounts that you can manage centrally with a single management account using AWS Organizations. Refer to the AWS Organizations website to learn more.

A management account is the AWS account you use to create your organization in AWS Organizations. When logged into the management account, you can use AWS Organizations to create member accounts in your organization, invite existing accounts to join your organization, and remove accounts from your organization.

Only management accounts can use AWS Artifact Organization Agreements to accept or terminate agreements on behalf of all accounts in an organization.

A member account is an AWS account, other than the management account, that is part of an organization in AWS Organizations. If you are an administrator of the management account in an organization, you can create member accounts in the organization and invite existing accounts to join the organization. A member account can belong to only one organization at a time.

Member accounts can use AWS Artifact Account Agreements to accept or terminate agreements on behalf of that individual member account only. Member accounts can use AWS Artifact Organization Agreements to view the agreements accepted on the member account’s behalf by the organization’s management account.

No, AWS Artifact Organization Agreements is only available for accounts using AWS Organizations. If you would like to create or join an organization, follow the instructions in Creating and Managing an AWS Organizations.

AWS Artifacts Agreements works the same for reseller accounts. Resellers can use IAM to control who has permissions to download, accept, and terminate agreements. By default, only users with administrative privileges can grant access.

If you have accounts in separate organizations that you want covered by an agreement, you must log in to each organization’s management account and accept the relevant agreements through AWS Artifact Organization Agreements.

If you would like to consolidate accounts into a single organization, you can invite AWS accounts to join your organization by following the instructions in Inviting an Account to Your Organization.

No. In AWS Artifact Organization Agreements (the Organization agreements tab) you can only accept agreements on behalf of all accounts within the organization.

If you would like to accept an agreement for only some member accounts, you must sign in to each account individually and accept the relevant agreement(s) through AWS Artifact Account Agreements (the Account agreements tab).

Yes, management accounts and member accounts can have AWS Artifact Account Agreements (i.e. agreements under the Account agreements tab) and AWS Artifact Organization Agreements (i.e. agreements under the Organization agreements tab) of the same type in place at the same time.

If your account has an account agreement and an organization agreement of the same type in place at the same time, the organization agreement will apply instead of the account agreement. If, with respect to an individual account, an organization agreement is terminated (e.g. by removal of a member account from the organization), the account agreement in place for that individual account (viewable under the Account agreements tab) will remain active and will continue to apply.

The organization agreement will apply because according to its terms, it applies instead of the account agreement when both are active. If the organization agreement is terminated, and if you have an account agreement of the same type in place (under the Account agreements tab), the account agreement will apply to that account. Note: Terminating the organization agreement does not terminate the account agreement.

When a member account is removed from an organization (e.g. by leaving the organization, or by being removed from the organization by the management account), any organization agreements accepted on its behalf will no longer apply to that member account.

Management account administrators should alert member accounts prior to removing those accounts from the organization so that member accounts can put new account agreements in place, if necessary. Before member account owners leave an organization, they should determine (with the assistance of legal, privacy, or compliance teams, if appropriate) whether it is necessary to put new agreements in place.

Currently, member accounts are not notified when they are removed from an organization. We are developing functionality that will alert member accounts when they have been removed from an organization and are no longer covered by an organization agreement.

Management account administrators should alert member accounts prior to removing those accounts from the organization so that member accounts can put new account agreements in place, if necessary. Before member account owners leave an organization, they should determine (with the assistance of legal, privacy, or compliance teams, if appropriate) whether it is necessary to put new agreements in place.

Business Associate Addendum (BAA)

AWS Artifact Agreements enables you to review and accept the AWS BAA from the AWS Management Console for your account or your organization in AWS Organizations. You can accept the AWS BAA for your individual account under the Account agreements tab, or if you are a management account in an organization, you can accept the AWS BAA on behalf of all accounts in your organization under the Organization agreements tab. Upon accepting the AWS BAA in AWS Artifact Agreements, you will instantly designate your AWS account(s) for use in connection with protected health information (PHI). Additionally, you can use the AWS Artifact Agreements console to see which agreements are in place for your AWS account or organization and review the terms of those agreements.

