AWS Security ChangesHomeSearch

AWS artifact high security documentation change

Service: artifact · 2025-04-03 · Security-related high

File: artifact/latest/ug/security-iam-awsmanpol.md

Summary

Added AWS GovCloud policy examples, removed region note, and updated managed policy change log to reflect artifact:Get permission removal.

Security assessment

Explicit removal of the artifact:Get permission from AWSArtifactReportsReadOnlyAccess indicates a security hardening measure to reduce excessive permissions.

Diff

diff --git a/artifact/latest/ug/security-iam-awsmanpol.md b/artifact/latest/ug/security-iam-awsmanpol.md
index 01831f7d6..b4f39c03d 100644
--- a//artifact/latest/ug/security-iam-awsmanpol.md
+++ b//artifact/latest/ug/security-iam-awsmanpol.md
@@ -9,4 +8,0 @@ AWSArtifactReportsReadOnlyAccessAWSArtifactAgreementsReadOnlyAccessAWSArtifactAg
-###### Note
-
-The content of this page is only applicable to commercial AWS [Regions](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html?icmpid=docs_homepage_addtlrcs#region), and does not currently apply to AWS GovCloud (US) Regions.
-
@@ -71,0 +68,3 @@ This policy includes the following permissions.
+AWS
+    
+    
@@ -112,0 +112,46 @@ This policy includes the following permissions.
+
+AWS GovCloud (US)
+    
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "ListAgreementsActions",
+          "Effect": "Allow",
+          "Action": [
+            "artifact:ListAgreements",
+            "artifact:ListCustomerAgreements"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "GetCustomerAgreementActions",
+          "Effect": "Allow",
+          "Action": [
+            "artifact:GetCustomerAgreement"
+          ],
+          "Resource": "arn:aws-us-gov:artifact::*:customer-agreement/*"
+        },
+        {
+          "Sid": "AWSOrganizationActions",
+          "Effect": "Allow",
+          "Action": [
+            "organizations:ListAWSServiceAccessForOrganization",
+            "organizations:DescribeOrganization"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "GetRole",
+          "Effect": "Allow",
+          "Action": [
+            "iam:GetRole"
+          ],
+          "Resource": "arn:aws-us-gov:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact"
+        }
+      ]
+    }
+            
+
@@ -131,0 +177,3 @@ This policy includes the following permissions.
+AWS
+    
+    
@@ -200,0 +249,74 @@ This policy includes the following permissions.
+
+AWS GovCloud (US)
+    
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "ListAgreementActions",
+          "Effect": "Allow",
+          "Action": [
+            "artifact:ListAgreements",
+            "artifact:ListCustomerAgreements"
+          ],
+          "Resource": "*"
+        },
+        {
+          "Sid": "AWSAgreementActions",
+          "Effect": "Allow",
+          "Action": [
+            "artifact:GetAgreement",
+            "artifact:AcceptNdaForAgreement",
+            "artifact:GetNdaForAgreement",
+            "artifact:AcceptAgreement"
+          ],
+          "Resource": "arn:aws-us-gov:artifact:::agreement/*"
+        },
+        {
+          "Sid": "CustomerAgreementActions",
+          "Effect": "Allow",
+          "Action": [
+            "artifact:GetCustomerAgreement",
+            "artifact:TerminateAgreement"
+          ],
+          "Resource": "arn:aws-us-gov:artifact::*:customer-agreement/*"
+        },
+        {
+          "Sid": "CreateServiceLinkedRoleForOrganizationsIntegration",
+          "Effect": "Allow",
+          "Action": [
+            "iam:CreateServiceLinkedRole"
+          ],
+          "Resource": "arn:aws-us-gov:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact",
+          "Condition": {
+            "StringEquals": {
+              "iam:AWSServiceName": [
+                "artifact.amazonaws.com"
+              ]
+            }
+          }
+        },
+        {
+          "Sid": "GetRoleToCheckForRoleExistence",
+          "Effect": "Allow",
+          "Action": [
+            "iam:GetRole"
+          ],
+          "Resource": "arn:aws-us-gov:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact"
+        },
+        {
+          "Sid": "EnableServiceTrust",
+          "Effect": "Allow",
+          "Action": [
+            "organizations:EnableAWSServiceAccess",
+            "organizations:ListAWSServiceAccessForOrganization",
+            "organizations:DescribeOrganization"
+          ],
+          "Resource": "*"
+        }
+      ]
+    }
+            
+
@@ -207 +329 @@ Change | Description | Date
-AWS Artifact started tracking changes  |  AWS Artifact started tracking changes for its AWS managed policies and introduced AWSArtifactReportsReadOnlyAccess. | 2023-12-15  
+Updated AWS Reports managed polices  |  Updated AWSArtifactReportsReadOnlyAccess managed policy to remove the artifact:get permission. | 2025-03-21  
@@ -209 +331 @@ Introduced AWS Agreements managed polices  |  Introduced AWSArtifactAgreementsRe
-Updated AWS Reports managed policy  |  Removed legacy permission from AWSArtifactReportsReadOnlyAccess managed policy. | 2025-03-03  
+AWS Artifact started tracking changes  |  AWS Artifact started tracking changes for its AWS managed policies and introduced AWSArtifactReportsReadOnlyAccess. | 2023-12-15