AWS Security ChangesHomeSearch

AWS artifact documentation change

Service: artifact · 2025-04-03 · Documentation low

File: artifact/latest/ug/example-govcloud-iam-policies.md

Summary

Updated IAM policy examples for AWS Artifact in GovCloud with expanded actions, resource patterns, and condition keys. Added service-linked role creation permissions, refined agreement management policies, and improved resource scoping with conditions.

Security assessment

Changes focus on improving least-privilege practices by adding granular actions (e.g., ListReports, GetNdaForAgreement), implementing resource conditions, and using service-linked roles. While these are security improvements, there's no evidence they address a specific disclosed vulnerability.

Diff

diff --git a/artifact/latest/ug/example-govcloud-iam-policies.md b/artifact/latest/ug/example-govcloud-iam-policies.md
index ef118062e..8e9cc2903 100644
--- a//artifact/latest/ug/example-govcloud-iam-policies.md
+++ b//artifact/latest/ug/example-govcloud-iam-policies.md
@@ -13 +13 @@ The following example policies show permissions that you can assign to IAM users
-  * Example policies to manage reports
+  * Example policies to manage AWS reports
@@ -37 +37,4 @@ The following policy grants permission to download all reports.
-                    "artifact:Get"
+            "artifact:ListReports",
+            "artifact:GetReportMetadata",
+            "artifact:GetReport",
+            "artifact:GetTermForReport"
@@ -39,3 +42 @@ The following policy grants permission to download all reports.
-                "Resource": [
-                    "arn:aws:artifact:::report-package/*"
-                ]
+          "Resource": "*"
@@ -55 +56,4 @@ The following policy grants permission to download only the SOC, PCI, and ISO re
-                    "artifact:Get"
+            "artifact:ListReports",
+            "artifact:GetReportMetadata",
+            "artifact:GetReport",
+            "artifact:GetTermForReport"
@@ -57,4 +61,10 @@ The following policy grants permission to download only the SOC, PCI, and ISO re
-                "Resource": [
-                    "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
-                    "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
-                    "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "artifact:ReportSeries": [
+                "SOC",
+                "PCI",
+                "ISO"
+              ],
+              "artifact:ReportCategory": [
+                "Certifications And Attestations"
@@ -62,0 +73,2 @@ The following policy grants permission to download only the SOC, PCI, and ISO re
+          }
+        }
@@ -77 +89,2 @@ The following policy grants permission to download all agreements. IAM users mus
-                    "artifact:DownloadAgreement"
+            "artifact:ListAgreements",
+            "artifact:ListCustomerAgreements"
@@ -81,0 +95,18 @@ The following policy grants permission to download all agreements. IAM users mus
+        },
+        {
+          "Sid": "AWSAgreementActions",
+          "Effect": "Allow",
+          "Action": [
+            "artifact:GetAgreement",
+            "artifact:AcceptNdaForAgreement",
+            "artifact:GetNdaForAgreement"
+          ],
+          "Resource": "arn:aws-us-gov:artifact:::agreement/*"
+        },
+        {
+          "Sid": "CustomerAgreementActions",
+          "Effect": "Allow",
+          "Action": [
+            "artifact:GetCustomerAgreement"
+          ],
+          "Resource": "arn:aws-us-gov:artifact::*:customer-agreement/*"
@@ -86 +117 @@ The following policy grants permission to download all agreements. IAM users mus
-The following policy grants permission to accept an agreement.
+The following policy grants permission to accept all agreement.
@@ -95,2 +126 @@ The following policy grants permission to accept an agreement.
-                    "artifact:AcceptAgreement",
-                    "artifact:DownloadAgreement"
+            "artifact:ListAgreements"
@@ -100,0 +131,11 @@ The following policy grants permission to accept an agreement.
+        },
+        {
+          "Sid": "AWSAgreementActions",
+          "Effect": "Allow",
+          "Action": [
+            "artifact:GetAgreement",
+            "artifact:AcceptNdaForAgreement",
+            "artifact:GetNdaForAgreement",
+            "artifact:AcceptAgreement"
+          ],
+          "Resource": "arn:aws-us-gov:artifact:::agreement/*"
@@ -105 +146 @@ The following policy grants permission to accept an agreement.
-The following policy grants permission to terminate an agreement.
+The following policy grants permission to terminate all agreement.
@@ -111,0 +153,10 @@ The following policy grants permission to terminate an agreement.
+          "Sid": "ListAgreementActions",
+          "Effect": "Allow",
+          "Action": [
+            "artifact:ListAgreements",
+            "artifact:ListCustomerAgreements"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "CustomerAgreementActions",