When you accept an online BAA within the Account agreements tab in AWS Artifact, the account you used to sign in to AWS is automatically designated as a HIPAA Account under that online account BAA. If you are a management account in AWS Organizations and accept an online BAA under the Organization agreements tab in AWS Artifact, all accounts within your organization are automatically designated as HIPAA Accounts. Member accounts that are later added to that organization will be automatically designated as HIPAA Accounts as well.

Yes, if you use AWS Organizations, the management account in your organization can use the Organization agreements tab in AWS Artifact Agreements to accept an organization BAA on behalf of all existing and future member accounts in your organization.

If you do not use AWS Organizations, or would only like to designate certain of your member accounts, you must sign in to each account separately and accept a BAA on behalf of that account.

The difference is that the BAA in the Organization agreements tab, when accepted, applies to all accounts linked to your management account through AWS Organizations. In comparison, the BAA in the Account agreements tab only applies to the individual account you used to accept the account BAA, and no other accounts. If you have accepted both the account BAA and the organization BAA, the organization BAA will apply instead of the account BAA.

Yes, using the management account of your organization you can use the Organization agreements tab in AWS Artifact Agreements to accept an organization BAA on behalf of all existing and future member accounts in your organization. When both the account and organization BAA are accepted, the organization BAA will apply instead of the account BAA.

If you no longer need to use your AWS account or organization accounts in connection with PHI, and if you accepted the BAA using AWS Artifact Agreements, you can use AWS Artifact Agreements to terminate that BAA.

If you accepted the BAA offline, refer to the 'Offline BAA' FAQs below.

If you terminate an online BAA under the Account agreements tab in AWS Artifact, the account you used to sign into AWS will immediately cease to be a HIPAA Account and, unless it is also covered by an organization BAA (within the Organization agreements tab), it will no longer be covered by a BAA with AWS. You should only terminate a BAA if you are sure that you have removed all protected health information (PHI) from the account and will no longer use the account in connection with PHI.

If you are a user of a management account and terminate an online BAA within the Organization agreements tab in AWS Artifact, all accounts within your organization will immediately be removed as HIPAA Accounts and, unless they are covered by individual account BAAs (within the Account agreements tab), they will no longer be covered by a BAA with AWS. You should only terminate a BAA for an organization if you are sure that you have removed all protected health information (PHI) from ALL accounts within such organization and will no longer use any of the accounts in connection with PHI.

If you have both an account BAA and an organization BAA in place at the same time, the terms of the organization BAA will apply instead of the terms of the account BAA. Terminating the organization BAA does not terminate the account BAA, so if you terminate the organization BAA, the account BAA will continue to apply to that account.

No. When a member account leaves an organization, any accepted organization agreement(s) no longer apply to that account. If the member account wants one or more of the agreements to continue to apply after leaving the organization, the member account should accept the relevant account agreement(s) under the Account agreements tab in AWS Artifact prior to leaving the organization.

You may use any AWS service in an account designated as a HIPAA Account, but you may only include PHI in HIPAA Eligible Services. Our HIPAA Eligible Services Reference page contains the latest list of HIPAA Eligible Services.

Yes. If you prefer to enter into an offline BAA with AWS, please contact your AWS Account Manager or contact us to submit your request. However, we encourage you to take advantage of the speed, efficiency and visibility provided by AWS Artifact Agreements.

If you previously signed an offline BAA, the terms of that BAA will continue to apply to the accounts you designated as HIPAA Accounts under that offline BAA.

For any accounts that you have not already designated as a HIPAA Account under your offline BAA, you can use AWS Artifact Agreements to accept an online BAA for those accounts.

Yes. The management account in your organization can use the Organization agreements tab in AWS Artifact Agreements to accept an organization BAA on behalf of all existing and future member accounts in your organization.

No. In order to protect the confidentiality of your offline BAA, you will not be able to download a copy of it in AWS Artifact Agreements. If you would like to view a copy of your previously signed offline BAA, you can reach out to your AWS Account Manager to request it.

No. You can use AWS Artifact Agreements to accept an online BAA for a single account or for all accounts within your organization in AWS Organizations. These will be subject to the terms of the applicable online BAA, however, not your offline BAA.

If you want to designate additional HIPAA Accounts under your offline BAA, you can do so by following the process described in your offline BAA (e.g., sending an email to aws-hipaa@amazon.com). Once confirmed by AWS, the Artifact Agreements interface will change for the newly designated account to reflect that it has been designated as a HIPAA Account under your offline BAA.

