AWS Artifact and Compliance Programs
Learn what AWS Artifact is, how to access compliance reports, and understand key compliance programs like SOC, PCI DSS, HIPAA, and ISO 27001.
What is AWS Artifact?
AWS Artifact is a self-service portal in the AWS Management Console that gives you on-demand access to AWS's compliance reports, certifications, and agreements.
Think of it as the filing cabinet where AWS keeps its security paperwork — and you can open it any time.
Note
Artifact does not evaluate your resources. It provides AWS's own compliance documentation. For evaluating your resource configurations, you would use AWS Config.
What you find in Artifact
Artifact provides two categories of documents:
Reports — Third-party audit reports and certifications that prove AWS meets specific security standards.
Agreements — Legal agreements between you and AWS, such as the Business Associate Addendum (BAA) for HIPAA workloads.
Key compliance programs
AWS participates in dozens of compliance programs. These are the most commonly referenced:
| Program | What it covers |
|---|---|
| SOC 1 / SOC 2 / SOC 3 | Independent audits of AWS's controls — SOC 1 focuses on financial reporting controls, SOC 2 on security/availability/confidentiality, SOC 3 is a public summary |
| PCI DSS | Payment Card Industry Data Security Standard — required if you process credit card data |
| HIPAA | Health Insurance Portability and Accountability Act — required for protected health information (PHI) in the US |
| ISO 27001 | International standard for information security management systems |
| FedRAMP | Federal Risk and Authorization Management Program — required for US government cloud workloads |
Tip
You do not need to memorize every compliance program. Focus on recognizing what Artifact is and where to find these reports.
Shared responsibility for compliance
Compliance follows the same shared responsibility model as security:
- AWS is responsible for achieving and maintaining certifications for the cloud infrastructure (the "security of the cloud" side)
- You are responsible for implementing controls in your own workloads and demonstrating that your usage meets the compliance requirements (the "security in the cloud" side)
For example, AWS achieves PCI DSS compliance for its infrastructure. But if you process credit cards on AWS, you must also follow PCI DSS controls in your application, network configuration, and data handling.
How to access reports in the console
- Open the AWS Management Console
- Search for Artifact in the service search bar
- Choose Reports to browse available audit reports
- Choose Agreements to review or accept legal agreements like the BAA
Note
Access to some Artifact reports requires accepting an NDA (non-disclosure agreement) within the portal. This is normal — the reports contain sensitive audit details.
Quick comparison: Artifact vs Config
| | AWS Artifact | AWS Config |
|---|---|---|
| Purpose | Access AWS's compliance reports and agreements | Evaluate your resource configurations against rules |
| Who is being evaluated? | AWS (third-party audits of AWS infrastructure) | Your resources (your S3 buckets, EC2 instances, etc.) |
| Output | PDF reports, agreements | Compliance dashboards, rule evaluations |
The governance triad: Artifact, Config, and Audit Manager
Three services work together in the compliance story:
| Service | What it gives you | What it does not do | Best-fit use case |
|---|---|---|---|
| AWS Artifact | Downloadable compliance reports and agreements (SOC, PCI) | Does not map your resource usage to controls | "Show me AWS's compliance documentation" |
| AWS Config | Resource configuration history and rule evaluation | Not a compliance evidence binder by itself | Continuous configuration tracking |
| AWS Audit Manager | Control-framework mapping and automated evidence collection | Does not assess compliance itself | Reduce audit evidence collection effort |
Warning
Important 2026 availability change: AWS Audit Manager is transitioning to maintenance mode and will not be available to new customers starting April 30, 2026. Existing customers can continue using it. The conceptual knowledge remains relevant for understanding how compliance evidence collection works.
Modern alternative approach
For new accounts created after April 2026, combine these services to achieve similar outcomes:
- AWS Config for resource configuration snapshots and compliance rules
- AWS Security Hub (with CSPM enabled) for security posture checks
- CloudTrail for user activity logging
- Custom reporting to assemble evidence for auditors
Audit Manager's unique value was pre-built framework mappings (PCI DSS, SOC 2) and automated evidence collection. Without it, you will build similar workflows using the above services.
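The custom-reporting step above, as an added example that is not from the original page or from AWS: it rolls Config rule results and CloudTrail events up to controls and hashes the bundle handed to auditors. The control IDs, the mapping, and the sample responses are constructed assumptions; the response shapes follow `describe-compliance-by-config-rule` and `lookup-events`, and Security Hub findings are left out to keep the example to one case.

```python
import hashlib
import json

# Hypothetical control IDs and mappings; a real mapping comes from your audit framework.
CONTROL_MAP = {
    "CTRL-STORAGE-01": {"rules": ["s3-bucket-public-read-prohibited"], "events": ["PutBucketPolicy"]},
    "CTRL-LOGGING-01": {"rules": ["cloudtrail-enabled"], "events": ["StopLogging"]},
    "CTRL-CRYPTO-01": {"rules": ["encrypted-volumes"], "events": []},
}

# Constructed samples shaped like Config describe-compliance-by-config-rule
# and CloudTrail lookup-events responses.
CONFIG_RESP = {"ComplianceByConfigRules": [
    {"ConfigRuleName": "s3-bucket-public-read-prohibited", "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "cloudtrail-enabled", "Compliance": {"ComplianceType": "COMPLIANT"}},
]}
TRAIL_RESP = {"Events": [
    {"EventId": "evt-0001", "EventName": "PutBucketPolicy", "Username": "alice", "EventTime": "2026-05-02T10:15:00Z"},
    {"EventId": "evt-0002", "EventName": "ConsoleLogin", "Username": "bob", "EventTime": "2026-05-02T11:00:00Z"},
]}

def build_evidence(control_map, config_resp, trail_resp):
    """Return {control: {status, config_rules, cloudtrail_events}} for the auditor."""
    rule_state = {r["ConfigRuleName"]: r["Compliance"]["ComplianceType"]
                  for r in config_resp["ComplianceByConfigRules"]}
    report = {}
    for control, sources in sorted(control_map.items()):
        # A mapped rule with no result is an evidence gap, not a pass.
        states = {rule: rule_state.get(rule, "NO_EVALUATION") for rule in sources["rules"]}
        if "NON_COMPLIANT" in states.values():
            status = "FAIL"
        elif states and all(s == "COMPLIANT" for s in states.values()):
            status = "PASS"
        else:
            status = "MISSING_EVIDENCE"  # rule not deployed, or INSUFFICIENT_DATA
        activity = [e for e in trail_resp["Events"] if e["EventName"] in sources["events"]]
        report[control] = {"status": status, "config_rules": states, "cloudtrail_events": activity}
    return report

def seal(report):
    """SHA-256 over canonical JSON so the delivered bundle can be re-verified later."""
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

if __name__ == "__main__":
    evidence = build_evidence(CONTROL_MAP, CONFIG_RESP, TRAIL_RESP)
    print(json.dumps(evidence, indent=2))
    print("sha256:", seal(evidence))
```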
Summary
- AWS Artifact is a self-service portal for compliance reports and agreements
- Key programs include SOC 1/2/3, PCI DSS, HIPAA, ISO 27001, and FedRAMP
- AWS provides the compliance evidence; you implement the controls in your workloads
- Artifact is not the same as Config — Artifact gives you AWS's reports, Config evaluates your resources
- AWS Audit Manager automates evidence collection for audits (note 2026 availability change for new customers)
- For new accounts: combine Config + Security Hub + CloudTrail for similar outcomes to Audit Manager