Using AWS managed policies for AWS Artifact
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
AWS managed policy: AWSArtifactReportsReadOnlyAccess
You can attach the AWSArtifactReportsReadOnlyAccess policy to your IAM identities.
This policy grants read-only permissions that allow listing, viewing, and downloading reports.
Permissions details
This policy includes the following permissions.
- artifact – Allows principals to list, view, and download reports from AWS Artifact.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "artifact:Get",
        "artifact:GetReport",
        "artifact:GetReportMetadata",
        "artifact:GetTermForReport",
        "artifact:ListReports"
      ],
      "Resource": "*"
    }
  ]
}
```
AWS managed policy: AWSArtifactAgreementsReadOnlyAccess
You can attach the AWSArtifactAgreementsReadOnlyAccess policy to your IAM identities.
This policy grants read-only access to list the AWS Artifact service agreements and to download the accepted agreements. It also includes permissions to list as well as describe the organization details. Additionally, the policy provides the ability to check if the required service-linked role exists.
Permissions details
This policy includes the following permissions.
- artifact – Allows principals to list all the agreements and to view accepted agreements from AWS Artifact.
- IAM – Allows principals to check if the service-linked role exists using GetRole.
- organization – Allows principals to describe the organization and to list service access for the organization.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAgreementsActions",
      "Effect": "Allow",
      "Action": [
        "artifact:ListAgreements",
        "artifact:ListCustomerAgreements"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GetCustomerAgreementActions",
      "Effect": "Allow",
      "Action": [
        "artifact:GetCustomerAgreement"
      ],
      "Resource": "arn:aws:artifact::*:customer-agreement/*"
    },
    {
      "Sid": "AWSOrganizationActions",
      "Effect": "Allow",
      "Action": [
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganization"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GetRole",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact"
    }
  ]
}
```
AWS managed policy: AWSArtifactAgreementsFullAccess
You can attach the AWSArtifactAgreementsFullAccess policy to your IAM identities.
This policy grants full permissions to list, download, accept, and terminate AWS Artifact agreements. It also includes permissions to list and enable AWS service access in the Organization service, as well as describe the organization details. Additionally, the policy provides the ability to check if the required service-linked role exists and to create one if it doesn't.
Permissions details
This policy includes the following permissions.
- artifact – Allows principals to list, download, accept, and terminate the agreements from AWS Artifact.
- IAM – Allows principals to create the service-linked role and to check if the service-linked role exists using GetRole.
- organization – Allows principals to describe the organization and to list and enable service access for the organization.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAgreementActions",
      "Effect": "Allow",
      "Action": [
        "artifact:ListAgreements",
        "artifact:ListCustomerAgreements"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AWSAgreementActions",
      "Effect": "Allow",
      "Action": [
        "artifact:GetAgreement",
        "artifact:AcceptNdaForAgreement",
        "artifact:GetNdaForAgreement",
        "artifact:AcceptAgreement"
      ],
      "Resource": "arn:aws:artifact:::agreement/*"
    },
    {
      "Sid": "CustomerAgreementActions",
      "Effect": "Allow",
      "Action": [
        "artifact:GetCustomerAgreement",
        "artifact:TerminateAgreement"
      ],
      "Resource": "arn:aws:artifact::*:customer-agreement/*"
    },
    {
      "Sid": "CreateServiceLinkedRoleForOrganizationsIntegration",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "artifact.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "GetRoleToCheckForRoleExistence",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact"
    },
    {
      "Sid": "EnableServiceTrust",
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DescribeOrganization"
      ],
      "Resource": "*"
    }
  ]
}
```
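Because an update to an AWS managed policy reaches every principal it is attached to, it is useful to know exactly which grants differ between two policy documents, whether that is a pinned baseline against a newly published version or the read-only policy against the full-access one. The following Python is an added example, not AWS code: it diffs the two agreements policies shown on this page. The names `allow`, `grants`, `added_grants` and `state_changing` are hypothetical, and the Get/List/Describe verb test is a heuristic assumption, not an AWS classification.

```python
# Added example: diff the (action, resource) grants of two IAM policy documents.
# The policies are transcribed from this page; Sid and Condition are omitted
# because the comparison covers Allow action/resource pairs only (exact strings,
# no wildcard expansion), so a Condition-only change would not be reported.
SLR = "arn:aws:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact"
CUST = "arn:aws:artifact::*:customer-agreement/*"

def allow(resource, *actions):  # hypothetical helper to keep the samples short
    return {"Effect": "Allow", "Action": list(actions), "Resource": resource}

READ_ONLY = {"Version": "2012-10-17", "Statement": [
    allow("*", "artifact:ListAgreements", "artifact:ListCustomerAgreements"),
    allow(CUST, "artifact:GetCustomerAgreement"),
    allow("*", "organizations:ListAWSServiceAccessForOrganization",
          "organizations:DescribeOrganization"),
    allow(SLR, "iam:GetRole"),
]}
FULL = {"Version": "2012-10-17", "Statement": [
    allow("*", "artifact:ListAgreements", "artifact:ListCustomerAgreements"),
    allow("arn:aws:artifact:::agreement/*", "artifact:GetAgreement",
          "artifact:AcceptNdaForAgreement", "artifact:GetNdaForAgreement",
          "artifact:AcceptAgreement"),
    allow(CUST, "artifact:GetCustomerAgreement", "artifact:TerminateAgreement"),
    allow(SLR, "iam:CreateServiceLinkedRole"),
    allow(SLR, "iam:GetRole"),
    allow("*", "organizations:EnableAWSServiceAccess",
          "organizations:ListAWSServiceAccessForOrganization",
          "organizations:DescribeOrganization"),
]}

def _as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def grants(policy):
    """Flatten every Allow statement into a set of (action, resource) pairs."""
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return {(a, r) for s in stmts if s.get("Effect") == "Allow"
            for a in _as_list(s["Action"]) for r in _as_list(s["Resource"])}

def added_grants(baseline, current):
    """Pairs allowed by `current` that `baseline` did not allow, sorted."""
    return sorted(grants(current) - grants(baseline))

def state_changing(pairs):
    """Heuristic: a verb that is not Get*/List*/Describe* is treated as a write."""
    return [(a, r) for a, r in pairs
            if not a.split(":", 1)[1].startswith(("Get", "List", "Describe"))]

if __name__ == "__main__":
    for action, resource in state_changing(added_grants(READ_ONLY, FULL)):
        print(f"{action:45} {resource}")
```

To review an update, save the policy document you approved as the baseline and pass the currently published document as `current`.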
AWS Artifact updates to AWS managed policies
View details about updates to AWS managed policies for AWS Artifact since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Artifact Document history page.
Change | Description | Date |
---|---|---|
AWS Artifact started tracking changes | AWS Artifact started tracking changes for its AWS managed policies and introduced AWSArtifactReportsReadOnlyAccess. | 2023-12-15 |
Introduced AWS Agreements managed policies | Introduced AWSArtifactAgreementsReadOnlyAccess and AWSArtifactAgreementsFullAccess managed policies. | 2024-11-21 |