No. You can use AWS Artifact Agreements to remove an account as a HIPAA Account under your offline BAA, but it will not terminate the offline BAA itself. To terminate an offline BAA, you need to provide written notice to AWS according to the terms of your offline BAA.

Yes. You can follow the steps prompted within AWS Artifact to remove your account as a HIPAA Account under your offline BAA. You should only remove an account as a HIPAA Account if you are sure that you have removed all protected health information (PHI) from the account and will no longer use the account in connection with PHI.

By its terms, the AWS BAA only applies to “HIPAA Accounts,” which are defined as AWS accounts that store or transmit PHI, that only use HIPAA Eligible Services to store or transmit that PHI, and to which you have applied the required security configurations specified in the AWS BAA, such as encryption of PHI at rest and in transit (refer to the AWS BAA for a full list of the required security configurations). Accounts that do not meet the definition of a HIPAA Account are not subject to the AWS BAA.

AWS Australian Notifiable Data Breach Addendum (ANDB Addendum)

AWS Artifact Agreements enables you to review and accept an ANDB Addendum from the AWS Management Console for either your AWS account or, if you are a management account in an AWS organization, your AWS organization. You can accept the ANDB Addendum for your individual AWS account under the Account agreements tab, or if you are a management account in an organization, you can accept the ANDB Addendum on behalf of all existing and future AWS accounts in your AWS organization under the Organization agreements tab. Additionally, you can use the AWS Artifact Agreements console to see which agreements are in place for your AWS account or AWS organization and review the terms of those agreements.

The difference is that the ANDB Addendum in the Organization agreements tab, when accepted, applies to all existing and future AWS accounts linked to your management account through AWS Organizations. In comparison, the ANDB Addendum in the Account agreements tab only applies to the individual AWS account you used to accept the ANDB Addendum, and no other AWS accounts. If you have accepted both the account ANDB Addendum and the organizations ANDB Addendum, the organizations ANDB Addendum will apply instead of the account ANDB Addendum.

Yes, using the management account of your organization you can use the Organization agreements tab in AWS Artifact Agreements to accept an ANDB Addendum on behalf of all existing and future member accounts in your organization. When both the account ANDB Addendum and organizations ANDB Addendum are accepted, the organizations ANDB Addendum will apply instead of the account ANDB Addendum.

You can use AWS Artifact Agreements to terminate an ANDB Addendum at any time.

To terminate an account ANDB Addendum, you can use the Account agreements tab in AWS Artifact and click on the “Terminate the AWS Australian Notifiable Data Breach Addendum for this Account” button.

To terminate an organizations ANDB Addendum, you can use the Organization agreements tab in AWS Artifact and click on the “Terminate AWS Australian Notifiable Data Breach Addendum for this Organization” button.

If you terminate an account ANDB Addendum under the Account agreements tab in AWS Artifact, the AWS account you used to sign into AWS Artifact will not be covered by an ANDB Addendum with AWS, unless it is also covered by an organizations ANDB Addendum (within the Organization agreements tab). You should only terminate an account ANDB Addendum either when (a) you are sure that you have removed all personal information from the AWS account and you will no longer use the AWS account in connection with personal information or (b) you join that AWS account as a member account in an AWS organization that has an organizations ANDB Addendum.

If you are a user of a management account and terminate an organizations ANDB Addendum within the Organization agreements tab in AWS Artifact, the AWS accounts in that AWS organization will not be covered by an ANDB Addendum with AWS, unless they are covered by an account ANDB Addendum (within the Account agreements tab). You should only terminate an organizations ANDB Addendum either when (a) you are sure that all personal information has been removed from the AWS accounts in that AWS organization and those AWS accounts will no longer be used in connection with personal information or (b) you have agreed account ANDB Addendums for those AWS accounts that are used in connection with personal information.

If you have both an account ANDB Addendum and an organizations ANDB Addendum in place at the same time, the terms of the organizations ANDB Addendum will apply instead of the terms of the account ANDB Addendum. Terminating the organizations ANDB Addendum does not terminate the account ANDB Addendum, so if you terminate the organizations ANDB Addendum, the account ANDB Addendum will then apply to that AWS account.