@@ -113,0 +165 @@ The following policy grants permission to terminate an agreement.
+            "artifact:GetCustomerAgreement",
@@ -116,3 +168 @@ The following policy grants permission to terminate an agreement.
-                "Resource": [
-                    "*"
-                ]
+          "Resource": "arn:aws-us-gov:artifact::*:customer-agreement/*"
@@ -123 +173 @@ The following policy grants permission to terminate an agreement.
-The following policy grants permissions to manage single account agreements.
+The following policy grants permissions to view and execute account level agreements.
@@ -129,0 +180,21 @@ The following policy grants permissions to manage single account agreements.
+          "Sid": "ListAgreementActions",
+          "Effect": "Allow",
+          "Action": [
+            "artifact:ListAgreements",
+            "artifact:ListCustomerAgreements"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "AWSAgreementActions",
+          "Effect": "Allow",
+          "Action": [
+            "artifact:GetAgreement",
+            "artifact:AcceptNdaForAgreement",
+            "artifact:GetNdaForAgreement",
+            "artifact:AcceptAgreement"
+          ],
+          "Resource": "arn:aws-us-gov:artifact:::agreement/*"
+        },
+        {
+          "Sid": "CustomerAgreementActions",
@@ -132,2 +203 @@ The following policy grants permissions to manage single account agreements.
-                    "artifact:AcceptAgreement",
-                    "artifact:DownloadAgreement",
+            "artifact:GetCustomerAgreement",
@@ -136,4 +206 @@ The following policy grants permissions to manage single account agreements.
-                "Resource": [
-                    "arn:aws:artifact::*:customer-agreement/*",
-                    "arn:aws:artifact:::agreement/*"
-                ]
+          "Resource": "arn:aws-us-gov:artifact::*:customer-agreement/*"
@@ -152,0 +220 @@ The following policy grants permission to create the IAM role that AWS Artifact
+          "Sid": "CreateServiceLinkedRoleForOrganizationsIntegration",
@@ -154,12 +222,5 @@ The following policy grants permission to create the IAM role that AWS Artifact
-                "Action": "iam:ListRoles",
-                "Resource": "arn:aws:iam::*:role/*"
-            },
-            {
-                "Effect": "Allow",
-                "Action": "iam:CreateRole",
-                "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync"
-            },
-            {
-                "Effect": "Allow",
-                "Action": "iam:AttachRolePolicy",
-                "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync",
+          "Action": [
+            "iam:CreateServiceLinkedRole",
+            "iam:GetRole"
+          ],
+          "Resource": "arn:aws-us-gov:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact",
@@ -167,2 +228,4 @@ The following policy grants permission to create the IAM role that AWS Artifact
-                    "ArnEquals": {
-                        "iam:PolicyARN": "arn:aws:iam::aws:policy/service-role/AWSArtifactAccountSync"
+            "StringEquals": {
+              "iam:AWSServiceName": [
+                "artifact.amazonaws.com"
+              ]
@@ -201,0 +265 @@ The following policy grants permissions to manage agreements for the management
+          "Sid": "ListAgreementActions",
@@ -204,3 +268,2 @@ The following policy grants permissions to manage agreements for the management
-                    "artifact:AcceptAgreement",
-                    "artifact:DownloadAgreement",
-                    "artifact:TerminateAgreement"
+            "artifact:ListAgreements",
+            "artifact:ListCustomerAgreements"
@@ -208,4 +271 @@ The following policy grants permissions to manage agreements for the management
-                "Resource": [
-                    "arn:aws:artifact::*:customer-agreement/*",
-                    "arn:aws:artifact:::agreement/*"
-                ]
+          "Resource": "*"
@@ -213,0 +274 @@ The following policy grants permissions to manage agreements for the management
+          "Sid": "AWSAgreementActions",
@@ -215,2 +276,7 @@ The following policy grants permissions to manage agreements for the management
-                "Action": "iam:ListRoles",
-                "Resource": "arn:aws:iam::*:role/*"
+          "Action": [
+            "artifact:GetAgreement",
+            "artifact:AcceptNdaForAgreement",
+            "artifact:GetNdaForAgreement",
+            "artifact:AcceptAgreement"
+          ],
+          "Resource": "arn:aws-us-gov:artifact:::agreement/*"
@@ -218,0 +285 @@ The following policy grants permissions to manage agreements for the management
+          "Sid": "CustomerAgreementActions",
@@ -220,2 +287,5 @@ The following policy grants permissions to manage agreements for the management
-                "Action": "iam:CreateRole",
-                "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync"
+          "Action": [
+            "artifact:GetCustomerAgreement",