Migrating reports to fine-grained permissions for AWS Artifact

You can now use fine-grained permissions for AWS Artifact. These permissions give you granular control over access to features such as accepting terms and downloading reports.

To access reports through fine-grained permissions, you can use the AWSArtifactReportsReadOnlyAccess managed policy or update your permissions as recommended below. If you previously opted out of fine-grained permissions, you should opt in using the “opt-in to fine-grained permissions for AWS Artifact reports” link available in the reports console.

If there is an issue with updating to the new permissions, you have the option to access the reports with the old permissions through the “opt-out of the fine-grained permissions for AWS Artifact reports” link available in the console.

Migrating reports to new permissions

Migrate non-resource specific permissions

Replace your existing policy containing legacy permissions with a policy containing fine-grained permissions.

Legacy policy:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "artifact:Get"
        ],
        "Resource": [
            "arn:aws:artifact:::report-package/*"
        ]
    }]
}

New policy with fine-grained permissions:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "artifact:ListReports",
            "artifact:GetReportMetadata",
            "artifact:GetReport",
            "artifact:GetTermForReport"
        ],
        "Resource": "*"
    }]
}

Migrate resource-specific permissions

Replace your existing policy containing legacy permissions with a policy containing fine-grained permissions. Report resource wildcard permissions have been replaced with condition keys.

Legacy policy:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "artifact:Get"
        ],
        "Resource": [
            "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
            "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
            "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"
        ]
    }]
}

New policy with fine-grained permissions and condition keys:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "artifact:ListReports"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "artifact:GetReportMetadata",
                "artifact:GetReport",
                "artifact:GetTermForReport"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "artifact:ReportSeries": [
                        "SOC",
                        "PCI",
                        "ISO"
                    ],
                    "artifact:ReportCategory": [
                        "Certifications and Attestations"
                    ]
                }
            }
        }
    ]
}
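
The two migrations above can be applied mechanically when reviewing many policies. The following Python helper is an added example, not AWS code. It assumes legacy report ARNs have the form report-package/<category>/<series>/*, as in the policies on this page, and it goes beyond the page's single-category case by emitting one conditioned statement per category; `migrate`, `as_list` and `LEGACY` are hypothetical names.

```python
import json
from collections import defaultdict

PREFIX = "arn:aws:artifact:::report-package/"
READ = ["artifact:GetReportMetadata", "artifact:GetReport", "artifact:GetTermForReport"]

def as_list(value):
    return value if isinstance(value, list) else [value]

def migrate(legacy_policy):
    """Rewrite Allow statements on legacy artifact:Get as fine-grained ones."""
    series_by_category = defaultdict(list)  # report category -> report series
    all_reports, kept = False, []
    for stmt in legacy_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or as_list(stmt.get("Action")) != ["artifact:Get"]:
            kept.append(stmt)  # not a pure legacy report statement: keep as is
            continue
        for arn in as_list(stmt["Resource"]):
            # Assumption: the path is <category>/<series>/*, as in the page's ARNs.
            parts = arn[len(PREFIX):].split("/") if arn.startswith(PREFIX) else []
            if parts == ["*"]:
                all_reports = True
            elif len(parts) == 3 and parts[2] == "*" and "*" not in parts[0] + parts[1]:
                if parts[1] not in series_by_category[parts[0]]:
                    series_by_category[parts[0]].append(parts[1])
            else:
                raise ValueError(f"review by hand, unsupported resource: {arn}")
    if all_reports:
        new = [{"Effect": "Allow", "Action": ["artifact:ListReports"] + READ, "Resource": "*"}]
    else:
        new = [{"Effect": "Allow", "Action": ["artifact:ListReports"], "Resource": "*"}] if series_by_category else []
        # One statement per category: keys inside a Condition are ANDed, so
        # merging categories would allow every category/series combination.
        for category, series in series_by_category.items():
            new.append({"Effect": "Allow", "Action": READ, "Resource": "*",
                        "Condition": {"StringEquals": {
                            "artifact:ReportSeries": series,
                            "artifact:ReportCategory": [category]}}})
    return {"Version": legacy_policy["Version"], "Statement": kept + new}

# Sample input: the resource-specific legacy policy from this page.
LEGACY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["artifact:Get"],
          "Resource": [PREFIX + "Certifications and Attestations/" + s + "/*"
                       for s in ("SOC", "PCI", "ISO")]}]}

if __name__ == "__main__":
    print(json.dumps(migrate(LEGACY), indent=2))
```

Resource patterns that do not fit the assumed shape raise an error so that they are reviewed by hand rather than silently widened.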