No. When a member account leaves an AWS organization, any accepted organization agreement(s), such as the organizations ANDB Addendum no longer apply to that AWS account. If the member account wants one or more of the agreements to continue to apply after leaving the organization, the member account should accept the relevant account agreement(s) under the Account agreements tab in AWS Artifact prior to leaving the AWS organization.

You may use any AWS service in an AWS account covered by an ANDB Addendum with AWS.

By its terms, the organizations ANDB Addendum only applies to “ANDB Accounts,” which are defined as AWS accounts where the entity responsible for that account is subject to the Australian Privacy Act, and that AWS account includes “personal information” (as defined in the Australian Privacy Act) in AWS’ possession or control. Accounts that do not meet the definition of an ANDB Account are not subject to the organizations ANDB Addendum.

AWS New Zealand Notifiable Data Breach Addendum (NZNDB Addendum)

AWS Artifact Agreements enables you to review and accept an NZNDB Addendum from the AWS Management Console for either your AWS account or, if you are a management account in an AWS organization, your AWS organization. You can accept the NZNDB Addendum for your individual AWS account under the Account agreements tab, or if you are a management account in an organization, you can accept the NZNDB Addendum on behalf of all existing and future AWS accounts in your AWS organization under the Organization agreements tab. Additionally, you can use the AWS Artifact Agreements console to see which agreements are in place for your AWS account or AWS organization and review the terms of those agreements.

The difference is that the NZNDB Addendum in the Organization agreements tab, when accepted, applies to all existing and future AWS accounts linked to your management account through AWS Organizations. In comparison, the NZNDB Addendum in the Account agreements tab only applies to the individual AWS account you used to accept the NZNDB Addendum, and no other AWS accounts. If you have accepted both the account NZNDB Addendum and the organizations NZNDB Addendum, the organizations NZNDB Addendum will apply instead of the account NZNDB Addendum.

Yes, using the management account of your organization you can use the Organization agreements tab in AWS Artifact Agreements to accept an NZNDB Addendum on behalf of all existing and future member accounts in your organization. When both the account NZNDB Addendum and organizations NZNDB Addendum are accepted, the organizations NZNDB Addendum will apply instead of the account NZNDB Addendum.

You can use AWS Artifact Agreements to terminate an NZNDB Addendum at any time.
To terminate an account NZNDB Addendum, you can use the Account agreements tab in AWS Artifact and click on the “Terminate the AWS New Zealand Notifiable Data Breach Addendum for this Account” button.

To terminate an organizations NZNDB Addendum, you can use the Organization agreements tab in AWS Artifact and click on the “Terminate AWS New Zealand Notifiable Data Breach Addendum for this Organization” button.

If you terminate an account NZNDB Addendum under the Account agreements tab in AWS Artifact, the AWS account you used to sign into AWS Artifact will not be covered by an NZNDB Addendum with AWS, unless it is also covered by an organizations NZNDB Addendum (within the Organization agreements tab). You should only terminate an account NZNDB Addendum either when (a) you are sure that you have removed all personal information from the AWS account and you will no longer use the AWS account in connection with personal information or (b) you join that AWS account as a member account in an AWS organization that has an organizations NZNDB Addendum.

If you are a user of a management account and terminate an organizations NZNDB Addendum within the Organization agreements tab in AWS Artifact, the AWS accounts in that AWS organization will not be covered by an NZNDB Addendum with AWS, unless they are covered by an account NZNDB Addendum (within the Account agreements tab). You should only terminate an organizations NZNDB Addendum either when (a) you are sure that all personal information has been removed from the AWS accounts in that AWS organization and those AWS accounts will no longer be used in connection with personal information or (b) you have agreed account NZNDB Addendums for those AWS accounts that are used in connection with personal information.

If you have both an account NZNDB Addendum and an organizations NZNDB Addendum in place at the same time, the terms of the organizations NZNDB Addendum will apply instead of the terms of the account NZNDB Addendum. Terminating the organizations NZNDB Addendum does not terminate the account NZNDB Addendum, so if you terminate the organizations NZNDB Addendum, the account NZNDB Addendum will then apply to that AWS account.

