Migrating reports to fine-grained permissions for AWS Artifact - AWS Artifact

Note

The content of this page is only applicable to commercial AWS Regions, and does not currently apply to AWS GovCloud (US) Regions.

You can now use fine-grained permissions for AWS Artifact. These permissions give you granular control over access to features such as accepting terms and downloading reports.

To access reports through the fine-grained permissions, you can use the AWSArtifactReportsReadOnlyAccess managed policy or update your permissions as recommended below.

Note

The legacy IAM action artifact:Get is deprecated as of March 3, 2025.

Migrating reports to new permissions

Migrate non-resource specific permissions

Replace your existing policy containing legacy permissions with a policy containing fine-grained permissions.

Legacy policy:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "artifact:Get"
        ],
        "Resource": [
            "arn:aws:artifact:::report-package/*"
        ]
    }]
}

New policy with fine-grained permissions:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "artifact:ListReports",
            "artifact:GetReportMetadata",
            "artifact:GetReport",
            "artifact:GetTermForReport"
        ],
        "Resource": "*"
    }]
}

Migrate resource-specific permissions

Replace your existing policy containing legacy permissions with a policy containing fine-grained permissions. Report resource wildcard permissions have been replaced with condition keys.

Legacy policy:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "artifact:Get"
        ],
        "Resource": [
            "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
            "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
            "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"
        ]
    }]
}

New policy with fine-grained permissions and condition keys:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "artifact:ListReports"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "artifact:GetReportMetadata",
                "artifact:GetReport",
                "artifact:GetTermForReport"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "artifact:ReportSeries": [
                        "SOC",
                        "PCI",
                        "ISO"
                    ],
                    "artifact:ReportCategory": [
                        "Certifications and Attestations"
                    ]
                }
            }
        }
    ]
}
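The two migrations above can be applied mechanically to a policy document. The following Python is an added example, not AWS code; its function names are hypothetical, and it assumes every legacy resource ARN has the form report-package/<category>/<series>/* (or report-package/*) as in the policies on this page. It refuses anything else rather than guess.

```python
import json

LEGACY = "artifact:get"  # IAM action names are case-insensitive
PREFIX = "arn:aws:artifact:::report-package/"
READ = ["artifact:GetReportMetadata", "artifact:GetReport", "artifact:GetTermForReport"]

def as_list(value):
    return value if isinstance(value, list) else [value]

def migrate_statement(stmt):
    """Return fine-grained replacements for a legacy statement, or None if it is not legacy."""
    actions = [a.lower() for a in as_list(stmt.get("Action", []))]
    if LEGACY not in actions:
        return None
    if stmt.get("Effect") != "Allow" or len(actions) != 1:
        raise ValueError("legacy action in a Deny or mixed statement: migrate by hand")
    by_category = {}
    for arn in as_list(stmt["Resource"]):
        if not arn.startswith(PREFIX):
            raise ValueError(f"unexpected resource: {arn}")
        parts = arn[len(PREFIX):].split("/")
        if parts == ["*"]:  # unscoped access: no condition keys needed
            return [{"Effect": "Allow", "Action": ["artifact:ListReports"] + READ, "Resource": "*"}]
        if len(parts) != 3 or parts[2] != "*" or "*" in parts[0] + parts[1]:
            raise ValueError(f"cannot map to condition keys: {arn}")
        by_category.setdefault(parts[0], []).append(parts[1])
    out = [{"Effect": "Allow", "Action": ["artifact:ListReports"], "Resource": "*"}]
    # One statement per category: merging categories into a single StringEquals
    # would allow every category/series combination, which over-grants.
    for category, series in by_category.items():
        out.append({"Effect": "Allow", "Action": READ, "Resource": "*",
                    "Condition": {"StringEquals": {"artifact:ReportSeries": series,
                                                   "artifact:ReportCategory": [category]}}})
    return out

def migrate_policy(policy):
    statements = []
    for stmt in as_list(policy["Statement"]):
        replacement = migrate_statement(stmt)
        statements.extend([stmt] if replacement is None else replacement)
    return {"Version": policy["Version"], "Statement": statements}

# The resource-specific legacy policy from this page, used as sample input.
LEGACY_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["artifact:Get"], "Resource": [
    PREFIX + "Certifications and Attestations/SOC/*",
    PREFIX + "Certifications and Attestations/PCI/*",
    PREFIX + "Certifications and Attestations/ISO/*"]}]}

if __name__ == "__main__":
    print(json.dumps(migrate_policy(LEGACY_POLICY), indent=2))
```

Statements that the function rejects, such as a Deny or a statement mixing artifact:Get with other actions, need manual review before the policy is replaced.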