Example IAM policies for AWS Artifact in AWS GovCloud (US) Regions
These policies are ONLY applicable in AWS GovCloud (US) Regions. For policies applicable to commercial AWS Regions, see Example IAM policies for AWS Artifact in commercial AWS Regions. The GovCloud policies differ from their commercial counterparts in the ARN partition: resources in AWS GovCloud (US) use arn:aws-us-gov:, not arn:aws:. A policy that names an arn:aws: resource matches nothing in GovCloud, so the request is implicitly denied.
You can create permissions policies that grant IAM users access to AWS Artifact reports and the ability to accept and download agreements on behalf of either a single account or an organization.
The following example policies show permissions that you can assign to IAM users based on the level of access that they need. Each policy grants only the actions listed; there is no Deny statement, so anything not listed remains implicitly denied.
Example policies to manage reports
The following policy grants permission to download all reports.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:Get"
      ],
      "Resource": [
        "arn:aws-us-gov:artifact:::report-package/*"
      ]
    }
  ]
}
The following policy grants permission to download only the SOC, PCI, and ISO reports. The report-package path is matched literally, including the spaces in "Certifications and Attestations".
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:Get"
      ],
      "Resource": [
        "arn:aws-us-gov:artifact:::report-package/Certifications and Attestations/SOC/*",
        "arn:aws-us-gov:artifact:::report-package/Certifications and Attestations/PCI/*",
        "arn:aws-us-gov:artifact:::report-package/Certifications and Attestations/ISO/*"
      ]
    }
  ]
}
Example policies to manage agreements
The following policy grants permission to download all agreements. IAM users must also have this permission to accept agreements.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:DownloadAgreement"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
The following policy grants permission to accept an agreement. artifact:DownloadAgreement is included because a user must be able to download an agreement in order to accept it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
The following policy grants permission to terminate an agreement.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
The following policy grants permissions to manage single-account agreements. Unlike the policies above, it scopes the actions to the customer-agreement and agreement resource types rather than to "*".
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement",
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "arn:aws-us-gov:artifact::*:customer-agreement/*",
        "arn:aws-us-gov:artifact:::agreement/*"
      ]
    }
  ]
}
Example policies to integrate with AWS Organizations
The following policy grants permission to create the IAM role that AWS Artifact uses to integrate with AWS Organizations. Your organization's management account must have these permissions to get started with organizational agreements. iam:CreateRole is limited to the role name AWSArtifactAccountSync, and the Condition on iam:AttachRolePolicy restricts the holder to attaching the AWS managed policy AWSArtifactAccountSync; without that condition the holder could attach any policy to the role that AWS Artifact assumes. Note that scoping iam:CreateRole by role name does not constrain the trust policy of the role that is created.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "arn:aws-us-gov:iam::*:role/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateRole",
      "Resource": "arn:aws-us-gov:iam::*:role/service-role/AWSArtifactAccountSync"
    },
    {
      "Effect": "Allow",
      "Action": "iam:AttachRolePolicy",
      "Resource": "arn:aws-us-gov:iam::*:role/service-role/AWSArtifactAccountSync",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyARN": "arn:aws-us-gov:iam::aws:policy/service-role/AWSArtifactAccountSync"
        }
      }
    }
  ]
}
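The script below is an added example and is not part of the AWS documentation or any AWS tool. It lints an AWS Artifact policy for the two mistakes most likely when these policies are copied from the commercial-Region page: an ARN in the arn:aws: partition, which matches nothing in AWS GovCloud (US), and an iam:AttachRolePolicy grant that is not pinned to the AWSArtifactAccountSync managed policy through an iam:PolicyARN condition, as the role-creation policy above is. It also rewrites the partition of every ARN so that a commercial policy can be reused. The two embedded policies are constructed samples, and the function names, check list and finding wording are this example's own.

```python
"""Lint and re-partition AWS Artifact IAM policies for AWS GovCloud (US).

Added example, not AWS code. Assumes the GovCloud partition string
"aws-us-gov" and the policy layouts shown on the documentation page.
"""
import copy
import json
import re

GOVCLOUD_PARTITION = "aws-us-gov"
ARN_RE = re.compile(r"^arn:(?P<partition>[^:]*):")

# Constructed sample: a single-account agreement policy plus an unpinned
# iam:AttachRolePolicy grant, as it would look if copied verbatim from the
# commercial-Region page (wrong partition).
COMMERCIAL_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow",
    "Action": [ "artifact:AcceptAgreement", "artifact:DownloadAgreement", "artifact:TerminateAgreement" ],
    "Resource": [ "arn:aws:artifact::*:customer-agreement/*", "arn:aws:artifact:::agreement/*" ] },
  { "Effect": "Allow", "Action": "iam:AttachRolePolicy",
    "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync" } ] }
""")

# Constructed sample: the role-creation policy in its correct GovCloud form.
GOVCLOUD_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:ListRoles",
         "Resource": "arn:aws-us-gov:iam::*:role/*"},
        {"Effect": "Allow", "Action": "iam:CreateRole",
         "Resource": "arn:aws-us-gov:iam::*:role/service-role/AWSArtifactAccountSync"},
        {"Effect": "Allow", "Action": "iam:AttachRolePolicy",
         "Resource": "arn:aws-us-gov:iam::*:role/service-role/AWSArtifactAccountSync",
         "Condition": {"ArnEquals": {
             "iam:PolicyARN": "arn:aws-us-gov:iam::aws:policy/service-role/AWSArtifactAccountSync"}}},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_govcloud_policy(policy):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Check 1: every ARN must be in the GovCloud partition. An arn:aws:
        # resource never matches a GovCloud resource, so the statement grants
        # nothing and the caller gets an implicit deny.
        for res in resources:
            m = ARN_RE.match(res)
            if m and m.group("partition") != GOVCLOUD_PARTITION:
                findings.append(f"statement {idx}: resource {res!r} uses partition "
                                f"{m.group('partition')!r}, expected {GOVCLOUD_PARTITION!r}")
        # Check 2: iam:AttachRolePolicy must be pinned to one managed policy via
        # iam:PolicyARN; otherwise the holder can attach any policy to the role.
        if "iam:AttachRolePolicy" in actions:
            cond = stmt.get("Condition", {})
            pinned = any("iam:PolicyARN" in v for v in cond.values() if isinstance(v, dict))
            if not pinned:
                findings.append(f"statement {idx}: iam:AttachRolePolicy without an iam:PolicyARN condition")
        # Check 3: role-mutating IAM actions must name the role, not "*".
        for act in actions:
            if act in ("iam:CreateRole", "iam:AttachRolePolicy") and "*" in resources:
                findings.append(f'statement {idx}: {act} on Resource "*"')
    return findings


def repartition(policy, partition=GOVCLOUD_PARTITION):
    """Return a deep copy with every ARN in Resource and Condition moved to `partition`."""
    out = copy.deepcopy(policy)

    def fix(value):
        if isinstance(value, str):
            return ARN_RE.sub(f"arn:{partition}:", value, count=1)
        if isinstance(value, list):
            return [fix(v) for v in value]
        if isinstance(value, dict):
            return {k: fix(v) for k, v in value.items()}
        return value

    for stmt in _as_list(out.get("Statement")):
        for key in ("Resource", "Condition"):
            if key in stmt:
                stmt[key] = fix(stmt[key])
    return out


if __name__ == "__main__":
    for finding in lint_govcloud_policy(COMMERCIAL_POLICY):
        print("FINDING:", finding)
    print(json.dumps(repartition(COMMERCIAL_POLICY), indent=2))
```

Run as a script it prints the findings for the constructed commercial-partition policy and then the re-partitioned policy. The linter only inspects Resource and Condition values textually; it does not evaluate IAM policy semantics, so it is a pre-commit sanity check, not a replacement for testing the policy against a real GovCloud principal.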
The following policy grants the permissions needed to enable trusted access for AWS Artifact in AWS Organizations. Your organization's management account must have these permissions to get started with organizational agreements. These Organizations actions do not support resource-level scoping, so the Resource is "*".
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    }
  ]
}
Example policies to manage agreements for the management account
The following policy grants permissions to manage agreements for the management account. It combines the agreement, IAM role, and AWS Organizations permissions shown above into one policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement",
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "arn:aws-us-gov:artifact::*:customer-agreement/*",
        "arn:aws-us-gov:artifact:::agreement/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "arn:aws-us-gov:iam::*:role/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateRole",
      "Resource": "arn:aws-us-gov:iam::*:role/service-role/AWSArtifactAccountSync"
    },
    {
      "Effect": "Allow",
      "Action": "iam:AttachRolePolicy",
      "Resource": "arn:aws-us-gov:iam::*:role/service-role/AWSArtifactAccountSync",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyARN": "arn:aws-us-gov:iam::aws:policy/service-role/AWSArtifactAccountSync"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListAccounts",
        "organizations:ListAWSServiceAccessForOrganization"
      ],
      "Resource": "*"
    }
  ]
}
Example policies to manage organizational agreements
The following policy grants permissions to manage organizational agreements. It does not include the IAM role or AWS Organizations trusted-access permissions, so a user in the management account with the permissions shown above must first set up the organizational agreements integration.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:AcceptAgreement",
        "artifact:DownloadAgreement",
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "arn:aws-us-gov:artifact::*:customer-agreement/*",
        "arn:aws-us-gov:artifact:::agreement/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization"
      ],
      "Resource": "*"
    }
  ]
}
The following policy grants permissions to view organizational agreements. It is the read-only subset of the previous policy: artifact:DownloadAgreement only, with no accept or terminate actions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:DownloadAgreement"
      ],
      "Resource": [
        "arn:aws-us-gov:artifact::*:customer-agreement/*",
        "arn:aws-us-gov:artifact:::agreement/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization"
      ],
      "Resource": "*"
    }
  ]
}