No. When a member account leaves an AWS organization, any accepted organization agreement(s), such as the organizations NZNDB Addendum no longer apply to that AWS account. If the member account wants one or more of the agreements to continue to apply after leaving the organization, the member account should accept the relevant account agreement(s) under the Account agreements tab in AWS Artifact prior to leaving the AWS organization.

You may use any AWS service in an AWS account covered by an NZNDB Addendum with AWS.

By its terms, the organizations NZNDB Addendum only applies to “NZNDB Accounts,” which are defined as AWS accounts where the entity responsible for that account is subject to the New Zealand Privacy Act, and that AWS account includes “personal information” (as defined in the New Zealand Privacy Act) held by AWS. Accounts that do not meet the definition of an NZNDB Account are not subject to the organizations NZNDB Addendum.

Troubleshooting

  • Make certain that you are using the most current version of your web browser and have Adobe Reader as well.
  • Enable pop-ups for your browser so the attachment can download.
  • Check your recent downloads folder.
  • Review the document and share within your organization, as needed.

Error messages are usually the result of your IAM user not having sufficient permissions to perform the desired action in AWS Artifact. Refer to the table below for a complete list of error messages and how to resolve them:

Error message in AWS Artifact console

Issues Resolution
You don’t have the permissions to accept the agreement You need permissions to accept agreements in AWS Artifact. Contact your account administrator to attach the following permission to your IAM user: artifact:AcceptAgreement 

For an example IAM policy, refer to Agreement Permissions.
You don’t have the permissions to terminate the agreement You need permissions to terminate agreements in AWS Artifact. Contact your account administrator to attach the following permission to your IAM user: artifact:TerminateAgreement 

For an example IAM policy, refer to Agreement Permissions.
You don’t have the permissions to download the agreement You need permissions to download agreements in AWS Artifact. Contact your account administrator to attach the following permission to your IAM user: artifact:DownloadAgreement 

For an example IAM policy, refer to Agreement Permissions.
You don't have the permissions to download this report

You need permissions to download reports in AWS Artifact. Contact your account administrator to attach the following permission to your IAM user: artifact:get.

Your organization must be enabled for all features Your organization is configured only for consolidated billing. To use organization agreements in AWS Artifact, your organization must be enabled for all features. Learn more
Before you can manage agreements for your organization, you need the following permissions: organizations:EnableAWSServiceAccess and organizations:ListAWSServiceAccessForOrganization. These permissions enable AWS Artifact to access organization information in AWS Organizations. Contact your account administrator to attach the following permission to your IAM user:

iam:CreateRole
iam:AttachRolePolicy
iam:ListRoles

For an example IAM policy, refer to Agreement Permissions.
Before you can manage agreements for your organization, you need the following permissions to list, create, and attach IAM roles: iam:ListRoles, iam:CreateRole, and iam:AttachRolePolicy. Contact your account administrator to attach the following permission to your IAM user:

organizations:EnableAWSServiceAccess
organizations:ListAWSServiceAccessForOrganization

For an example IAM policy, refer to Agreement Permissions.

You don’t have the permissions to retrieve information about your AWS account’s organization

Contact your account administrator to attach the following permission to your IAM user:

organizations:DescribeOrganization

For an example IAM policy, refer to Agreement Permissions.
Your account isn’t in an organization You can create or join an organization by following the instructions in Creating and Managing an AWS Organizations.
Your configuration status is “Inactive” One or more event rules that enables your configuration had failed to be properly created. Please delete the configuration and try to create it again at a later time. If the issue persists, please refer to AWS User Notifications troubleshooting.
Your delivery channel status is “Pending” The given email has not been verified yet. Please check your inbox and spam folders for a verification email from AWS User Notifications. If you would like to resend the verification email, you can do so in AWS User Notifications delivery channels.
You don't have permission to list the configurations

Contact your account administrator to attach the following permissions to your IAM user:

 "artifact:GetAccountSettings",
                "notifications:ListChannels",
                "notifications:ListEventRules",
                "notifications:ListNotificationConfigurations",
                "notifications:ListNotificationHubs",
                "notifications-contacts:GetEmailContact"

For an example IAM policy, refer to Agreement Permissions.

