Amazon Web Services is offering a new service called AWS Artifact to help with regulatory compliance. Regulatory compliance has been a key concern for enterprise adoption, but this service aims to make compliance reporting for cloud instances and data much easier.
Amazon Web Services (AWS) Artifact is available to all AWS customers for no additional cost. It is accessed via the AWS Management Console and provides access to specific documents, known as audit artifacts, that can be used to prove compliance with various regulatory requirements. These include Service Organization Control reports, Payment Card Industry reports and certifications from various accreditation bodies.
Amazon has allowed user access to be controlled by its standard AWS Identity and Access Management system, which means that customers have granular control over who has access to AWS Artifact and which documents they are able to access within it. Each document is treated securely, with a watermark specific to that download, and Amazon encourages users not to send the documents via insecure methods, such as email.
Aside from this, Artifact does not create any new security concerns for customers; all the data is specific to Amazon, and it does not relate directly to the systems and data you store on its infrastructure. It is also only accessible via the secure AWS Management Console, meaning it benefits from all the security controls that are already implemented.
Does AWS Artifact really make compliance easier?
It's important to be very clear about how exactly this service helps with compliance. It does not mean that you can simply log in to AWS, download the relevant Artifact documents, submit them to the regulatory body and expect to be compliant. AWS, like all cloud providers, operates a shared responsibility model, which means that, although these documents can prove compliance at the infrastructure level, you are responsible for everything residing in that infrastructure. This includes the operating system, applications, encryption, customer data, and identity and access management. In fact, the vast majority of the work to prove compliance will still reside with the AWS customer.
The AWS Artifact documents are, to a certain extent, just providing evidence to support what the auditors will already know -- that the AWS infrastructure itself is securely configured. It is almost certain that any noncompliant areas will exist in the areas controlled by the customer and, therefore, they are still your responsibility in terms of proving compliance.
This means that you will still need to prove, for example, that you have regular patching cycles on all servers and a robust identity and access management policy. However, Artifact does go a step further and provide advice to customers on how to prepare their areas of responsibility for compliance, which is a helpful additional benefit.
The AWS Artifact documents provide a useful resource to be able to prove compliance at the infrastructure level, and to give advice on customer compliance responsibility. However, as the overwhelming majority of the compliance work needs to be done by the customer, due to the shared responsibility model, be sure to understand this new service from Amazon. Yes, it's useful, but it's not necessarily a major change when it comes to proving compliance.
Learn more about the effects of General Data Protection Regulation compliance
Find out how small businesses can ease the compliance burden of the Payment Card Industry Data Security Standard
Discover what Payment Card Industry Data Security Standard version 3.2 means for enterprise compliance