You don't have permission to create the configuration

Contact your account administrator to attach the following permissions to your IAM user:

                "artifact:GetAccountSettings",
                "artifact:PutAccountSettings",
                "notifications:AssociateChannel",
                "notifications:CreateEventRule",
                "notifications:TagResource",
                "notifications:CreateNotificationConfiguration",
                "notifications-contacts:CreateEmailContact",
                "notifications-contacts:SendActivationCode",
                "notifications:ListNotificationHubs",
                "notifications:ListEventRules",
                "notifications-contacts:ListEmailContacts"

For an example IAM policy, refer to Agreement Permissions.

You don't have permission to edit the configuration

Contact your account administrator to attach the following permissions to your IAM user:

               "artifact:GetAccountSettings",
                "artifact:PutAccountSettings",
                "notifications:AssociateChannel",
                "notifications:DisassociateChannel",
                "notifications:ListChannels",
                "notifications:GetNotificationConfiguration",
                "notifications:ListTagsForResource",
                "notifications:TagResource",
                "notifications:UntagResource",
                "notifications:UpdateEventRule",
                "notifications:ListEventRules",
                "notifications:UpdateNotificationConfiguration",
                "notifications-contacts:GetEmailContact",
                "notifications-contacts:ListEmailContacts"

For an example IAM policy, refer to Agreement Permissions.

You don't have permission to delete the configuration

Contact your account administrator to attach the following permissions to your IAM user:

"notifications:DeleteNotificationConfiguration",
"notifications:ListEventRules"

For an example IAM policy, refer to Agreement Permissions.

You don't have permission to view details of the configuration

Contact your account administrator to attach the following permissions to your IAM user:

"notifications:ListEventRules",
"notifications:ListChannels",
"notifications:GetNotificationConfiguration",
"notifications:ListTagsForResource",
"notifications-contacts:GetEmailContact"

For an example IAM policy, refer to Agreement Permissions.

You don't have permission to register the notification hubs

Contact your account administrator to attach the following permissions to your IAM user:

"notifications:RegisterHubRegions",
"notifications:DeregisterHubRegions"

For an example IAM policy, refer to Agreement Permissions.

Notifications

AWS Artifact notifications provide users with a user interface to subscribe and unsubscribe to notifications about availability of new documents (i.e., reports or agreements) or updates to existing documents. AWS Artifact uses the AWS User Notification service to send notifications. Notifications are sent to emails that a user provides during notification configuration setup. To learn more about AWS Artifact notifications click here, and to learn more about AWS User notifications click here.

You should use the AWS Artifact notifications feature if you are interested in proactively learning about new reports or agreements that become available on AWS Artifact. By receiving notifications, you will save time and effort needed to manually check for availability of new content by re-visiting the AWS Artifact console. Each notification will also include a link to the specific new report or agreement so that you can easily navigate to it as long as you are logged in to the AWS management console.

You will need permissions to use the AWS Artifact service and AWS User Notifications service. You can set up an IAM policy that defines who (users, groups and roles) can perform which notification related actions on AWS Artifact and AWS User Notifications resources. You can also specify which resources the actions are related to in the policy. To learn more, click here.

For reports, you can filter notifications by choosing specific categories and series of reports on which you need notifications. For agreements, currently we do not provide granular filters as the number of updates to existing agreements or the number of new agreements added is low.

Subscribing to notifications on the AWS Artifact console means that you have opted-in to receive notifications from AWS Artifact service. Subscribing to notifications is a one-time action that is a prerequisite for setting up notification configurations. In case you want to stop notifications from AWS Artifact service, the notification subscription button allows you to turn-off all AWS Artifact notifications using a single button click.

After subscribing, you must create one or more configurations to start receiving notifications. While creating a configuration, you can choose whether you need notifications on all reports and agreements or a subset of reports, and provide the email addresses of the individuals who would like to receive notifications.

Notifications will be delivered to the email addresses provided by the user while creating the notification configuration. Please note that notifications will only be sent to verified email addresses. Additionally, notifications will also be delivered within the AWS User Notifications center console.

AWS Artifact notifications leverage AWS User Notifications service in order to configure notifications and to send emails. You can configure notifications using the AWS Artifact console. You can also view and configure notifications using the AWS User Notifications console.

On AWS Artifact notifications feature, you can provide up to 20 email addresses per notification configuration. Additionally, service quotas of AWS User Notification service will also apply, please refer to more details here.